Analysis
-
max time kernel
68s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted
11-10-2023 13:16
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win7-20230831-en
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
84196815c135e19db65295a1cea9a522
-
SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f
-
SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
-
SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
-
SSDEEP
49152:7vWhBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaYiRJ6TbR3LoGdjTHHB72eh2NT:7v4t2d5aKCuVPzlEmVQ0wvwfYiRJ6F
Malware Config
Extracted
quasar
1.4.1
slave
cherrywoods-29890.portmap.host:29890:16243
5d49d039-8bce-40c5-82b6-413e6ca1279a
-
encryption_key
2E34CBDFC0A612A970A99A781D3AB0C010E1A59C
-
install_name
cvvhost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Security notification icon
-
subdirectory
SubDir
Signatures
-
Quasar payload 15 IoCs
resource                                                                    yara_rule
behavioral2/memory/4676-0-0x0000000000FC0000-0x00000000012E4000-memory.dmp  family_quasar
C:\Windows\System32\SubDir\cvvhost.exe                                      family_quasar
C:\Windows\system32\SubDir\cvvhost.exe                                      family_quasar
C:\Windows\System32\SubDir\cvvhost.exe                                      family_quasar
C:\Windows\System32\SubDir\cvvhost.exe                                      family_quasar
C:\Windows\System32\SubDir\cvvhost.exe                                      family_quasar
C:\Windows\System32\SubDir\cvvhost.exe                                      family_quasar
C:\Windows\System32\SubDir\cvvhost.exe                                      family_quasar
C:\Windows\System32\SubDir\cvvhost.exe                                      family_quasar
C:\Windows\System32\SubDir\cvvhost.exe                                      family_quasar
C:\Windows\System32\SubDir\cvvhost.exe                                      family_quasar
C:\Windows\System32\SubDir\cvvhost.exe                                      family_quasar
C:\Windows\System32\SubDir\cvvhost.exe                                      family_quasar
C:\Windows\System32\SubDir\cvvhost.exe                                      family_quasar
C:\Windows\System32\SubDir\cvvhost.exe                                      family_quasar
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                   process
Key value queried  \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation  cvvhost.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation  cvvhost.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation  cvvhost.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation  cvvhost.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation  cvvhost.exe
-
Executes dropped EXE 6 IoCs
pid   process
3884  cvvhost.exe
2176  cvvhost.exe
2228  cvvhost.exe
4584  cvvhost.exe
2492  cvvhost.exe
3876  cvvhost.exe
-
Drops file in System32 directory 15 IoCs
description                   ioc                                     process
File opened for modification  C:\Windows\system32\SubDir              cvvhost.exe
File created                  C:\Windows\system32\SubDir\cvvhost.exe  Client-built.exe
File opened for modification  C:\Windows\system32\SubDir              cvvhost.exe
File opened for modification  C:\Windows\system32\SubDir              cvvhost.exe
File opened for modification  C:\Windows\system32\SubDir              cvvhost.exe
File opened for modification  C:\Windows\system32\SubDir\cvvhost.exe  Client-built.exe
File opened for modification  C:\Windows\system32\SubDir\cvvhost.exe  cvvhost.exe
File opened for modification  C:\Windows\system32\SubDir\cvvhost.exe  cvvhost.exe
File opened for modification  C:\Windows\system32\SubDir\cvvhost.exe  cvvhost.exe
File opened for modification  C:\Windows\system32\SubDir\cvvhost.exe  cvvhost.exe
File opened for modification  C:\Windows\system32\SubDir\cvvhost.exe  cvvhost.exe
File opened for modification  C:\Windows\system32\SubDir\cvvhost.exe  cvvhost.exe
File opened for modification  C:\Windows\system32\SubDir              cvvhost.exe
File opened for modification  C:\Windows\system32\SubDir              Client-built.exe
File opened for modification  C:\Windows\system32\SubDir              cvvhost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 14 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   process
4980  schtasks.exe
2652  schtasks.exe
1928  schtasks.exe
1136  schtasks.exe
3852  schtasks.exe
2704  schtasks.exe
3968  schtasks.exe
4468  schtasks.exe
4788  schtasks.exe
2152  schtasks.exe
4048  schtasks.exe
3372  schtasks.exe
4116  schtasks.exe
1260  schtasks.exe
-
Runs ping.exe 1 TTPs 13 IoCs
pid   process
4488  PING.EXE
3944  PING.EXE
1692  PING.EXE
4528  PING.EXE
4672  PING.EXE
4504  PING.EXE
4780  PING.EXE
2988  PING.EXE
2148  PING.EXE
3548  PING.EXE
2976  PING.EXE
2952  PING.EXE
3424  PING.EXE
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
description              pid   process
Token: SeDebugPrivilege  4676  Client-built.exe
Token: SeDebugPrivilege  3884  cvvhost.exe
Token: SeDebugPrivilege  2176  cvvhost.exe
Token: SeDebugPrivilege  2228  cvvhost.exe
Token: SeDebugPrivilege  4584  cvvhost.exe
Token: SeDebugPrivilege  2492  cvvhost.exe
Token: SeDebugPrivilege  3876  cvvhost.exe
-
Suspicious use of FindShellTrayWindow 6 IoCs
pid   process
3884  cvvhost.exe
2176  cvvhost.exe
2228  cvvhost.exe
4584  cvvhost.exe
2492  cvvhost.exe
3876  cvvhost.exe
-
Suspicious use of SendNotifyMessage 6 IoCs
pid   process
3884  cvvhost.exe
2176  cvvhost.exe
2228  cvvhost.exe
4584  cvvhost.exe
2492  cvvhost.exe
3876  cvvhost.exe
-
Suspicious use of WriteProcessMemory 56 IoCs
description                       pid   process           target process
PID 4676 wrote to memory of 2652  4676  Client-built.exe  schtasks.exe
PID 4676 wrote to memory of 2652  4676  Client-built.exe  schtasks.exe
PID 4676 wrote to memory of 3884  4676  Client-built.exe  cvvhost.exe
PID 4676 wrote to memory of 3884  4676  Client-built.exe  cvvhost.exe
PID 3884 wrote to memory of 4788  3884  cvvhost.exe       schtasks.exe
PID 3884 wrote to memory of 4788  3884  cvvhost.exe       schtasks.exe
PID 3884 wrote to memory of 2664  3884  cvvhost.exe       cmd.exe
PID 3884 wrote to memory of 2664  3884  cvvhost.exe       cmd.exe
PID 2664 wrote to memory of 4704  2664  cmd.exe           chcp.com
PID 2664 wrote to memory of 4704  2664  cmd.exe           chcp.com
PID 2664 wrote to memory of 3944  2664  cmd.exe           PING.EXE
PID 2664 wrote to memory of 3944  2664  cmd.exe           PING.EXE
PID 2664 wrote to memory of 2176  2664  cmd.exe           cvvhost.exe
PID 2664 wrote to memory of 2176  2664  cmd.exe           cvvhost.exe
PID 2176 wrote to memory of 2704  2176  cvvhost.exe       schtasks.exe
PID 2176 wrote to memory of 2704  2176  cvvhost.exe       schtasks.exe
PID 2176 wrote to memory of 4960  2176  cvvhost.exe       cmd.exe
PID 2176 wrote to memory of 4960  2176  cvvhost.exe       cmd.exe
PID 4960 wrote to memory of 3100  4960  cmd.exe           chcp.com
PID 4960 wrote to memory of 3100  4960  cmd.exe           chcp.com
PID 4960 wrote to memory of 1692  4960  cmd.exe           PING.EXE
PID 4960 wrote to memory of 1692  4960  cmd.exe           PING.EXE
PID 4960 wrote to memory of 2228  4960  cmd.exe           cvvhost.exe
PID 4960 wrote to memory of 2228  4960  cmd.exe           cvvhost.exe
PID 2228 wrote to memory of 3968  2228  cvvhost.exe       schtasks.exe
PID 2228 wrote to memory of 3968  2228  cvvhost.exe       schtasks.exe
PID 2228 wrote to memory of 2312  2228  cvvhost.exe       cmd.exe
PID 2228 wrote to memory of 2312  2228  cvvhost.exe       cmd.exe
PID 2312 wrote to memory of 3376  2312  cmd.exe           chcp.com
PID 2312 wrote to memory of 3376  2312  cmd.exe           chcp.com
PID 2312 wrote to memory of 2988  2312  cmd.exe           PING.EXE
PID 2312 wrote to memory of 2988  2312  cmd.exe           PING.EXE
PID 2312 wrote to memory of 4584  2312  cmd.exe           cvvhost.exe
PID 2312 wrote to memory of 4584  2312  cmd.exe           cvvhost.exe
PID 4584 wrote to memory of 4468  4584  cvvhost.exe       schtasks.exe
PID 4584 wrote to memory of 4468  4584  cvvhost.exe       schtasks.exe
PID 4584 wrote to memory of 4020  4584  cvvhost.exe       cmd.exe
PID 4584 wrote to memory of 4020  4584  cvvhost.exe       cmd.exe
PID 4020 wrote to memory of 2984  4020  cmd.exe           chcp.com
PID 4020 wrote to memory of 2984  4020  cmd.exe           chcp.com
PID 4020 wrote to memory of 2148  4020  cmd.exe           PING.EXE
PID 4020 wrote to memory of 2148  4020  cmd.exe           PING.EXE
PID 4020 wrote to memory of 2492  4020  cmd.exe           cvvhost.exe
PID 4020 wrote to memory of 2492  4020  cmd.exe           cvvhost.exe
PID 2492 wrote to memory of 1928  2492  cvvhost.exe       schtasks.exe
PID 2492 wrote to memory of 1928  2492  cvvhost.exe       schtasks.exe
PID 2492 wrote to memory of 1988  2492  cvvhost.exe       cmd.exe
PID 2492 wrote to memory of 1988  2492  cvvhost.exe       cmd.exe
PID 1988 wrote to memory of 4508  1988  cmd.exe           chcp.com
PID 1988 wrote to memory of 4508  1988  cmd.exe           chcp.com
PID 1988 wrote to memory of 4528  1988  cmd.exe           PING.EXE
PID 1988 wrote to memory of 4528  1988  cmd.exe           PING.EXE
PID 1988 wrote to memory of 3876  1988  cmd.exe           cvvhost.exe
PID 1988 wrote to memory of 3876  1988  cmd.exe           cvvhost.exe
PID 3876 wrote to memory of 1260  3876  cvvhost.exe       schtasks.exe
PID 3876 wrote to memory of 1260  3876  cvvhost.exe       schtasks.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (the bracketed number is the nesting depth in the sandbox's process tree; each entry lists the image path, its command line, and the signatures it triggered):
- [1] C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
- [2] C:\Windows\system32\SubDir\cvvhost.exe
  command line: "C:\Windows\system32\SubDir\cvvhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
- [3] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQGTvFTws8mp.bat" "
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\system32\chcp.com
  command line: chcp 65001
- [4] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
- [4] C:\Windows\system32\SubDir\cvvhost.exe
  command line: "C:\Windows\system32\SubDir\cvvhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
- [5] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
- [5] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qY34PKLaxJTf.bat" "
  - Suspicious use of WriteProcessMemory
- [6] C:\Windows\system32\chcp.com
  command line: chcp 65001
- [6] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
- [6] C:\Windows\system32\SubDir\cvvhost.exe
  command line: "C:\Windows\system32\SubDir\cvvhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
- [7] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
- [7] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6KhRcZmY9WdE.bat" "
  - Suspicious use of WriteProcessMemory
- [8] C:\Windows\system32\chcp.com
  command line: chcp 65001
- [8] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
- [8] C:\Windows\system32\SubDir\cvvhost.exe
  command line: "C:\Windows\system32\SubDir\cvvhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
- [9] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
- [9] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYbJ8V6vZ1r4.bat" "
  - Suspicious use of WriteProcessMemory
- [10] C:\Windows\system32\chcp.com
  command line: chcp 65001
- [10] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
- [10] C:\Windows\system32\SubDir\cvvhost.exe
  command line: "C:\Windows\system32\SubDir\cvvhost.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
- [11] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
- [11] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EVbP0461OGJA.bat" "
  - Suspicious use of WriteProcessMemory
- [12] C:\Windows\system32\chcp.com
  command line: chcp 65001
- [12] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
- [12] C:\Windows\system32\SubDir\cvvhost.exe
  command line: "C:\Windows\system32\SubDir\cvvhost.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
- [13] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
- [13] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0XxP5jTz83d4.bat" "
- [14] C:\Windows\system32\SubDir\cvvhost.exe
  command line: "C:\Windows\system32\SubDir\cvvhost.exe"
- [15] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
- [15] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEia2j5d9LqB.bat" "
- [16] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
- [16] C:\Windows\system32\chcp.com
  command line: chcp 65001
- [16] C:\Windows\system32\SubDir\cvvhost.exe
  command line: "C:\Windows\system32\SubDir\cvvhost.exe"
- [17] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
- [17] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zFpAqLWZkDgo.bat" "
- [18] C:\Windows\system32\SubDir\cvvhost.exe
  command line: "C:\Windows\system32\SubDir\cvvhost.exe"
- [19] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
- [19] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEzgMuTCdz1J.bat" "
- [20] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
- [20] C:\Windows\system32\chcp.com
  command line: chcp 65001
- [20] C:\Windows\system32\SubDir\cvvhost.exe
  command line: "C:\Windows\system32\SubDir\cvvhost.exe"
- [21] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
- [21] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F7JAGvYAcYDj.bat" "
- [22] C:\Windows\system32\chcp.com
  command line: chcp 65001
- [22] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
- [22] C:\Windows\system32\SubDir\cvvhost.exe
  command line: "C:\Windows\system32\SubDir\cvvhost.exe"
- [23] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
- [23] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6tuRLM3lyX5j.bat" "
- [24] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
- [24] C:\Windows\system32\chcp.com
  command line: chcp 65001
- [24] C:\Windows\system32\SubDir\cvvhost.exe
  command line: "C:\Windows\system32\SubDir\cvvhost.exe"
- [25] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
- [25] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UhJ6ixl0CBYl.bat" "
- [26] C:\Windows\system32\SubDir\cvvhost.exe
  command line: "C:\Windows\system32\SubDir\cvvhost.exe"
- [27] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
- [27] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mn1i6ycjL5bR.bat" "
- [28] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
- [28] C:\Windows\system32\chcp.com
  command line: chcp 65001
- [1] C:\Windows\system32\chcp.com
  command line: chcp 65001
- [1] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
- [1] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
- [1] C:\Windows\system32\chcp.com
  command line: chcp 65001
- [1] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
- [1] C:\Windows\system32\chcp.com
  command line: chcp 65001
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cvvhost.exe.log
  Filesize: 2KB
  MD5: 8f0271a63446aef01cf2bfc7b7c7976b
  SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
  SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
  SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
- C:\Users\Admin\AppData\Local\Temp\0XxP5jTz83d4.bat
  Filesize: 197B
  MD5: 45e09b6ee313fe4c976ff33cc3a046af
  SHA1: b9ee27722e3278e8b3162112ebf9b18881c82f51
  SHA256: aa2124c044596ad8afc5d13ccaf909238efdbfd3d4f154458316b4b682101755
  SHA512: 60a4dd955c4fcfb66a7a527b2ee66f8c3fa422f244da758566b268dcf8c4308aad01e172cee031969a33726c8787b14705688e5e1c18cc20bc4e60d5f737bc6d
- C:\Users\Admin\AppData\Local\Temp\6KhRcZmY9WdE.bat
  Filesize: 197B
  MD5: 0dd17d97d22ecfac29e4d43e64952bb2
  SHA1: 60334236c810b0e3f348ed4ff1407ac8d3ea0a2b
  SHA256: 1fcd53db5e63cd5ff486a69ba0f2726616c89c5d995f5c4029036c9f682850dd
  SHA512: e4d2f92b8c0f6859e95a193403ecf81fb2201de848975f95e0f79c3f3c3f8704dcfbaa8a9c893a7d9495a4d28b7603d9a001bcf7f54f27459a83a6ad8614ce55
- C:\Users\Admin\AppData\Local\Temp\6tuRLM3lyX5j.bat
  Filesize: 197B
  MD5: f1a10a4b4afacde8290c6d35d508e174
  SHA1: bc7dba5ddc39fdde1ac0e5403ba16f2fd97f8fd8
  SHA256: 081c652a27b3fe10b964833debd0f40a1a20e511df923a4af79921b87427571b
  SHA512: 6d280f245eeee5fca1ec2d8d53394921b1974dbaf2495d4c9fa1b7add6a06e190d52e3a094b97eef13d7f2bc09d78097e5ad718aa3f3a0f2dc5ad2f8ee1f3799
- C:\Users\Admin\AppData\Local\Temp\EVbP0461OGJA.bat
  Filesize: 197B
  MD5: aa45518dc0039200a0c18753e7d65e3f
  SHA1: bd1ba4666b2afe45f4d06b8bc1e61b944e2e9505
  SHA256: f6f0147e865fb15051344144fb6a400cc7785614fc79810b6847172555306a87
  SHA512: 81400cddc527b4566cee6e42c57960eef027b2606667f374b25f26d3571b936b280fa20704e7f06211952bc66c43319097e41b1fda5277e71646068077fca5b8
- C:\Users\Admin\AppData\Local\Temp\F7JAGvYAcYDj.bat
  Filesize: 197B
  MD5: 72818fa0779c3a4bc3ffb6000eba4c38
  SHA1: bd01e5be2b743160fd1418326094b28b9217d699
  SHA256: f2ca21924d8cb1bb3e974ab22e1c7b5f737b75498c2f177b96f342d95de44703
  SHA512: a2e6ffbd6f24614d16832149d0128c534e83341afc0a7556a05801da31894a89f3722f4afd1ab5df27cf9942c152d7e3ac4bbd36ea9b9bed58b065aeae553ddd
- C:\Users\Admin\AppData\Local\Temp\NQGTvFTws8mp.bat
  Filesize: 197B
  MD5: 4c184b1f52ca6dace641ddca6ae7cc47
  SHA1: b81950cede829e33401527cfd3b24689ed60874f
  SHA256: a5e3881ec9ec0ccb1c9bcbf007d2046be22bf577813e41b1f4f0fe4e5f8e7bf0
  SHA512: 8666482996418e53f316a74223a138271323493617d019521df33e4ea7bc4f5dbf6cffb8f5b5d5d51c9b371aec672b4749bc39c60a4363db2669419a978644cc
- C:\Users\Admin\AppData\Local\Temp\UhJ6ixl0CBYl.bat
  Filesize: 197B
  MD5: c91f70d6d47915ecdd8c09efecd19c5a
  SHA1: f764f456730aeea5688b30d738ad07f3bbcd6242
  SHA256: 48e852fbaf6728e9a91eda0b9ef0fa35991522ef7f87365a5655142b383873e4
  SHA512: 6935810bce0fb7f8964447e58749d2b8b87b32225fe2159464eb6f67e350537121a3f7bdd4bffa1a17f0a96c03ca2285764ba9a5180ddd41a9af18b8a3fc104b
- C:\Users\Admin\AppData\Local\Temp\hEzgMuTCdz1J.bat
  Filesize: 197B
  MD5: eb7007b4e25c1d46f405e9a38f149e90
  SHA1: 2c483e4ffdb5fcef65d388082c752f829cba27a2
  SHA256: b67aff1e60a18c73de344f5f7b72a17e1e00b298032dd64c1c4113cb79f0964f
  SHA512: 79e75e91292ec5c47720f4c9d19942bd52ed473d31d80055c85ad90d0806e1a04edaee6c1445992d0b6479358fb346140e7afa97385611cd34a49628e2512a1e
- C:\Users\Admin\AppData\Local\Temp\jYbJ8V6vZ1r4.bat
  Filesize: 197B
  MD5: bbb4faaac002be4c1e1ac51831d8e51d
  SHA1: 9016cef44599d16c092063e9c110ac5f7b1e5705
  SHA256: ded6c533bd4aa00658e411a4abc548accc775ca15f7b99cd02ea2751a8d37f0d
  SHA512: 3073ab7e0f2392f7b922e3ef524e84c5d51b38c2334d85605f08661d81ccf08b239ceb293092f00c7bb23323b2d076f8f73b936a0f6c4718ee97cdf8347a3b2d
- C:\Users\Admin\AppData\Local\Temp\mn1i6ycjL5bR.bat
  Filesize: 197B
  MD5: 748d215ade1e439dcceafb52b0b743b9
  SHA1: 6b426152a23fb5b0b6395944ed85ea6a4249be83
  SHA256: adfba4e6dc3d6fbe9436d0437bb609153cf9e90753f979b9024465dd49a7e85d
  SHA512: c1a87f57d86f32b2a9ab5d7b20bc81764a43e6a315bf5f22663515474729d25e1e838ff9a4a0721b5aa340a662d641354c614569b815b5186084ef9ed51dc897
- C:\Users\Admin\AppData\Local\Temp\qY34PKLaxJTf.bat
  Filesize: 197B
  MD5: 03aa9fbcbb990ced69782f8b9a3dd197
  SHA1: f9b4df984d27f5cf318fc82e4f158728455aacf8
  SHA256: 041165480b6c1cce722b4152eed36df1fbfd2fe871ff7d9102e52dbccf81b9c8
  SHA512: dc4e71be12be635c1906b430d82df6545e1915bd36152a36d755b2145138f041d7f043134f47036210a2be273eab459ee3c6b885d953d3f8d9b97172788f0289
- C:\Users\Admin\AppData\Local\Temp\sEia2j5d9LqB.bat
  Filesize: 197B
  MD5: ad3ccfa82438fdcfa96ca95b41ba25e7
  SHA1: 19309e8cb369c379f808cc5dd97b441fbc15a68a
  SHA256: 694fdfda8455df911dadfa09c3b9f6d0cc862673ec399a944aa0736e550e3752
  SHA512: 1fdd1b7b3c37f2c537de875970a24a9fb0724c3c5140b4c98250c1af0c1397a0a55c8f344e89ada9251dba867112d2456b82e6da622125306552dd7b0213eb2e
- C:\Users\Admin\AppData\Local\Temp\zFpAqLWZkDgo.bat
  Filesize: 197B
  MD5: bfa331f4af38edcc4267052d36ec69fc
  SHA1: cd6203368350064807e7c85456426223aad8e935
  SHA256: c90e9317565fa86a3bc01ab62b2b145c8c1a044aa53d1d26bd1fc0d1004a9f9f
  SHA512: 52d9c7a9ae82682631320b5f2a78c67081770f9927841b8a992cd552493461ee2b1e77144249af9792222000426232d5fbaf47b74b37d5d8ba01671b7b4fce38
- C:\Windows\System32\SubDir\cvvhost.exe
  Filesize: 3.1MB
  MD5: 84196815c135e19db65295a1cea9a522
  SHA1: fc46f3972ad6280b17e27f3ff519c2b7d035370f
  SHA256: e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
  SHA512: 3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
- C:\Windows\System32\SubDir\cvvhost.exe
  Filesize: 2.6MB
  MD5: cafd5dbfa2593a925165ce70bfbdc50d
  SHA1: bec3fd8b19b438555aa55d57ff0497d3fc494c81
  SHA256: b5f9bcb1409cc06e1eedc0bcea50ed5b7b7dac82b7fa7f237b551a3477c46b31
  SHA512: 7dedc93174be19ea2ccc4c090ede0cd487472d8ceb41fc537f4ea973612a951957bcfbedca5d5e2fecfcecac03f7f5a9676548e034908a92ff5c5b60150bbb9e
- C:\Windows\System32\SubDir\cvvhost.exe
  Filesize: 3.1MB
  MD5: 84196815c135e19db65295a1cea9a522
  SHA1: fc46f3972ad6280b17e27f3ff519c2b7d035370f
  SHA256: e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
  SHA512: 3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
- C:\Windows\System32\SubDir\cvvhost.exe
  Filesize: 3.1MB
  MD5: 84196815c135e19db65295a1cea9a522
  SHA1: fc46f3972ad6280b17e27f3ff519c2b7d035370f
  SHA256: e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
  SHA512: 3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
- C:\Windows\System32\SubDir\cvvhost.exe
  Filesize: 3.1MB
  MD5: 84196815c135e19db65295a1cea9a522
  SHA1: fc46f3972ad6280b17e27f3ff519c2b7d035370f
  SHA256: e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
  SHA512: 3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
- C:\Windows\System32\SubDir\cvvhost.exe
  Filesize: 3.1MB
  MD5: 84196815c135e19db65295a1cea9a522
  SHA1: fc46f3972ad6280b17e27f3ff519c2b7d035370f
  SHA256: e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
  SHA512: 3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
- C:\Windows\System32\SubDir\cvvhost.exe
  Filesize: 3.1MB
  MD5: 84196815c135e19db65295a1cea9a522
  SHA1: fc46f3972ad6280b17e27f3ff519c2b7d035370f
  SHA256: e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
  SHA512: 3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
- C:\Windows\System32\SubDir\cvvhost.exe
  Filesize: 3.1MB
  MD5: 84196815c135e19db65295a1cea9a522
  SHA1: fc46f3972ad6280b17e27f3ff519c2b7d035370f
  SHA256: e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
  SHA512: 3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
- C:\Windows\System32\SubDir\cvvhost.exe
  Filesize: 3.1MB
  MD5: 84196815c135e19db65295a1cea9a522
  SHA1: fc46f3972ad6280b17e27f3ff519c2b7d035370f
  SHA256: e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
  SHA512: 3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
- C:\Windows\System32\SubDir\cvvhost.exe
  Filesize: 3.1MB
  MD5: 84196815c135e19db65295a1cea9a522
  SHA1: fc46f3972ad6280b17e27f3ff519c2b7d035370f
  SHA256: e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
  SHA512: 3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
- C:\Windows\System32\SubDir\cvvhost.exe
  Filesize: 3.1MB
  MD5: 84196815c135e19db65295a1cea9a522
  SHA1: fc46f3972ad6280b17e27f3ff519c2b7d035370f
  SHA256: e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
  SHA512: 3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
- C:\Windows\System32\SubDir\cvvhost.exe
  Filesize: 3.1MB
  MD5: 84196815c135e19db65295a1cea9a522
  SHA1: fc46f3972ad6280b17e27f3ff519c2b7d035370f
  SHA256: e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
  SHA512: 3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
- C:\Windows\System32\SubDir\cvvhost.exe
  Filesize: 3.1MB
  MD5: 84196815c135e19db65295a1cea9a522
  SHA1: fc46f3972ad6280b17e27f3ff519c2b7d035370f
  SHA256: e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
  SHA512: 3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
- C:\Windows\System32\SubDir\cvvhost.exe
  Filesize: 3.1MB
  MD5: 84196815c135e19db65295a1cea9a522
  SHA1: fc46f3972ad6280b17e27f3ff519c2b7d035370f
  SHA256: e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
  SHA512: 3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
- C:\Windows\system32\SubDir\cvvhost.exe
  Filesize: 3.1MB
  MD5: 84196815c135e19db65295a1cea9a522
  SHA1: fc46f3972ad6280b17e27f3ff519c2b7d035370f
  SHA256: e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
  SHA512: 3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
- memory/2176-22-0x00007FFF69550000-0x00007FFF6A011000-memory.dmp
  Filesize: 10.8MB
- memory/2176-23-0x000000001B3F0000-0x000000001B400000-memory.dmp
  Filesize: 64KB
- memory/2176-27-0x00007FFF69550000-0x00007FFF6A011000-memory.dmp
  Filesize: 10.8MB
- memory/2228-36-0x00007FFF69550000-0x00007FFF6A011000-memory.dmp
  Filesize: 10.8MB
- memory/2228-31-0x0000000003260000-0x0000000003270000-memory.dmp
  Filesize: 64KB
- memory/2228-30-0x00007FFF69550000-0x00007FFF6A011000-memory.dmp
  Filesize: 10.8MB
- memory/2488-68-0x00007FFF68AB0000-0x00007FFF69571000-memory.dmp
  Filesize: 10.8MB
- memory/2488-62-0x00007FFF68AB0000-0x00007FFF69571000-memory.dmp
  Filesize: 10.8MB
- memory/2488-63-0x000000001B3D0000-0x000000001B3E0000-memory.dmp
  Filesize: 64KB
- memory/2492-52-0x00007FFF68AB0000-0x00007FFF69571000-memory.dmp
  Filesize: 10.8MB
- memory/2492-47-0x000000001B580000-0x000000001B590000-memory.dmp
  Filesize: 64KB
- memory/2492-46-0x00007FFF68AB0000-0x00007FFF69571000-memory.dmp
  Filesize: 10.8MB
- memory/2584-103-0x0000000001780000-0x0000000001790000-memory.dmp
  Filesize: 64KB
- memory/2584-102-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp
  Filesize: 10.8MB
- memory/2584-108-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp
  Filesize: 10.8MB
- memory/3364-78-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp
  Filesize: 10.8MB
- memory/3364-79-0x000000001B9D0000-0x000000001B9E0000-memory.dmp
  Filesize: 64KB
- memory/3364-84-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp
  Filesize: 10.8MB
- memory/3732-100-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp
  Filesize: 10.8MB
- memory/3732-94-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp
  Filesize: 10.8MB
- memory/3732-95-0x000000001C010000-0x000000001C020000-memory.dmp
  Filesize: 64KB
- memory/3876-55-0x000000001B270000-0x000000001B280000-memory.dmp
  Filesize: 64KB
- memory/3876-54-0x00007FFF68AB0000-0x00007FFF69571000-memory.dmp
  Filesize: 10.8MB
- memory/3876-60-0x00007FFF68AB0000-0x00007FFF69571000-memory.dmp
  Filesize: 10.8MB
- memory/3884-9-0x00007FFF69550000-0x00007FFF6A011000-memory.dmp
  Filesize: 10.8MB
- memory/3884-11-0x000000001BEE0000-0x000000001BEF0000-memory.dmp
  Filesize: 64KB
- memory/3884-12-0x000000001CA80000-0x000000001CAD0000-memory.dmp
  Filesize: 320KB
- memory/3884-13-0x000000001CB90000-0x000000001CC42000-memory.dmp
  Filesize: 712KB
- memory/3884-19-0x00007FFF69550000-0x00007FFF6A011000-memory.dmp
  Filesize: 10.8MB
- memory/3952-87-0x000000001B8E0000-0x000000001B8F0000-memory.dmp
  Filesize: 64KB
- memory/3952-92-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp
  Filesize: 10.8MB
- memory/3952-86-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp
  Filesize: 10.8MB
- memory/4584-38-0x00007FFF69340000-0x00007FFF69E01000-memory.dmp
  Filesize: 10.8MB
- memory/4584-39-0x000000001BDF0000-0x000000001BE00000-memory.dmp
  Filesize: 64KB
- memory/4584-44-0x00007FFF69340000-0x00007FFF69E01000-memory.dmp
  Filesize: 10.8MB
- memory/4676-0-0x0000000000FC0000-0x00000000012E4000-memory.dmp
  Filesize: 3.1MB
- memory/4676-10-0x00007FFF69550000-0x00007FFF6A011000-memory.dmp
  Filesize: 10.8MB
- memory/4676-2-0x0000000001B90000-0x0000000001BA0000-memory.dmp
  Filesize: 64KB
- memory/4676-1-0x00007FFF69550000-0x00007FFF6A011000-memory.dmp
  Filesize: 10.8MB
- memory/4756-110-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp
  Filesize: 10.8MB
- memory/4756-111-0x000000001B0F0000-0x000000001B100000-memory.dmp
  Filesize: 64KB
- memory/4756-116-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp
  Filesize: 10.8MB
- memory/4960-76-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp
  Filesize: 10.8MB
- memory/4960-70-0x00007FFF68B60000-0x00007FFF69621000-memory.dmp
  Filesize: 10.8MB
- memory/4960-71-0x000000001B300000-0x000000001B310000-memory.dmp
  Filesize: 64KB