Analysis
max time kernel: 144s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 06:33

Behavioral task: behavioral1
Sample: sharpmonoinjector.exe
Resource: win7-20240903-en
(The platform fields above and the memory-dump IoC under Signatures belong to the Windows 10 run, behavioral2; the behavioral1 entry here appears to be the Windows 7 sibling task of the same submission.)
General
Target: sharpmonoinjector.exe
Size: 3.1MB
MD5: 4522bc113a6f5b984e9ffac278f9f064
SHA1: 392ec955d7b5c5da965f7af9f929b89c33409b03
SHA256: 2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58
SHA512: c0980d621a154adb63bdb8a4e7adc863a40d1af8d98d18bd0671fc07721639d66b10d471d4dddc0e78cc127d4c0429f3084618f227919e4a552d6de4ee7793ff
SSDEEP: 98304:6WV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvg:FTQzo
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: ZJEB
C2: VIPEEK1990-25013.portmap.host:25013
Mutex: ebef1e3c-805b-4b1a-aa24-bf4dcab44476
(field names per the Quasar client configuration)
encryption_key: 3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows Security Service
subdirectory: SubDir

Notes: startup_key is the scheduled-task name that appears in the process tree below, and subdirectory plus install_name give the intended install path C:\Users\Admin\AppData\Roaming\SubDir\Client.exe, the same path the task's /tr argument points at. The C2 is a portmap.host hostname (a port-forwarding/tunnelling service), so the hostname and port, not whatever IP it resolves to at a given moment, are the durable network indicators.
Signatures

Quasar family

Quasar payload (1 IoC)
resource: behavioral2/memory/4364-1-0x0000000000760000-0x0000000000A84000-memory.dmp
yara_rule: family_quasar
(PID 4364 is the first sharpmonoinjector.exe instance in the tree; the 0x324000-byte region is roughly the 3.1MB sample size, i.e. the loaded image itself matched.)

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation
Process: sharpmonoinjector.exe (15 entries, one per instance in the process tree)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
PING.EXE PIDs: 404, 628, 1840, 2028, 2056, 2596, 2896, 3064, 3184, 3536, 3936, 3988, 4400, 4648, 5016
Caveat: every ping in this run targets localhost (see the process tree), so here the command is a delay, not a connectivity check; the signature name overstates it.

Runs ping.exe (1 TTPs, 15 IoCs)
PING.EXE PIDs: the same fifteen as above.

Scheduled Task/Job: Scheduled Task (1 TTPs, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe PIDs: 60, 1688, 1692, 1736, 2360, 2556, 2636, 3008, 3292, 3496, 3704, 3980, 4696, 5020, 5064

Suspicious use of AdjustPrivilegeToken (15 IoCs)
Token: SeDebugPrivilege
sharpmonoinjector.exe PIDs: 468, 916, 920, 1004, 1400, 2356, 2496, 3304, 3704, 4364, 4372, 4692, 4968, 5052, 5056
Suspicious use of WriteProcessMemory (64 IoCs)
Each write is logged twice by the sandbox, so the 64 entries are 32 unique parent -> child pairs. Format: source PID and image -> target PID [procid_target, the sandbox's own index for the target process]. Note that PID 404 is handed out twice during the run (ping at depth 3, chcp at depth 11), so correlate on procid_target rather than on PID alone.
4364 sharpmonoinjector.exe -> 3704 [83]
4364 sharpmonoinjector.exe -> 4312 [85]
4312 cmd.exe -> 180 [87]
4312 cmd.exe -> 404 [88]
4312 cmd.exe -> 4968 [99]
4968 sharpmonoinjector.exe -> 3980 [100]
4968 sharpmonoinjector.exe -> 4760 [102]
4760 cmd.exe -> 2568 [105]
4760 cmd.exe -> 1840 [106]
4760 cmd.exe -> 5052 [111]
5052 sharpmonoinjector.exe -> 2636 [112]
5052 sharpmonoinjector.exe -> 2012 [115]
2012 cmd.exe -> 2216 [117]
2012 cmd.exe -> 5016 [118]
2012 cmd.exe -> 4372 [123]
4372 sharpmonoinjector.exe -> 1692 [124]
4372 sharpmonoinjector.exe -> 3928 [127]
3928 cmd.exe -> 3632 [129]
3928 cmd.exe -> 3936 [130]
3928 cmd.exe -> 2496 [131]
2496 sharpmonoinjector.exe -> 1688 [132]
2496 sharpmonoinjector.exe -> 3620 [135]
3620 cmd.exe -> 404 [137]
3620 cmd.exe -> 2596 [138]
3620 cmd.exe -> 2356 [140]
2356 sharpmonoinjector.exe -> 5020 [141]
2356 sharpmonoinjector.exe -> 4784 [144]
4784 cmd.exe -> 5096 [146]
4784 cmd.exe -> 4400 [147]
4784 cmd.exe -> 1004 [150]
1004 sharpmonoinjector.exe -> 3008 [151]
1004 sharpmonoinjector.exe -> 992 [154]
(The list is capped at 64 entries; later iterations of the loop are visible only in the process tree.)
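The raw WriteProcessMemory entries come out of the sandbox as run-on lines of the form "PID A wrote to memory of B A image N", each repeated twice, and the only stable handle on the target is the trailing procid_target, not the PID. The parser below turns such entries into a parent/child tree keyed on procid_target so that a reused PID does not merge two processes. It is an added example, not code from the report or from the sandbox vendor; the excerpt it parses is constructed from the report's own entries (the first five loop iterations), keeping only the first two duplicate lines to show the de-duplication.

```python
"""Parse raw "Suspicious use of WriteProcessMemory" entries into a process tree.

Added example, not part of the sandbox report. RAW is constructed from the
report's entries; the sandbox repeats every write twice, and only the first
two repeats are kept here so the de-duplication is still exercised.
"""
import re
from collections import defaultdict

# "PID <src> wrote to memory of <dst> <src> <src image> <procid_target>".
# The backreference \1 insists that both copies of the source PID agree.
ENTRY_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

RAW = """\
PID 4364 wrote to memory of 3704 4364 sharpmonoinjector.exe 83
PID 4364 wrote to memory of 3704 4364 sharpmonoinjector.exe 83
PID 4364 wrote to memory of 4312 4364 sharpmonoinjector.exe 85
PID 4364 wrote to memory of 4312 4364 sharpmonoinjector.exe 85
PID 4312 wrote to memory of 180 4312 cmd.exe 87
PID 4312 wrote to memory of 404 4312 cmd.exe 88
PID 4312 wrote to memory of 4968 4312 cmd.exe 99
PID 4968 wrote to memory of 3980 4968 sharpmonoinjector.exe 100
PID 4968 wrote to memory of 4760 4968 sharpmonoinjector.exe 102
PID 4760 wrote to memory of 2568 4760 cmd.exe 105
PID 4760 wrote to memory of 1840 4760 cmd.exe 106
PID 4760 wrote to memory of 5052 4760 cmd.exe 111
PID 5052 wrote to memory of 2636 5052 sharpmonoinjector.exe 112
PID 5052 wrote to memory of 2012 5052 sharpmonoinjector.exe 115
PID 2012 wrote to memory of 2216 2012 cmd.exe 117
PID 2012 wrote to memory of 5016 2012 cmd.exe 118
PID 2012 wrote to memory of 4372 2012 cmd.exe 123
PID 4372 wrote to memory of 1692 4372 sharpmonoinjector.exe 124
PID 4372 wrote to memory of 3928 4372 sharpmonoinjector.exe 127
PID 3928 wrote to memory of 3632 3928 cmd.exe 129
PID 3928 wrote to memory of 3936 3928 cmd.exe 130
PID 3928 wrote to memory of 2496 3928 cmd.exe 131
PID 2496 wrote to memory of 1688 2496 sharpmonoinjector.exe 132
PID 2496 wrote to memory of 3620 2496 sharpmonoinjector.exe 135
PID 3620 wrote to memory of 404 3620 cmd.exe 137
"""


def parse_writes(text):
    """Return (unique edges in log order, number of duplicate entries dropped).
    An edge is (src_pid, dst_pid, src_image, dst_procid)."""
    seen, edges, dups = set(), [], 0
    for m in ENTRY_RE.finditer(text):
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4)))
        if edge in seen:
            dups += 1
            continue
        seen.add(edge)
        edges.append(edge)
    return edges, dups


def build_tree(edges):
    """Map each child procid to its parent procid and its depth in the tree.
    The parent is only named by PID, so it is resolved to the procid most
    recently assigned to that PID; reused PIDs therefore stay separate."""
    pid_to_procid, parent_of, depth = {}, {}, {}
    for src_pid, dst_pid, _image, dst_procid in edges:
        parent = pid_to_procid.get(src_pid)      # None for the root process
        parent_of[dst_procid] = parent
        depth[dst_procid] = 1 if parent is None else depth[parent] + 1
        pid_to_procid[dst_pid] = dst_procid
    return parent_of, depth


def reused_pids(edges):
    """PIDs that were handed to more than one process instance during the run."""
    procids = defaultdict(set)
    for _src, dst_pid, _image, dst_procid in edges:
        procids[dst_pid].add(dst_procid)
    return {pid for pid, ids in procids.items() if len(ids) > 1}


if __name__ == "__main__":
    edges, dups = parse_writes(RAW)
    parent_of, depth = build_tree(edges)
    print(f"{len(edges)} unique writes, {dups} duplicates dropped, "
          f"max depth {max(depth.values())}")
    print("reused PIDs:", sorted(reused_pids(edges)))
```

On the excerpt this yields 23 unique writes, 2 duplicates, a maximum depth of 10 and PID 404 as the one reused PID; procid 137 (the second process with PID 404) correctly hangs off procid 135, not off the first PID-404 process.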
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Legend (command lines exactly as logged; depth is the nesting level in the tree):
  INJ       C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe, launched as "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
  SCHTASKS  C:\Windows\SYSTEM32\schtasks.exe, launched as "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  CMD <x>   C:\Windows\system32\cmd.exe, launched as C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\<x>.bat" "
  CHCP      C:\Windows\system32\chcp.com, launched as chcp 65001
  PING      C:\Windows\system32\PING.EXE, launched as ping -n 10 localhost
Signature tags: A = Checks computer location settings; B = Suspicious use of AdjustPrivilegeToken; C = Suspicious use of WriteProcessMemory; D = Scheduled Task/Job: Scheduled Task; E = System Network Configuration Discovery: Internet Connection Discovery; F = Runs ping.exe

Depth  PID   Process               Tags
1      4364  INJ                   A B C
2      3704  SCHTASKS              D
2      4312  CMD 8JugHQ0hpGA0      C
3      180   CHCP
3      404   PING                  E F
3      4968  INJ                   A B C
4      3980  SCHTASKS              D
4      4760  CMD IABaEicFtA1m      C
5      2568  CHCP
5      1840  PING                  E F
5      5052  INJ                   A B C
6      2636  SCHTASKS              D
6      2012  CMD cgKAhv4IVRRC      C
7      2216  CHCP
7      5016  PING                  E F
7      4372  INJ                   A B C
8      1692  SCHTASKS              D
8      3928  CMD BnnUuWDw3wtL      C
9      3632  CHCP
9      3936  PING                  E F
9      2496  INJ                   A B C
10     1688  SCHTASKS              D
10     3620  CMD hBRvBI61OWom      C
11     404   CHCP
11     2596  PING                  E F
11     2356  INJ                   A B C
12     5020  SCHTASKS              D
12     4784  CMD MJstGA1KE9zM      C
13     5096  CHCP
13     4400  PING                  E F
13     1004  INJ                   A B C
14     3008  SCHTASKS              D
14     992   CMD iZuqx7936Dlf
15     452   CHCP
15     2056  PING                  E F
15     4692  INJ                   A B
16     2556  SCHTASKS              D
16     3312  CMD jMytIE5pXdHu
17     4776  CHCP
17     2896  PING                  E F
17     920   INJ                   A B
18     4696  SCHTASKS              D
18     2260  CMD kKjXZt0yoSN0
19     1688  CHCP
19     3184  PING                  E F
19     3304  INJ                   A B
20     1736  SCHTASKS              D
20     3620  CMD t4el5n7ClOGy
21     4104  CHCP
21     2028  PING                  E F
21     5056  INJ                   A B
22     60    SCHTASKS              D
22     2296  CMD PCnCPNenSTYB
23     3760  CHCP
23     3536  PING                  E F
23     916   INJ                   A B
24     2360  SCHTASKS              D
24     4816  CMD CDFzX2p3upZ6
25     3308  CHCP
25     3988  PING                  E F
25     1400  INJ                   A B
26     3292  SCHTASKS              D
26     4776  CMD 5ZGXzHhXi9aZ
27     5000  CHCP
27     3064  PING                  E F
27     3704  INJ                   A B
28     5064  SCHTASKS              D
28     832   CMD Fwptp0kqfyN9
29     4468  CHCP
29     4648  PING                  E F
29     468   INJ                   A B
30     3496  SCHTASKS              D
30     3980  CMD PVMh6nx655By
31     4960  CHCP
31     628   PING                  E F

Reading the tree: each of the fifteen sharpmonoinjector.exe instances does the same three things. It registers the ONLOGON task (task name = startup_key, target = subdirectory\install_name under %AppData%), then runs a freshly dropped .bat from %TEMP% that switches the console to UTF-8 (chcp 65001), waits about nine seconds (ping -n 10 localhost sends ten echoes one second apart) and relaunches the same executable from %TEMP%. Fifteen iterations at roughly nine to ten seconds each account for most of the 144s run, which ends mid-iteration at the depth-31 ping. Client.exe never appears in the tree; that is consistent with the install copy not completing, but the ONLOGON task itself cannot fire without a fresh logon, so its absence proves little on its own. The fifteen 214-byte files listed under Downloads line up in count with the fifteen .bat names here, although the report does not name them. Two caveats for anyone correlating this with host telemetry: the "Internet Connection Discovery" tag is misleading, since every ping targets localhost and serves only as a sleep; and PIDs are reused within the run (404, 1688, 3620, 3704, 3980 and 4776 each appear twice), so join on the sandbox's procid_target or on timestamps, not on PID alone. The sharpmonoinjector.exe instances from depth 15 onward and the cmd.exe instances from depth 14 onward carry no WriteProcessMemory tag only because that signature is capped at 64 IoCs.
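The loop above reduces to three process-creation patterns that hold across all fifteen iterations: a schtasks /create with /sc ONLOGON and /rl HIGHEST whose target lives under a user's AppData, a ping to localhost spawned by cmd.exe running a .bat out of %TEMP%, and an executable that re-spawns itself through that cmd.exe. The detection logic below checks each pattern and counts how many times the relaunch chained. It is an added example, not code from the report or from Quasar: EVENTS is constructed from the report's tree (the first two iterations, PIDs and command lines as listed) plus two made-up benign events as negative controls, and the pid/ppid/image/cmdline fields are an assumed telemetry shape.

```python
"""Flag the Quasar restart loop from process-creation telemetry.

Added example, not code from the report or from Quasar. EVENTS is constructed
from the report's process tree (first two loop iterations) plus two made-up
benign events; pid/ppid/image/cmdline is an assumed telemetry shape.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


INJ = r"C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
TASK = (r'"schtasks" /create /tn "Windows Security Service" /sc ONLOGON '
        r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f')
CMD = r"C:\Windows\system32\cmd.exe"
PING = r"C:\Windows\system32\PING.EXE"
SCHTASKS = r"C:\Windows\SYSTEM32\schtasks.exe"

EVENTS = [  # PIDs and command lines as logged in the report's tree
    ProcEvent(4364, 1, INJ, f'"{INJ}"'),
    ProcEvent(3704, 4364, SCHTASKS, TASK),
    ProcEvent(4312, 4364, CMD, CMD + r' /c ""C:\Users\Admin\AppData\Local\Temp\8JugHQ0hpGA0.bat" "'),
    ProcEvent(180, 4312, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(404, 4312, PING, "ping -n 10 localhost"),
    ProcEvent(4968, 4312, INJ, f'"{INJ}"'),
    ProcEvent(3980, 4968, SCHTASKS, TASK),
    ProcEvent(4760, 4968, CMD, CMD + r' /c ""C:\Users\Admin\AppData\Local\Temp\IABaEicFtA1m.bat" "'),
    ProcEvent(2568, 4760, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(1840, 4760, PING, "ping -n 10 localhost"),
    ProcEvent(5052, 4760, INJ, f'"{INJ}"'),
    # Made-up negative controls: a daily admin task and a real connectivity check.
    ProcEvent(9001, 1234, SCHTASKS,
              r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe"'),
    ProcEvent(9000, 1234, CMD, "cmd.exe /c ping -n 4 8.8.8.8"),
    ProcEvent(9002, 9000, PING, "ping -n 4 8.8.8.8"),
]

ONLOGON_RE = re.compile(r"/sc\s+ONLOGON\b", re.I)
HIGHEST_RE = re.compile(r"/rl\s+HIGHEST\b", re.I)
TR_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
USER_APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
TEMP_BAT_RE = re.compile(r'\\AppData\\Local\\Temp\\[^"\\]+\.bat', re.I)
PING_LOCAL_RE = re.compile(r"^ping\s+-n\s+\d+\s+(?:localhost|127\.0\.0\.1)\s*$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_onlogon_highest_tasks(events):
    """schtasks /create with ONLOGON + HIGHEST whose /tr target sits under a user's AppData."""
    hits = []
    for e in events:
        if basename(e.image) != "schtasks.exe":
            continue
        m = TR_RE.search(e.cmdline)
        target = (m.group(1) or m.group(2)) if m else ""
        if ONLOGON_RE.search(e.cmdline) and HIGHEST_RE.search(e.cmdline) \
                and USER_APPDATA_RE.search(target):
            hits.append((e.pid, target))
    return hits


def find_localhost_ping_sleeps(events):
    """ping -n N localhost run by a cmd.exe that executes a .bat from %TEMP%: a sleep, not discovery."""
    by_pid = {e.pid: e for e in events}   # assumes no PID reuse inside one batch of events
    hits = []
    for e in events:
        if basename(e.image) != "ping.exe" or not PING_LOCAL_RE.match(e.cmdline.strip()):
            continue
        parent = by_pid.get(e.ppid)
        if parent and basename(parent.image) == "cmd.exe" and TEMP_BAT_RE.search(parent.cmdline):
            hits.append(e.pid)
    return hits


def find_self_relaunch(events):
    """exe -> cmd.exe -> the same exe again. Returns (original_pid, relaunched_pid) pairs."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if not parent or basename(parent.image) != "cmd.exe":
            continue
        grand = by_pid.get(parent.ppid)
        if grand and grand.image.lower() == e.image.lower():
            hits.append((grand.pid, e.pid))
    return hits


def restart_chain_length(events):
    """Longest chain of self-relaunches, i.e. how many loop iterations the telemetry captured."""
    nxt = dict(find_self_relaunch(events))
    best = 0
    for start in set(nxt) - set(nxt.values()):
        n, cur = 0, start
        while cur in nxt:
            cur, n = nxt[cur], n + 1
        best = max(best, n)
    return best


if __name__ == "__main__":
    print("ONLOGON/HIGHEST tasks into AppData:", find_onlogon_highest_tasks(EVENTS))
    print("localhost ping sleeps:", find_localhost_ping_sleeps(EVENTS))
    print("self-relaunches:", find_self_relaunch(EVENTS))
    print("loop iterations captured:", restart_chain_length(EVENTS))
```

Against the constructed events the task check fires on PIDs 3704 and 3980 but not on the daily backup task, the sleep check fires on PIDs 404 and 1840 but not on the ping to 8.8.8.8, and the relaunch chain 4364 -> 4968 -> 5052 gives a length of 2. On real EDR data, key the parent lookups on a process GUID rather than on PID, for the same PID-reuse reason noted under the tree.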
Network
MITRE ATT&CK Enterprise v15
Downloads (one 2KB file and fifteen 214-byte files)

Filesize: 2KB
MD5: 8f0271a63446aef01cf2bfc7b7c7976b
SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Filesize: 214B
MD5: 91d48152eea164d73972dbaf9caecdae
SHA1: aaaa2d2a9b5dd87659a58eabf17b30eec3bba093
SHA256: 86a3dbd21b23e015d0f94c0b79ec21232a4078af058248e9b85c001dc57b2df6
SHA512: 534ddf57a694c53d84a3300e7a3f2b6cfb68273f66c87a92397b8ec97293dbfa75cd2d6206565ba8f6552a23f16c55d5898752f3aceef21cd7378db2cdc8d7be

Filesize: 214B
MD5: 9ad6d1436638570bb4f2aa537325ef85
SHA1: 12a62ad9dc04ec4861b3d8f838404b0124072f50
SHA256: 4d7bdbdab6a79ab80a4e92f070d9792ed301b6c1fff55ff3ce43a161f7cc1cba
SHA512: fe8fce6fa1edd25f34225390d7594afc5cd6775af22d9235c26703e8100105b1f70d032522b862d192c7e4255453c7a1dbe650ac5fd462d1fb431c78e81c6cc3

Filesize: 214B
MD5: d88e270b2af8b303b1d8c943c0146441
SHA1: 3267207598290583befedbd68a988a294ba6b7c5
SHA256: 9ff62acb97d5feadbcd6106203e3a80bcfa184771985aa321ef3e5302ee4a3a4
SHA512: 1e4629885b51ac6ed58a5308bff941c9dafd01c207aa86e903fb72baea6643012c2ae668d6b4ca88fb4231edeb0abc442086ed8ff2965b1876df883f7f180168

Filesize: 214B
MD5: f7cd375ff436c6c10b0ec0e8ea6be2f7
SHA1: 1662a409786873859af0468754c4fcc1fda5b424
SHA256: 9a7f530413e2e2d63331460c9eec82c29429a69510c2890ab07d4c521ed0370d
SHA512: 28616923af891bff3c00ca03ec7713347f9ea9a6f5991a6684cdf5f8420636f4f43cc1605282f415a05b79b4cff1b798ac5e36906d35db8482a892c040d59b50

Filesize: 214B
MD5: b3d0a68ffdb098363508cc0d3b267828
SHA1: b4b56a12c8e04bcb355be6dd455f2cc4176b66b6
SHA256: b560966f7c54bfd103ab7999185b34a1e748389faf485f6f6cf50d1c1523f6f2
SHA512: 757ba4c3df1677ced98e57ec0b8ecd35a8a14f3cb114d8257a5fe5a20f17fd60d39771b2530019e578eb12fbf7984a76e8a1ed2056b448c6f378a5bacfc428e5

Filesize: 214B
MD5: ff7b82605e939f49f9ac5af33fb25ef4
SHA1: 5521841a415d0258af15235287feca5a46bda3c6
SHA256: 2ff2efa8550874c0fbb66eb4f6b5419b5a7eab1eb27a29615c28957b3d438fbe
SHA512: 0d9e9b9d323baa14a527a9546ff97d3a344af212720e471fb9d6b7ce49c8c1c33ceda865a9460fc25da4934bae8452966bbdf7f6af3700b3c5c5964d5b35e09e

Filesize: 214B
MD5: 62f0c379923931b264f88153d9d99498
SHA1: 394cf5ea885b8590dcbd7901c7a9a24eeeedd9ea
SHA256: c3b77d520737f24396aa7981b2624c59dd6df1d9cd233eee0306ad8f0f8cd076
SHA512: 8a8a85e1186b1e9cd866bcb1499fecb92cf7aa4d60024827cd12df463182c6a458586b31f8cdf4cbb516ee9a6c31f17d47498581b522c2af03ef2fdcc25068d0

Filesize: 214B
MD5: 1f8af4eb407f39e225ceaf06f5ce5703
SHA1: 371b04dc82d297a0ebdf62f9dcfce419b57e0e83
SHA256: 3930262e6aceed626dd4278ba45d68ba681e2f5798056875485f51c444cef59c
SHA512: bdab0a96be7eb0c2de97c9326dcb40762a95973325a8797d7e6cc5f200729e75409b0ba940a4af82d2943db5fc94c7c172bc8c2577b29c4efdfac92401158cb2

Filesize: 214B
MD5: b7e0fdb039f77d0c8b10e20a3da45126
SHA1: f08b4cb9b5327c6ad439545d01c6234b042faad3
SHA256: f5d718549dc58bfb03290f52dda3dc32e28652182a2e0afff9be7d42deb74bb6
SHA512: babb5aff05614f4e88d8296d302d6cdfecf6246ae6cad7a9621822d32aaa2ab166bab1473ba5594577215224ad4dd441dc10fe6029a90d008d47e07db94bae1d

Filesize: 214B
MD5: acd9ac8d1b85da1f1c6504a6c5c3fe12
SHA1: 410ca1f33acf75d24ceac73f7bc231a9743d9424
SHA256: 48c8a96e9c56ebe94b96a6b446d2ccfd9369c3ef9c11290141ee69d3793fe6b3
SHA512: 884e388f0867343de4d83c0d0c4ac05f6ad6ce26e8041a99ab18912cf18c31fe8be8f5de5ac4870daf12e481df77eee4f3c0bc31a587501edb5179d6d211ea12

Filesize: 214B
MD5: fec98b64ee98aaadceffb51c561fd9e4
SHA1: 5e6e9615ff7fc11ed2b7cfcec28ae8d9fa3db04d
SHA256: 8e87b2fa01063138bc64b1463776a2624f661b6ce599642dd80665c5f932eea9
SHA512: f882658a38c91f0bd8a39ffca2bfee3d5818cd2b48c2225142c2b9fcef8c4f5283e2c844e2bf5876db988682d88ae4312b1efe223074290007139ecee248bfb9

Filesize: 214B
MD5: 422bd750c9e615645f9f1e9d0f3a71ad
SHA1: c984377de9ff74941b01c0c34874fb7efe5b5211
SHA256: dde098af924adbfa5a48b5053167ee59de1d5999ec28c26abd8743014409a016
SHA512: 38a6293052c3b813991b95f0091ef30063e814a1ebd82e2d7764c2692b3275cf32a3dbb28a61875ced19e11592643549081d5c039e43f6226ac089e19fda0ac9

Filesize: 214B
MD5: 548489dacb52ac4b2a8117a2f73afc27
SHA1: 867bdae900230f554ba1329367a75d8ca2b01f46
SHA256: 453331182a150695b4c734cadc729422342505d590193443cfded39916d4a9ff
SHA512: 0d3ee4b0c567cd5d4a99929b8d00c0f040e2c4a381419b4dff4fb6c21f48ca18d071c41b99c9aa905b44f12da5d08452e7c428559b00e2280daa5464bd510d36

Filesize: 214B
MD5: 84bb9aea74700c533b79faa00410ffbc
SHA1: 3ee02cd1d3b09e4a40863a4df54b6e36781a7a3d
SHA256: f56efcb682f7fdcc91401b165138cc9b1c685d44d5ad22e3e4269f8cc16de4ed
SHA512: 05f72a4db6f3f5b7373703b99392c4dd0d68655d7e66ea75e378a79fc0132af6c18649a28986fe7182b4ac449f6b015530d62da0c13b94c48fb942aecc794358

Filesize: 214B
MD5: e167291881adc25ad81b78e2f96a6b87
SHA1: c4d7f4d02dca6a4e0a8b9742919d19e07c34eec7
SHA256: 22213c7932e58cc7f441a215ea83ca63d00fa3d6b8c3804bf1abf8b475d655ad
SHA512: b12a52ae0c63eeb0223a781a6d97ba8bfdeb2715a364597014b62073bb005d3f556b9e4beda01050bafb3a82321dee4ad44679b3f9bb43d326caf9b732e2fa31