Analysis

max time kernel: 142s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 06:56

Behavioral task: behavioral1
Sample: JY7XH_Client-built.exe
Resource: win7-20241023-en
General

Target: JY7XH_Client-built.exe
Size: 3.1MB
MD5: f9fd797dbef56a3900d2fe9d0a6e2e86
SHA1: c5d002cc63bd21fa35fdad428ca4c909f34c4309
SHA256: b2de1e13497b1864e100fea605fa1136adc6f782b1dea5f6fe5f11656b098c0e
SHA512: c4d170855397e2e62d754883b2caab00d14f58787463924141d2077997ee03b25cd752565354c1c4cbace637cf1c053c45a162d0b61b31caa73f1ec70b998ce1
SSDEEP: 49152:ivkt62XlaSFNWPjljiFa2RoUYIobRJ6MbR3LoGdNwhTHHB72eh2NT:iv462XlaSFNWPjljiFXRoUYIobRJ6WK
Malware Config

Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: biseo-48321.portmap.host:48321
Mutex: cb74f432-50f1-4947-8163-7687a0292fb0
Attributes:
  encryption_key: D1BBEF3C04D88FE8F97EE2745041632CE9C760EE
  install_name: Svchost.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Svchost
  subdirectory: Svchost
Signatures

Quasar family

Quasar payload (2 IoCs)
  resource: behavioral2/memory/3232-1-0x0000000000980000-0x0000000000CA4000-memory.dmp   yara_rule: family_quasar
  resource: behavioral2/files/0x0007000000023cb5-6.dat   yara_rule: family_quasar

Checks computer location settings (2 TTPs, 14 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation
  Process: Svchost.exe
  (the report records this identical row 14 times)

Executes dropped EXE (14 IoCs)
  pid / Process: 1472 Svchost.exe, 1744 Svchost.exe, 1196 Svchost.exe, 2188 Svchost.exe, 2128 Svchost.exe, 3356 Svchost.exe, 1472 Svchost.exe, 3244 Svchost.exe, 2344 Svchost.exe, 4060 Svchost.exe, 4872 Svchost.exe, 4908 Svchost.exe, 4844 Svchost.exe, 4432 Svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 14 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid / Process: 5020 PING.EXE, 1224 PING.EXE, 4024 PING.EXE, 1192 PING.EXE, 8 PING.EXE, 2088 PING.EXE, 1064 PING.EXE, 4656 PING.EXE, 1976 PING.EXE, 2528 PING.EXE, 5060 PING.EXE, 1344 PING.EXE, 436 PING.EXE, 2212 PING.EXE

Runs ping.exe (1 TTP, 14 IoCs)
  pid / Process: 4024 PING.EXE, 1064 PING.EXE, 1224 PING.EXE, 1976 PING.EXE, 2528 PING.EXE, 436 PING.EXE, 8 PING.EXE, 1344 PING.EXE, 4656 PING.EXE, 5060 PING.EXE, 2088 PING.EXE, 2212 PING.EXE, 5020 PING.EXE, 1192 PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTP, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process: 3400 schtasks.exe, 696 schtasks.exe, 4428 schtasks.exe, 1788 schtasks.exe, 4548 schtasks.exe, 4352 schtasks.exe, 2424 schtasks.exe, 4712 schtasks.exe, 3684 schtasks.exe, 4420 schtasks.exe, 1556 schtasks.exe, 2572 schtasks.exe, 4240 schtasks.exe, 4712 schtasks.exe, 3720 schtasks.exe

Suspicious use of AdjustPrivilegeToken (15 IoCs)
  description: Token: SeDebugPrivilege (every row)
  pid / Process: 3232 JY7XH_Client-built.exe, 1472 Svchost.exe, 1744 Svchost.exe, 1196 Svchost.exe, 2188 Svchost.exe, 2128 Svchost.exe, 3356 Svchost.exe, 1472 Svchost.exe, 3244 Svchost.exe, 2344 Svchost.exe, 4060 Svchost.exe, 4872 Svchost.exe, 4908 Svchost.exe, 4844 Svchost.exe, 4432 Svchost.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / Process: 2128 Svchost.exe, 1472 Svchost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Each row reads "PID <pid> wrote to memory of <child pid>"; the report records every row twice, listed once here.
  pid   Process                  wrote to memory of   procid_target
  3232  JY7XH_Client-built.exe   3720                 82
  3232  JY7XH_Client-built.exe   1472                 84
  1472  Svchost.exe              3684                 85
  1472  Svchost.exe              2648                 87
  2648  cmd.exe                  4240                 89
  2648  cmd.exe                  5020                 90
  2648  cmd.exe                  1744                 98
  1744  Svchost.exe              4420                 99
  1744  Svchost.exe              4140                 101
  4140  cmd.exe                  4040                 103
  4140  cmd.exe                  1064                 104
  4140  cmd.exe                  1196                 105
  1196  Svchost.exe              1556                 106
  1196  Svchost.exe              920                  108
  920   cmd.exe                  688                  110
  920   cmd.exe                  1344                 111
  920   cmd.exe                  2188                 113
  2188  Svchost.exe              4352                 114
  2188  Svchost.exe              852                  116
  852   cmd.exe                  876                  118
  852   cmd.exe                  1224                 119
  852   cmd.exe                  2128                 120
  2128  Svchost.exe              4712                 121
  2128  Svchost.exe              2080                 123
  2080  cmd.exe                  4360                 125
  2080  cmd.exe                  4656                 126
  2080  cmd.exe                  3356                 127
  3356  Svchost.exe              2572                 128
  3356  Svchost.exe              3232                 130
  3232  cmd.exe                  3648                 132
  3232  cmd.exe                  1976                 133
  3232  cmd.exe                  1472                 134

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
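The WriteProcessMemory rows above are keyed by Windows PID, and PIDs are recycled during the run: 3232 is the submitted sample in the first rows and cmd.exe from procid_target 130 onward, and 1472 is bound to two different Svchost.exe instances (procid_target 84 and 134). The script below is an added example, not part of the sandbox report; it parses those rows exactly as printed, resolves each parent PID to whichever process was most recently bound to it, and rebuilds the chain keyed by the procid_target column. It assumes, as the monotonically increasing values suggest, that the sandbox assigns procid_target once per process; the sample itself never appears as a child, so it is given the placeholder id 0.

```python
"""Rebuild the process chain from the 'Suspicious use of WriteProcessMemory' rows,
keyed by the sandbox's procid_target rather than the (recyclable) Windows PID."""
import re
from collections import defaultdict

# Constructed input: the 32 distinct rows of the table above, in report order.
# The report prints every row twice; the duplicates are dropped here.
ROWS = """\
PID 3232 wrote to memory of 3720 3232 JY7XH_Client-built.exe 82
PID 3232 wrote to memory of 1472 3232 JY7XH_Client-built.exe 84
PID 1472 wrote to memory of 3684 1472 Svchost.exe 85
PID 1472 wrote to memory of 2648 1472 Svchost.exe 87
PID 2648 wrote to memory of 4240 2648 cmd.exe 89
PID 2648 wrote to memory of 5020 2648 cmd.exe 90
PID 2648 wrote to memory of 1744 2648 cmd.exe 98
PID 1744 wrote to memory of 4420 1744 Svchost.exe 99
PID 1744 wrote to memory of 4140 1744 Svchost.exe 101
PID 4140 wrote to memory of 4040 4140 cmd.exe 103
PID 4140 wrote to memory of 1064 4140 cmd.exe 104
PID 4140 wrote to memory of 1196 4140 cmd.exe 105
PID 1196 wrote to memory of 1556 1196 Svchost.exe 106
PID 1196 wrote to memory of 920 1196 Svchost.exe 108
PID 920 wrote to memory of 688 920 cmd.exe 110
PID 920 wrote to memory of 1344 920 cmd.exe 111
PID 920 wrote to memory of 2188 920 cmd.exe 113
PID 2188 wrote to memory of 4352 2188 Svchost.exe 114
PID 2188 wrote to memory of 852 2188 Svchost.exe 116
PID 852 wrote to memory of 876 852 cmd.exe 118
PID 852 wrote to memory of 1224 852 cmd.exe 119
PID 852 wrote to memory of 2128 852 cmd.exe 120
PID 2128 wrote to memory of 4712 2128 Svchost.exe 121
PID 2128 wrote to memory of 2080 2128 Svchost.exe 123
PID 2080 wrote to memory of 4360 2080 cmd.exe 125
PID 2080 wrote to memory of 4656 2080 cmd.exe 126
PID 2080 wrote to memory of 3356 2080 cmd.exe 127
PID 3356 wrote to memory of 2572 3356 Svchost.exe 128
PID 3356 wrote to memory of 3232 3356 Svchost.exe 130
PID 3232 wrote to memory of 3648 3232 cmd.exe 132
PID 3232 wrote to memory of 1976 3232 cmd.exe 133
PID 3232 wrote to memory of 1472 3232 cmd.exe 134
"""

ROW_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<target>\d+)"
)


def parse_rows(text):
    """One dict per row: parent PID, child PID, parent image, child procid_target."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.fullmatch(line.strip())
        if m:
            rows.append({"parent": int(m["parent"]), "child": int(m["child"]),
                         "image": m["image"], "target": int(m["target"])})
    return rows


def build_lineage(rows, root_pid):
    """Return {procid: {"pid", "parent", "image"}}. procid 0 stands for the submitted
    sample. A parent PID resolves to the procid most recently bound to it, so a
    recycled PID is attributed to the process that actually held it at the time."""
    nodes = {0: {"pid": root_pid, "parent": None, "image": None}}
    current = {root_pid: 0}  # pid -> procid currently bound to that pid
    for r in rows:
        parent_id = current.get(r["parent"])
        if parent_id is None:
            raise ValueError(f"row {r['target']}: parent PID {r['parent']} not seen before")
        nodes[parent_id]["image"] = r["image"]  # a process's image is only named when it acts as parent
        nodes[r["target"]] = {"pid": r["child"], "parent": parent_id, "image": None}
        current[r["child"]] = r["target"]
    return nodes


def reused_pids(nodes):
    """PIDs that were bound to more than one process during the run."""
    by_pid = defaultdict(list)
    for procid in sorted(nodes):
        by_pid[nodes[procid]["pid"]].append(procid)
    return {pid: ids for pid, ids in by_pid.items() if len(ids) > 1}


def ancestry(nodes, procid):
    """procid followed by its ancestors, ending at the sample (procid 0)."""
    path = []
    while procid is not None:
        path.append(procid)
        procid = nodes[procid]["parent"]
    return path


if __name__ == "__main__":
    nodes = build_lineage(parse_rows(ROWS), root_pid=3232)
    for pid, ids in reused_pids(nodes).items():
        print(pid, "->", [(i, nodes[i]["image"]) for i in ids])
    print("hops from sample to procid 134:", len(ancestry(nodes, 134)) - 1)
```

Resolving parents by "most recent binding" is what makes the last three rows attach to the cmd.exe at procid 130 rather than to the original sample, and the Svchost.exe at procid 134 comes out 13 hops below the sample, which agrees with its depth-14 position in the process tree below. The same caveat applies to any PID-keyed telemetry: correlate on a per-process identifier (sandbox procid, Sysmon ProcessGuid, PID plus start time), not on the bare PID.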
Processes

Depth is the nesting level in the sandbox process tree; each entry's parent is the nearest preceding entry one level shallower.

[depth 1] C:\Users\Admin\AppData\Local\Temp\JY7XH_Client-built.exe (PID 3232)
    cmd: "C:\Users\Admin\AppData\Local\Temp\JY7XH_Client-built.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\SYSTEM32\schtasks.exe (PID 3720)
    cmd: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[depth 2] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 1472)
    cmd: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\SYSTEM32\schtasks.exe (PID 3684)
    cmd: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[depth 3] C:\Windows\system32\cmd.exe (PID 2648)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeQgBxu2mlZn.bat" "
    - Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\system32\chcp.com (PID 4240)
    cmd: chcp 65001

[depth 4] C:\Windows\system32\PING.EXE (PID 5020)
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 4] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 1744)
    cmd: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\SYSTEM32\schtasks.exe (PID 4420)
    cmd: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[depth 5] C:\Windows\system32\cmd.exe (PID 4140)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUB7rmpXc2AK.bat" "
    - Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\system32\chcp.com (PID 4040)
    cmd: chcp 65001

[depth 6] C:\Windows\system32\PING.EXE (PID 1064)
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 6] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 1196)
    cmd: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\SYSTEM32\schtasks.exe (PID 1556)
    cmd: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[depth 7] C:\Windows\system32\cmd.exe (PID 920)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i9x6EM7EijhK.bat" "
    - Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\system32\chcp.com (PID 688)
    cmd: chcp 65001

[depth 8] C:\Windows\system32\PING.EXE (PID 1344)
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 8] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 2188)
    cmd: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 9] C:\Windows\SYSTEM32\schtasks.exe (PID 4352)
    cmd: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[depth 9] C:\Windows\system32\cmd.exe (PID 852)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6bq0GjMpv4S3.bat" "
    - Suspicious use of WriteProcessMemory

[depth 10] C:\Windows\system32\chcp.com (PID 876)
    cmd: chcp 65001

[depth 10] C:\Windows\system32\PING.EXE (PID 1224)
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 10] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 2128)
    cmd: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[depth 11] C:\Windows\SYSTEM32\schtasks.exe (PID 4712)
    cmd: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[depth 11] C:\Windows\system32\cmd.exe (PID 2080)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsn6GKogYMHD.bat" "
    - Suspicious use of WriteProcessMemory

[depth 12] C:\Windows\system32\chcp.com (PID 4360)
    cmd: chcp 65001

[depth 12] C:\Windows\system32\PING.EXE (PID 4656)
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 12] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 3356)
    cmd: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 13] C:\Windows\SYSTEM32\schtasks.exe (PID 2572)
    cmd: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[depth 13] C:\Windows\system32\cmd.exe (PID 3232)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RLRWTMq55qVq.bat" "
    - Suspicious use of WriteProcessMemory

[depth 14] C:\Windows\system32\chcp.com (PID 3648)
    cmd: chcp 65001

[depth 14] C:\Windows\system32\PING.EXE (PID 1976)
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 14] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 1472)
    cmd: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[depth 15] C:\Windows\SYSTEM32\schtasks.exe (PID 4240)
    cmd: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[depth 15] C:\Windows\system32\cmd.exe (PID 1456)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x8RlsWtxlgCE.bat" "

[depth 16] C:\Windows\system32\chcp.com (PID 2024)
    cmd: chcp 65001

[depth 16] C:\Windows\system32\PING.EXE (PID 2528)
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 16] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 3244)
    cmd: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 17] C:\Windows\SYSTEM32\schtasks.exe (PID 3400)
    cmd: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[depth 17] C:\Windows\system32\cmd.exe (PID 3204)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQz5lI6cqMf4.bat" "

[depth 18] C:\Windows\system32\chcp.com (PID 1060)
    cmd: chcp 65001

[depth 18] C:\Windows\system32\PING.EXE (PID 436)
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 18] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 2344)
    cmd: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 19] C:\Windows\SYSTEM32\schtasks.exe (PID 696)
    cmd: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[depth 19] C:\Windows\system32\cmd.exe (PID 2328)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QjwIsd9EjlsO.bat" "

[depth 20] C:\Windows\system32\chcp.com (PID 1100)
    cmd: chcp 65001

[depth 20] C:\Windows\system32\PING.EXE (PID 1192)
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 20] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 4060)
    cmd: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 21] C:\Windows\SYSTEM32\schtasks.exe (PID 4428)
    cmd: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[depth 21] C:\Windows\system32\cmd.exe (PID 5092)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKusbavgr7ie.bat" "

[depth 22] C:\Windows\system32\chcp.com (PID 1808)
    cmd: chcp 65001

[depth 22] C:\Windows\system32\PING.EXE (PID 2212)
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 22] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 4872)
    cmd: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 23] C:\Windows\SYSTEM32\schtasks.exe (PID 4712)
    cmd: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[depth 23] C:\Windows\system32\cmd.exe (PID 544)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wbz61EpFOYMc.bat" "

[depth 24] C:\Windows\system32\chcp.com (PID 1572)
    cmd: chcp 65001

[depth 24] C:\Windows\system32\PING.EXE (PID 5060)
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 24] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 4908)
    cmd: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 25] C:\Windows\SYSTEM32\schtasks.exe (PID 2424)
    cmd: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[depth 25] C:\Windows\system32\cmd.exe (PID 3672)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4SYAokDOoplh.bat" "

[depth 26] C:\Windows\system32\chcp.com (PID 3140)
    cmd: chcp 65001

[depth 26] C:\Windows\system32\PING.EXE (PID 8)
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 26] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 4844)
    cmd: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 27] C:\Windows\SYSTEM32\schtasks.exe (PID 1788)
    cmd: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[depth 27] C:\Windows\system32\cmd.exe (PID 344)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsYQPHd16tyG.bat" "

[depth 28] C:\Windows\system32\chcp.com (PID 3952)
    cmd: chcp 65001

[depth 28] C:\Windows\system32\PING.EXE (PID 4024)
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 28] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 4432)
    cmd: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 29] C:\Windows\SYSTEM32\schtasks.exe (PID 4548)
    cmd: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[depth 29] C:\Windows\system32\cmd.exe (PID 4144)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kh7UZGqig9wm.bat" "

[depth 30] C:\Windows\system32\chcp.com (PID 3244)
    cmd: chcp 65001

[depth 30] C:\Windows\system32\PING.EXE (PID 2088)
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
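The tree above repeats one pattern at every level: schtasks.exe registers an ONLOGON task named "Svchost" with /rl HIGHEST pointing at an executable under AppData\Roaming, then cmd.exe runs a random-named .bat from Temp whose children are chcp 65001, ping -n 10 localhost (a sleep) and a fresh copy of the dropped Svchost.exe. The script below is an added example, not part of the sandbox report, showing that chain expressed as process-creation detection logic and run over constructed Sysmon-style events copied from the first hops of the tree (plus two constructed benign controls: the real C:\Windows\System32\svchost.exe and an ordinary daily task). The event field names and the sample's parent PID 1000 are assumptions.

```python
"""Process-creation rules for the Quasar persistence/restart chain in the tree above."""
import re
from collections import defaultdict

ROAMING_SVCHOST = r"C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
SCHTASKS_CMD = (r'"schtasks" /create /tn "Svchost" /sc ONLOGON /tr '
                r'"C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f')

# Constructed events (Sysmon-style fields) for depths 1-4 of the tree, then two
# constructed benign controls. The sample's ppid 1000 is a placeholder.
EVENTS = [
    {"pid": 3232, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\JY7XH_Client-built.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\JY7XH_Client-built.exe"'},
    {"pid": 3720, "ppid": 3232, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": SCHTASKS_CMD},
    {"pid": 1472, "ppid": 3232, "image": ROAMING_SVCHOST, "cmdline": f'"{ROAMING_SVCHOST}"'},
    {"pid": 3684, "ppid": 1472, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": SCHTASKS_CMD},
    {"pid": 2648, "ppid": 1472, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeQgBxu2mlZn.bat" "'},
    {"pid": 4240, "ppid": 2648, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 5020, "ppid": 2648, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 1744, "ppid": 2648, "image": ROAMING_SVCHOST, "cmdline": f'"{ROAMING_SVCHOST}"'},
    {"pid": 900, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"pid": 901, "ppid": 700, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe"'},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# '/switch value' pairs; a switch directly followed by another switch has no value
SWITCH_RE = re.compile(r'/(\w+)(?:\s+(?!/)("[^"]*"|\S+))?')


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def schtasks_switches(cmdline):
    """Map lower-cased switch name to its unquoted value ('' for valueless switches)."""
    return {k.lower(): v.strip('"') for k, v in SWITCH_RE.findall(cmdline)}


def rule_masquerading_svchost(ev):
    """svchost.exe started from anywhere but the system directories (T1036)."""
    img = ev["image"].lower()
    return basename(img) == "svchost.exe" and not img.startswith(SYSTEM_DIRS)


def rule_onlogon_task_in_appdata(ev):
    """schtasks /create with /sc ONLOGON and /rl HIGHEST whose /tr lives under AppData."""
    if basename(ev["image"]) != "schtasks.exe":
        return False
    sw = schtasks_switches(ev["cmdline"])
    return ("create" in sw and sw.get("sc", "").upper() == "ONLOGON"
            and sw.get("rl", "").upper() == "HIGHEST"
            and "\\appdata\\" in sw.get("tr", "").lower())


def rule_restart_batch(events):
    """cmd.exe /c on a .bat under Temp whose children are chcp, 'ping -n N localhost'
    and an .exe under AppData. Children are matched on ppid within one event window;
    on a long-lived host correlate on a process GUID instead, since PIDs are recycled
    (the tree above reuses 3232 and 1472)."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    hits = []
    for ev in events:
        if basename(ev["image"]) != "cmd.exe":
            continue
        if not re.search(r'\\temp\\[^"\\]+\.bat"', ev["cmdline"], re.I):
            continue
        kids = children[ev["pid"]]
        chcp = any(basename(k["image"]) == "chcp.com" for k in kids)
        ping = any(re.fullmatch(r"ping -n \d+ localhost", k["cmdline"].strip(), re.I) for k in kids)
        relaunch = [k["image"] for k in kids
                    if "\\appdata\\" in k["image"].lower() and k["image"].lower().endswith(".exe")]
        if chcp and ping and relaunch:
            hits.append((ev["pid"], relaunch[0]))
    return hits


def run_rules(events):
    """(rule name, pid) for every event or event group that matches."""
    alerts = []
    for ev in events:
        if rule_masquerading_svchost(ev):
            alerts.append(("masquerading_svchost", ev["pid"]))
        if rule_onlogon_task_in_appdata(ev):
            alerts.append(("onlogon_highest_task_in_appdata", ev["pid"]))
    for pid, _image in rule_restart_batch(events):
        alerts.append(("quasar_restart_batch", pid))
    return alerts


if __name__ == "__main__":
    for name, pid in run_rules(EVENTS):
        print(f"{name:32} pid={pid}")
```

Against these events the two schtasks launches (PIDs 3720 and 3684), the two Roaming Svchost.exe launches (1472 and 1744) and the batch runner cmd.exe (2648) fire, while the real service host and the DAILY backup task do not. The scheduled-task rule keys on the combination of ONLOGON, HIGHEST and an AppData action path rather than on the task name "Svchost", which the config's startup_key controls and an operator can change per build.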
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 8f0271a63446aef01cf2bfc7b7c7976b
SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Filesize: 209B
MD5: 4c27e88fc5884c1082c2ec2adf0eeb36
SHA1: 9db38bab8ac03d7432a952a5acf570624b0f577f
SHA256: 1f46169c869cf94d724c06821d187fe1affb1c77ec417b6905922dcaf238ec03
SHA512: 6b70141e3e754cf3942aae3d06224a36b8ce76bc2964755e5590cfb85d9d9b85b20b6c79238faa9f0737ea61ac9d03f7603b29a1acb5e2fa5a0a875e4e897e05

Filesize: 209B
MD5: 2e82916f06c4f57a6942079b4daaebaa
SHA1: b337f1c0a2efd2dfd9cbbbfaffb472bd304fa840
SHA256: 68a18b618f4f4dceb8f393d35b1bcafb76ee64fa17baf5be90f92935d9180e00
SHA512: 046b7ab1a56b2172323178f1805af2c94947db4d01389d2ed1a1c3061e0eb283bd92d668bdece05c5f47819140a8c60a49bd9fb867251cf84fbd1bb02d6cbf6a

Filesize: 209B
MD5: 085d45a7845a6d954e45f1924a3079b5
SHA1: 4fae1d857ca792b30ac368277c709e0a01ca59a9
SHA256: 98c9490d4db2e1ee003fcdf8239d447b6042126044b6ea46bce87a3e62c19943
SHA512: 9bcee536367fd531aa620f4ab4c5a14b1f94d8ad0bb5b1a4bdd43001b9b0c510b63b7a7312457c30cfec201af8f9450cdcbf2069223416e8e0121511bd42d14d

Filesize: 209B
MD5: 83fe6cc86c99a7d6507238e026afddac
SHA1: e32763f8efe1be085b33020929b3eab8dfb857a7
SHA256: 0ab9c605e7bffdcdbea01872e1b4f4b330919f7209c960231137d749e046699e
SHA512: e15ef8600abad45a912cced7bcb2e4c16677b8a4241190e4ca3a09ded9c70ade76ffaefcf8f409d3b5ec31c464643a3f1d6954c11a9c89d05bc1f1edfa01b699

Filesize: 209B
MD5: a6ea549b4adb170926ec579d17bfddb1
SHA1: 588804d434205fce2d1b1c334eaae774ff6158a1
SHA256: 9dd3982fbeaaa7d09e99a27161d117b37fe05301058d379269baefa50bf19159
SHA512: b6774895ea2987b63f36103a33fd30afb53a896a5cca2eee1a8443118268bc79c06e03753377bdea46aff6311bb4bf0c4cfbcb49993b991ac82cdbe249233d1c

Filesize: 209B
MD5: b333b5671666b786abe4bd788db74629
SHA1: 2cb9a9f7c3dccaca823640fd88d34037a89fd2c5
SHA256: ce43cd5c9e94251ce22716169964927365146c79e684393cfd61af0da9e7cd3e
SHA512: b3a4667a2e1e811d4858be4a8dfbc26a7232a655b6ac00705dbdecf9d176f9aa36e087fc0c44f93ea63f74b6dddfd867ebc92691d0e2bc245dfc5e1ae1767bbf

Filesize: 209B
MD5: 0c938574b81e39a98f59175a86352116
SHA1: 2e509b042d7d62308eeb0f4aba0e4b5b5bf2ee7b
SHA256: f3e6fba2d6fc68519b09ae87f943248e8d251e369d771b3d32f85479a6b453b2
SHA512: fd82ad6dd0eb8e4de9d870dc77752ec50b285297b73ec5e2fa85de68b80391395631814e02c44cd7dc1d8e999343ffa5b225bb1f51e2d2aded8295c1635bbac2

Filesize: 209B
MD5: 92e23e1483ce68f286ac3ac01b2e0446
SHA1: ac205a2b3d086fcf7b2b68b2578c6c65c4144dea
SHA256: 817a3e513eea99fcfec19b5f04d8aa557e2cd617376b06736cfb665f63b0e4d2
SHA512: 57f4cc06017659a6f38cdb863db3dc5f76914c6c57a7c8d607f59f60648eb626ddf2947129f2f12b5c2be8416a86be4fc7e00beadda6fdb12e912f51d737acff

Filesize: 209B
MD5: 991756777b7dfd9319d102b694d79225
SHA1: d57af8836c3a4df3bde10ab4eb1f7dbba6b4aa83
SHA256: 574596accb9ba7a1cb8b7a24b617af0bd1c08c08de22ebc0e44533e43cba4f30
SHA512: b9ddf83abba1bf67fc51a590153dddd963a3e9c71c913c454bee1092733bb03df4c4731a5ad9910b26e86515c3eb37d9840f3dff065cddf53ce557f15d763689

Filesize: 209B
MD5: 9dfa9803a1f341538be0b2267ae1721b
SHA1: 787547f894380eda54116ffcadd3a671fedfa7b6
SHA256: 62117284523e9da8e8e187170bcd4f66481e93403ae86d1f2107cf35b0bf25b2
SHA512: 7a474d70d0d4181f2f4c4f5c1ec2ab241d127e09cec3d027bab2d6fb98903ba6919af973b70c1635fb7556140176f3fca731fa891531a823b395af41d5e85cdf

Filesize: 209B
MD5: 16089ecb1604d6d78e023406d27d28af
SHA1: 0f89698f73ebede269791decd6a3e4c469b6e430
SHA256: fd460d0325e72709af4446fd584dfa1aeefa8568444ad0e25a08a5a7e591ca24
SHA512: ab432923aff4fd09b394a8ce842c6cfcfa144fd0c485fbbe0e608026f7343e23f1a5cf7bbc1f3bc0f8d5a8732fd0ac9c20efe51c2d3bd7b80da57aa52ecf3700

Filesize: 209B
MD5: fd8eddf2cdf3bc8e68bcce7e365c35f9
SHA1: 128481c4144c23cda5796fe53daa1b7682dcdc3e
SHA256: cf8def798e0d1ead637daa7faa7eb8fc1eae5718eda59abfbb31c55efe2c67ca
SHA512: 4909b9ed5eb19c5c47a8b236328836f163533f6417274eaa4de9dea520d0f85975ecb1794839687d554f4055962aac11bb2b78922c66e919f7ae967a8979a169

Filesize: 209B
MD5: d22ebf0a2f643b0df31b4ef7c07f7545
SHA1: ac3a2fb5ba9d674d1068d80c40c64a9d2cede2f9
SHA256: 7b547c7ce2296fe278e71b318ba95fa437bc4af01e0e19bd35e548b156e23fa2
SHA512: c305ed10a3066d34b33dfc9b4498494344983c099baf5faae7c98fdf7f57bc2b157680b048412ca81f5d2ef15bb20ddd2dea9aa5d1ac3ee52fc2836f4918e50e

Filesize: 209B
MD5: 0c64da9a10bf983ed8b832ab55009357
SHA1: ba6b2d0e83dccb71372ffa80cf79230be37cafab
SHA256: 1f0b71f635ac4e7459c271ce7d0df784ba3d38732dcde44c61cb0fbcfe328550
SHA512: 3b5e06f881c073a5d02992eca8206c620179af738e2559ab9f79a12afdc1aa417e7f80590eada7c79fe991fb6ffd4e5b0bcdeda71e59ce5c3b79d0e62df55bfc

Filesize: 3.1MB
MD5: f9fd797dbef56a3900d2fe9d0a6e2e86
SHA1: c5d002cc63bd21fa35fdad428ca4c909f34c4309
SHA256: b2de1e13497b1864e100fea605fa1136adc6f782b1dea5f6fe5f11656b098c0e
SHA512: c4d170855397e2e62d754883b2caab00d14f58787463924141d2077997ee03b25cd752565354c1c4cbace637cf1c053c45a162d0b61b31caa73f1ec70b998ce1