Analysis
max time kernel: 149s
max time network: 139s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/03/2025, 03:58
Behavioral task: behavioral1
Sample: b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe
Resource: win7-20240903-en
General
Target: b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe
Size: 3.4MB
MD5: 61a23a5c02f19dda41b5f63b48784a96
SHA1: def21ab5c10bf3b4e5a5d2b2abb5d00b8e2dea18
SHA256: b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574
SHA512: 2e210707c58c71aa20a6ddffd95b83fd5c61e039a4201a807409ad1570c4650bb6549e85bb161631ccae26e310799379864e1b3c090145d103f1a6bdc9573cf4
SSDEEP: 49152:XvulL26AaNeWgPhlmVqvMQ7XSKeK8FEzUkk/bZLoGd5YTHHB72eh2NT:XveL26AaNeWgPhlmVqkQ7XSKH8tp
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Kaspersky
C2: mmdrza.ddns.net:25565
Mutex: fba445f3-0d80-4a93-bed3-c92c762015fc
encryption_key: 953F5906F7FC4FE5000EA40834065AE361109E51
install_name: kaspsersky32.exe (the misspelling is the sample's own; the dropped file and the scheduled task below use it verbatim, which makes it a usable IOC)
log_directory: Failture logs (spelling as in the config)
reconnect_delay: 3000
startup_key: Kaspersky auto update
subdirectory: Kaspersky
Note: subdirectory + install_name give the install path seen in the process tree, C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe, and startup_key is the name of the scheduled task the client creates.
Signatures

Quasar family

Quasar payload (13 IoCs)
resource  yara_rule
  behavioral1/memory/2644-1-0x0000000001090000-0x00000000013F6000-memory.dmp  family_quasar
  behavioral1/files/0x00070000000191f3-6.dat  family_quasar
  behavioral1/memory/916-9-0x0000000000D80000-0x00000000010E6000-memory.dmp  family_quasar
  behavioral1/memory/2560-23-0x0000000001320000-0x0000000001686000-memory.dmp  family_quasar
  behavioral1/memory/1296-34-0x00000000000D0000-0x0000000000436000-memory.dmp  family_quasar
  behavioral1/memory/2900-46-0x00000000012B0000-0x0000000001616000-memory.dmp  family_quasar
  behavioral1/memory/1188-68-0x00000000002C0000-0x0000000000626000-memory.dmp  family_quasar
  behavioral1/memory/2964-79-0x0000000000DD0000-0x0000000001136000-memory.dmp  family_quasar
  behavioral1/memory/316-91-0x0000000001270000-0x00000000015D6000-memory.dmp  family_quasar
  behavioral1/memory/2060-113-0x00000000000B0000-0x0000000000416000-memory.dmp  family_quasar
  behavioral1/memory/2000-124-0x00000000012E0000-0x0000000001646000-memory.dmp  family_quasar
  behavioral1/memory/552-135-0x0000000000080000-0x00000000003E6000-memory.dmp  family_quasar
  behavioral1/memory/2780-147-0x0000000000200000-0x0000000000566000-memory.dmp  family_quasar

Executes dropped EXE (13 IoCs)
pid  Process
  916, 2560, 1296, 2900, 2444, 1188, 2964, 316, 2120, 2060, 2000, 552, 2780  kaspsersky32.exe (13 instances of the dropped client; see the process tree)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 12 IoCs)
Adversaries may check for Internet connectivity on compromised systems. In this run every hit is "ping -n 10 localhost" launched from a .bat file: a loopback ping used as a roughly ten-second delay before the client re-launches itself, not a genuine connectivity check, so treat the TTP label with caution.
pid  Process
  1328, 2116, 3040, 2796, 1356, 1744, 2864, 2432, 1308, 2952, 1272, 2420  PING.EXE

Runs ping.exe (1 TTP, 12 IoCs)
pid  Process
  3040, 2796, 1356, 2420, 1744, 2864, 2432, 1328, 1272, 1308, 2116, 2952  PING.EXE (the same twelve processes as above)

Scheduled Task/Job: Scheduled Task (1 TTP, 14 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. All 14 invocations create the same task: name "Kaspersky auto update", trigger ONLOGON, action C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe, /rl HIGHEST (run with the highest privileges available to the creating account) and /f (silently overwrite an existing task of that name).
pid  Process
  2460, 2764, 1968, 2256, 1408, 2184, 2216, 2624, 2260, 1584, 2768, 2784, 2816, 2396  schtasks.exe

Suspicious use of AdjustPrivilegeToken (14 IoCs)
description  pid  Process
  Token: SeDebugPrivilege is enabled by PID 2644 (b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe) and by all 13 kaspsersky32.exe instances: 916, 2560, 1296, 2900, 2444, 1188, 2964, 316, 2120, 2060, 2000, 552, 2780.

Suspicious use of WriteProcessMemory (64 IoCs)
Each parent-to-child write is logged three times in the report, so the 64 entries cover 22 parent/child pairs (only one entry of the last pair is listed).
description  pid  Process  procid_target
  PID 2644 wrote to memory of 2460  2644  b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe  31  (3 entries)
  PID 2644 wrote to memory of 916  2644  b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe  33  (3 entries)
  PID 916 wrote to memory of 2764  916  kaspsersky32.exe  34  (3 entries)
  PID 916 wrote to memory of 2860  916  kaspsersky32.exe  36  (3 entries)
  PID 2860 wrote to memory of 2588  2860  cmd.exe  38  (3 entries)
  PID 2860 wrote to memory of 3040  2860  cmd.exe  39  (3 entries)
  PID 2860 wrote to memory of 2560  2860  cmd.exe  40  (3 entries)
  PID 2560 wrote to memory of 2624  2560  kaspsersky32.exe  41  (3 entries)
  PID 2560 wrote to memory of 1304  2560  kaspsersky32.exe  43  (3 entries)
  PID 1304 wrote to memory of 320  1304  cmd.exe  45  (3 entries)
  PID 1304 wrote to memory of 2796  1304  cmd.exe  46  (3 entries)
  PID 1304 wrote to memory of 1296  1304  cmd.exe  47  (3 entries)
  PID 1296 wrote to memory of 1968  1296  kaspsersky32.exe  48  (3 entries)
  PID 1296 wrote to memory of 1516  1296  kaspsersky32.exe  50  (3 entries)
  PID 1516 wrote to memory of 1544  1516  cmd.exe  52  (3 entries)
  PID 1516 wrote to memory of 1272  1516  cmd.exe  53  (3 entries)
  PID 1516 wrote to memory of 2900  1516  cmd.exe  54  (3 entries)
  PID 2900 wrote to memory of 2256  2900  kaspsersky32.exe  55  (3 entries)
  PID 2900 wrote to memory of 2040  2900  kaspsersky32.exe  57  (3 entries)
  PID 2040 wrote to memory of 1856  2040  cmd.exe  59  (3 entries)
  PID 2040 wrote to memory of 1356  2040  cmd.exe  60  (3 entries)
  PID 2040 wrote to memory of 2444  2040  cmd.exe  61  (1 entry)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Indentation shows parent/child depth (the report's 1⤵ to 27⤵ markers). Tags: DROP = Executes dropped EXE, PRIV = Suspicious use of AdjustPrivilegeToken, WPM = Suspicious use of WriteProcessMemory, TASK = Scheduled Task/Job: Scheduled Task, PING = System Network Configuration Discovery: Internet Connection Discovery + Runs ping.exe. The dropped client re-launches itself through a fresh %TEMP% .bat twelve times within the 149 s run, re-creating the same scheduled task each time. PIDs 1968 and 2256 are reused later in the run (first as schtasks.exe, later as chcp.com), so do not key on PID alone when correlating.

C:\Users\Admin\AppData\Local\Temp\b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe (PID 2644) [PRIV, WPM]: "C:\Users\Admin\AppData\Local\Temp\b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe"
  C:\Windows\system32\schtasks.exe (PID 2460) [TASK]: "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
  C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe (PID 916) [DROP, PRIV, WPM]: "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
    C:\Windows\system32\schtasks.exe (PID 2764) [TASK]: "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
    C:\Windows\system32\cmd.exe (PID 2860) [WPM]: cmd /c ""C:\Users\Admin\AppData\Local\Temp\muP5QlcThn5o.bat" "
      C:\Windows\system32\chcp.com (PID 2588): chcp 65001
      C:\Windows\system32\PING.EXE (PID 3040) [PING]: ping -n 10 localhost
      C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe (PID 2560) [DROP, PRIV, WPM]: "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
        C:\Windows\system32\schtasks.exe (PID 2624) [TASK]: "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
        C:\Windows\system32\cmd.exe (PID 1304) [WPM]: cmd /c ""C:\Users\Admin\AppData\Local\Temp\qbOpyXGI7rAe.bat" "
          C:\Windows\system32\chcp.com (PID 320): chcp 65001
          C:\Windows\system32\PING.EXE (PID 2796) [PING]: ping -n 10 localhost
          C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe (PID 1296) [DROP, PRIV, WPM]: "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
            C:\Windows\system32\schtasks.exe (PID 1968) [TASK]: "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
            C:\Windows\system32\cmd.exe (PID 1516) [WPM]: cmd /c ""C:\Users\Admin\AppData\Local\Temp\E7GncAgFi6pJ.bat" "
              C:\Windows\system32\chcp.com (PID 1544): chcp 65001
              C:\Windows\system32\PING.EXE (PID 1272) [PING]: ping -n 10 localhost
              C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe (PID 2900) [DROP, PRIV, WPM]: "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
                C:\Windows\system32\schtasks.exe (PID 2256) [TASK]: "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
                C:\Windows\system32\cmd.exe (PID 2040) [WPM]: cmd /c ""C:\Users\Admin\AppData\Local\Temp\1o4w9l75BACA.bat" "
                  C:\Windows\system32\chcp.com (PID 1856): chcp 65001
                  C:\Windows\system32\PING.EXE (PID 1356) [PING]: ping -n 10 localhost
                  C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe (PID 2444) [DROP, PRIV]: "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
                    C:\Windows\system32\schtasks.exe (PID 1408) [TASK]: "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
                    C:\Windows\system32\cmd.exe (PID 1936): cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZJNw1vJNCw46.bat" "
                      C:\Windows\system32\chcp.com (PID 2364): chcp 65001
                      C:\Windows\system32\PING.EXE (PID 2420) [PING]: ping -n 10 localhost
                      C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe (PID 1188) [DROP, PRIV]: "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
                        C:\Windows\system32\schtasks.exe (PID 2260) [TASK]: "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
                        C:\Windows\system32\cmd.exe (PID 984): cmd /c ""C:\Users\Admin\AppData\Local\Temp\N0quFsWD8bmT.bat" "
                          C:\Windows\system32\chcp.com (PID 1016): chcp 65001
                          C:\Windows\system32\PING.EXE (PID 1744) [PING]: ping -n 10 localhost
                          C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe (PID 2964) [DROP, PRIV]: "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
                            C:\Windows\system32\schtasks.exe (PID 1584) [TASK]: "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
                            C:\Windows\system32\cmd.exe (PID 2128): cmd /c ""C:\Users\Admin\AppData\Local\Temp\nGn3xjYgNeX1.bat" "
                              C:\Windows\system32\chcp.com (PID 2868): chcp 65001
                              C:\Windows\system32\PING.EXE (PID 2864) [PING]: ping -n 10 localhost
                              C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe (PID 316) [DROP, PRIV]: "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
                                C:\Windows\system32\schtasks.exe (PID 2768) [TASK]: "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
                                C:\Windows\system32\cmd.exe (PID 2524): cmd /c ""C:\Users\Admin\AppData\Local\Temp\brjkgrt2SJKq.bat" "
                                  C:\Windows\system32\chcp.com (PID 2584): chcp 65001
                                  C:\Windows\system32\PING.EXE (PID 2432) [PING]: ping -n 10 localhost
                                  C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe (PID 2120) [DROP, PRIV]: "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
                                    C:\Windows\system32\schtasks.exe (PID 2784) [TASK]: "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
                                    C:\Windows\system32\cmd.exe (PID 2628): cmd /c ""C:\Users\Admin\AppData\Local\Temp\M7FNbtnh17hX.bat" "
                                      C:\Windows\system32\chcp.com (PID 1968): chcp 65001
                                      C:\Windows\system32\PING.EXE (PID 1328) [PING]: ping -n 10 localhost
                                      C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe (PID 2060) [DROP, PRIV]: "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
                                        C:\Windows\system32\schtasks.exe (PID 2816) [TASK]: "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
                                        C:\Windows\system32\cmd.exe (PID 2936): cmd /c ""C:\Users\Admin\AppData\Local\Temp\gFjdH3R7De9j.bat" "
                                          C:\Windows\system32\chcp.com (PID 2256): chcp 65001
                                          C:\Windows\system32\PING.EXE (PID 1308) [PING]: ping -n 10 localhost
                                          C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe (PID 2000) [DROP, PRIV]: "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
                                            C:\Windows\system32\schtasks.exe (PID 2184) [TASK]: "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
                                            C:\Windows\system32\cmd.exe (PID 844): cmd /c ""C:\Users\Admin\AppData\Local\Temp\u6GZrw9xJI6y.bat" "
                                              C:\Windows\system32\chcp.com (PID 1472): chcp 65001
                                              C:\Windows\system32\PING.EXE (PID 2116) [PING]: ping -n 10 localhost
                                              C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe (PID 552) [DROP, PRIV]: "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
                                                C:\Windows\system32\schtasks.exe (PID 2396) [TASK]: "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
                                                C:\Windows\system32\cmd.exe (PID 928): cmd /c ""C:\Users\Admin\AppData\Local\Temp\dTwcfubIgcFW.bat" "
                                                  C:\Windows\system32\chcp.com (PID 652): chcp 65001
                                                  C:\Windows\system32\PING.EXE (PID 2952) [PING]: ping -n 10 localhost
                                                  C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe (PID 2780) [DROP, PRIV]: "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
                                                    C:\Windows\system32\schtasks.exe (PID 2216) [TASK]: "schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f
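The persistence and self-restart pattern in the process tree above is easy to turn into detection logic. The following is an added example, not part of the sandbox report or of Quasar itself: it maps the extracted config to the artifacts a host would show (install path, task name, C2 host and port) and then scans Sysmon-style process-creation events for the two behaviours the tree repeats, a schtasks /create with an ONLOGON trigger and /rl HIGHEST pointing into a user's AppData, and a cmd.exe running a %TEMP% .bat whose children are chcp 65001, a loopback ping and a re-launch of the image that started cmd.exe. The event records are constructed from the first two rounds of the tree plus two benign decoys; the field names pid/ppid/image/cmdline are an assumption, not any product's schema.

```python
import re
from collections import defaultdict

# Fields copied from the report's extracted Quasar config.
QUASAR_CONFIG = {
    "hosts": ["mmdrza.ddns.net:25565"],
    "install_name": "kaspsersky32.exe",   # the misspelling is the sample's own
    "subdirectory": "Kaspersky",
    "startup_key": "Kaspersky auto update",
}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574.exe"
CLIENT = r"C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe"
SCHTASKS_CMD = (r'"schtasks" /create /tn "Kaspersky auto update" /sc ONLOGON '
                r'/tr "C:\Users\Admin\AppData\Roaming\Kaspersky\kaspsersky32.exe" /rl HIGHEST /f')

def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

# Constructed process-creation events: the first two rounds of the report's tree plus
# two benign decoys. The report reuses PIDs 1968 and 2256 later in the run, so a real
# pipeline should key on (pid, creation time), not pid alone.
SAMPLE_EVENTS = [
    ev(2644, 1000, SAMPLE, f'"{SAMPLE}"'),
    ev(2460, 2644, r"C:\Windows\system32\schtasks.exe", SCHTASKS_CMD),
    ev(916, 2644, CLIENT, f'"{CLIENT}"'),
    ev(2764, 916, r"C:\Windows\system32\schtasks.exe", SCHTASKS_CMD),
    ev(2860, 916, r"C:\Windows\system32\cmd.exe",
       r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\muP5QlcThn5o.bat" "'),
    ev(2588, 2860, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ev(3040, 2860, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    ev(2560, 2860, CLIENT, f'"{CLIENT}"'),
    # decoys (constructed): a daily backup task and an admin script that pings outward
    ev(4001, 4000, r"C:\Windows\system32\schtasks.exe",
       r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\bk.exe"'),
    ev(4100, 4000, r"C:\Windows\system32\cmd.exe", r'cmd /c "C:\Scripts\check.bat"'),
    ev(4101, 4100, r"C:\Windows\system32\PING.EXE", "ping -n 4 8.8.8.8"),
]

SCHTASKS_SWITCH = re.compile(r'/(tn|sc|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

def config_artifacts(cfg, appdata=r"C:\Users\Admin\AppData\Roaming"):
    """Map config fields to host/network artifacts: Quasar installs to
    APPDATA\\subdirectory\\install_name and names its logon task startup_key."""
    host, _, port = cfg["hosts"][0].rpartition(":")
    return {"install_path": "\\".join([appdata, cfg["subdirectory"], cfg["install_name"]]),
            "task_name": cfg["startup_key"], "c2_host": host, "c2_port": int(port)}

def parse_schtasks(cmdline):
    """Values of the /tn /sc /tr /rl switches, quoted or bare."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in SCHTASKS_SWITCH.finditer(cmdline)}

def find_persistence(events, artifacts):
    """schtasks /create with an ONLOGON trigger, /rl HIGHEST and a target under a
    user's AppData: the shape of all 14 task creations in the report."""
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\schtasks.exe") or "/create" not in e["cmdline"].lower():
            continue
        a = parse_schtasks(e["cmdline"])
        target = a.get("tr", "")
        if a.get("sc", "").upper() != "ONLOGON" or a.get("rl", "").upper() != "HIGHEST":
            continue
        if not USER_WRITABLE.search(target):
            continue
        hits.append({"pid": e["pid"], "task_name": a.get("tn"), "target": target,
                     "matches_config": a.get("tn") == artifacts["task_name"]
                     and target.lower() == artifacts["install_path"].lower()})
    return hits

def find_restart_chains(events):
    """Quasar's self-restart: cmd.exe runs a %TEMP% .bat whose children are chcp 65001,
    ping -n N localhost (a loopback ping used as a sleep) and a new instance of the
    very image that launched cmd.exe."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    chains = []
    for cmd in events:
        if not cmd["image"].lower().endswith("\\cmd.exe"):
            continue
        if not re.search(r'\\temp\\[^"]+\.bat', cmd["cmdline"], re.IGNORECASE):
            continue
        parent, kids = by_pid.get(cmd["ppid"]), children[cmd["pid"]]
        chcp = any(k["image"].lower().endswith("\\chcp.com") and "65001" in k["cmdline"] for k in kids)
        ping = any(re.search(r"ping\s+-n\s+\d+\s+localhost", k["cmdline"], re.IGNORECASE) for k in kids)
        relaunch = [k for k in kids if parent and k["image"].lower() == parent["image"].lower()]
        if chcp and ping and relaunch:
            chains.append({"cmd_pid": cmd["pid"], "parent_pid": parent["pid"],
                           "relaunch_pid": relaunch[0]["pid"]})
    return chains

if __name__ == "__main__":
    art = config_artifacts(QUASAR_CONFIG)
    print("persistence:", find_persistence(SAMPLE_EVENTS, art))
    print("restart chains:", find_restart_chains(SAMPLE_EVENTS))
```

On the constructed events the persistence rule fires for PIDs 2460 and 2764 (both matching the extracted task name and install path exactly) and ignores the DAILY backup task, while the restart-chain rule links cmd.exe 2860 to its parent 916 and the re-launched copy 2560 and ignores the admin script, whose ping goes to 8.8.8.8 rather than localhost. The rules are deliberately structural rather than string-based, so they survive a rebuilt sample with a different task name or install directory.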
TTP labels in the Signatures section follow MITRE ATT&CK Enterprise v15.
Downloads
Twelve 216-byte dropped files (the same count as the .bat scripts in the process tree) and one 3.4MB file whose hashes are identical to the submitted sample, i.e. a byte-for-byte copy, consistent with the dropped kaspsersky32.exe.

Filesize: 216B
MD5: 84528c7d9026bb1e363510eb4350767a
SHA1: 23f8720dd9c3a9ca226fd3027c82ba36d9eb3ab5
SHA256: 9c83e811e17eb40ef66e6b7f82ff05b8cf67a6f929c16843efae6a2e23fbd320
SHA512: 1cdef99c18935d1bac18e7a81f5f8665c275d2096c6ccb33af3cb100c2f748440234df1331af0f7dccff1d7a6d50ae908e87aa75fcbce7c4d1a35be36b25eb8f

Filesize: 216B
MD5: bbb41e038f580910f241a9a5bac072f8
SHA1: 07c1dab2b79da0d1e1d23a17ea188dbdbdf93b23
SHA256: 5b3bffc07310677e8312ffc48a2d5cdb973ec4d4eee8c94b02a90fb2e1bd96db
SHA512: 659d755c6cda0957c6065cbbabbd016af33e24b2789068ac9b731d87e80ad7955afd1f71eb57919fbdc90e191cb3586911685629e10e5b91b0ec3b0335d79e88

Filesize: 216B
MD5: 0585f09eaa51cfe43a6ea24228793d82
SHA1: c53bb8c8accfc6886c519beab4df7c466a62e3a6
SHA256: 44eb7656899c75691e68e34a638f30ae70cb85d9f7d6fe3ed01e4a92c8eb0f56
SHA512: dec310f9cd0fdd562c833b22c92b9cf0ff70e387e26aa59c1a5037a61d92d38ddeb31744bbee8a3ecbd0cebd65bd87b35e73bf9777b216a00953c3310f212627

Filesize: 216B
MD5: ff563d39611382032af460029b049b63
SHA1: 86f94b0fa8fdb9508de37ff86b119418e5b81b68
SHA256: 58943338f1eef0b49b6167d467c9934021248ce66a5c968be6db460efd7aad19
SHA512: ff500d7b5355655908e2f400a898f8abb29624d357b45c4e535796de0cd8462b5980e28fb3b1268b3ce5e9e00f8633c4f4e8cb83ea34b534d2c7f905c1fe3306

Filesize: 216B
MD5: 47c17f7404dae1a592c3f66dc621b8f4
SHA1: 823466656396f6a37d5cd705b749009d00489f1d
SHA256: 7c5216b4ff96158e200291ea3fcca6c6f0d28f19c47f543e57a217a7b9ac4253
SHA512: 2320f72f4112dcd76240942b6a41b9daaf2d57240621f041907de32dcff572cb8e821f4926a4581b151200e81111cb8ee3a33172c4eb1ec5dfee14e85debb33b

Filesize: 216B
MD5: b643fd6e6db05ce148ff470c3566ee8b
SHA1: 937461f94f901077f76bc70e5c37960a7d78c81b
SHA256: 990ef1dd414da05c23deffd91b268a967bd964d0b9fa4fa847263ea3d8fedb7f
SHA512: b777a691a92f107ee9c0bbe3fccf62867d56ddfa92d51f44d77c9e3d1578563f81c52296164e4abbde8b075ef6558c91b96f4a0a669bf0c47e96f4bcfd06ec0c

Filesize: 216B
MD5: 5b7ed4e0a663c19bbe57da3baafcf18f
SHA1: 9fb257f782f00564fd76eabb13d42810990a4a08
SHA256: 1e880b5516e2f440410b0e426963e9d6f251021e79a4acf5f20e31c982341489
SHA512: 63f6da5fc5ecb381fbd32d7b1703165febfe8b387063111be7857ceb434bbcfb13df6d1295eab0e93239f7814c7bb7dd6cc20a68ad4873121f7896e6c26fd193

Filesize: 216B
MD5: ee9e73be90192606009e27968f9f8a80
SHA1: 7abe3bc6c9cb102d7cfbfe3c8cff91fae4a9c8cb
SHA256: 6af7727ca693df6a39d3ea0608031a5a3318caeb5ef7b25a8a2af3b4e30622e3
SHA512: 6ee5f489efd24c9d1170f3a9b35208a2830b2cad2cae09dfbfaca97f4950b42c9d72d4961bb6183075836ef556dc6738f94b68d81a755f6f5dd1f15e1130be18

Filesize: 216B
MD5: 28f41d08d3fa01fdb2e6e3aa37a370cf
SHA1: 49b9fc395873b3259818426e656f69a132a8231a
SHA256: 026634f2b8a6f15c60200001ee548bed8daa1f946c4be55c2bd36ef149d830de
SHA512: 06b24dda12cd4cb455c5b44587d03c16c1319d506f4c066792e698c9e2a5a682befb9f43d48154c2d2c2b2fc348c6b1594ceba2b8f1b02c5c8607c0f3b911d50

Filesize: 216B
MD5: 86b4238d0863a1618184cb1606e490c6
SHA1: 30ad5520088814debbd413c539449f0977b4754e
SHA256: aa53c5c71532b717454123390dc91532482b8920553230ee3afe32ca8a790923
SHA512: 1d85007e23b4bc3dd85195224a725b4ab2502b5dff4dffe07b800d0753d3a531f9974f50574f4721c6158f29536717719d57874a9c442d33ef80da06dde4c42f

Filesize: 216B
MD5: d5dabd2a705751f5982079fece271eab
SHA1: 45b2e2fbb35f7d065a03bf76ccc58c418b3eeceb
SHA256: c0ea33c6fd73da8d0cc9675d8dc0a5812809a9445cd01e6cbbc3200df5ba4bda
SHA512: d83e4b47e9dbf4f42511d9416ddc02eb47a3f56c051937cd6b4efd9225861b35dc1b7671fcbfd95917e4d1a074566155a54cf8ee569c1ff815dc30ba74605de6

Filesize: 216B
MD5: f16ca880934f2aba449f09966cd3ec36
SHA1: 141727aee81cbc86bfa14888461ef2fda4afc402
SHA256: ee326760ca55957e80967846852194d68cd37113c9fe583327368477aba1342a
SHA512: dd70d26e20b4211f7a140359879fa5d411b13c096c736c6dbb45ee3786025b815427da5c5fe629e319ac172118596bde191e3b9853373f0916e4128236c5aeab

Filesize: 3.4MB
MD5: 61a23a5c02f19dda41b5f63b48784a96
SHA1: def21ab5c10bf3b4e5a5d2b2abb5d00b8e2dea18
SHA256: b93b5cc63a5ee1981c074abb7921a4bdb147197dc85dd1af42305066736d8574
SHA512: 2e210707c58c71aa20a6ddffd95b83fd5c61e039a4201a807409ad1570c4650bb6549e85bb161631ccae26e310799379864e1b3c090145d103f1a6bdc9573cf4