Analysis
max time kernel: 145s
max time network: 145s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 08-04-2024 08:08
Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win7-20240220-en
General
Target: Client-built.exe
Size: 3.1MB
MD5: 43d43e073f37fcbce4db2a8efea58450
SHA1: 24014a045dfda1401b81e63435fdf46963967fd4
SHA256: e4c6e99ac6e6ddb98b3f0fea20d97c067b593ffdce6d2909ff693d03868e605b
SHA512: 9c8ca9dee9c24431ea98ce9743cf826b5ba844c339b0cc94ef4261af68f2bf89b7251e1884011e8ff58be5afbebe98b699a243d1cacf83272018baac439ca9bf
SSDEEP: 49152:3v1t62XlaSFNWPjljiFa2RoUYI4xDEDwNk/JxSoGdk+THHB72eh2NT:3vH62XlaSFNWPjljiFXRoUYI4xWQU
Malware Config
Extracted
family: quasar
version: 1.4.1
botnet: Office04
c2: IPv4:4782
mutex: 865ecc2b-abfd-4e2c-92cb-d87fb0c27dfe
encryption_key: 4EC818ABEB58692E09D25328E09F987FEC20E0DF
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload 6 IoCs
Processes (resource: yara_rule):
- behavioral1/memory/2036-0-0x0000000000F40000-0x0000000001264000-memory.dmp: family_quasar
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe: family_quasar
- behavioral1/memory/2968-9-0x0000000000A90000-0x0000000000DB4000-memory.dmp: family_quasar
- behavioral1/memory/2404-22-0x0000000000E10000-0x0000000001134000-memory.dmp: family_quasar
- behavioral1/memory/1864-49-0x00000000013D0000-0x00000000016F4000-memory.dmp: family_quasar
- behavioral1/memory/1948-156-0x00000000001F0000-0x0000000000514000-memory.dmp: family_quasar

Executes dropped EXE 12 IoCs
Processes (pid process): 2968 Client.exe, 2404 Client.exe, 2308 Client.exe, 1864 Client.exe, 1148 Client.exe, 2888 Client.exe, 2340 Client.exe, 1972 Client.exe, 2600 Client.exe, 1740 Client.exe, 1648 Client.exe, 1948 Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid process): 2584 schtasks.exe, 2692 schtasks.exe, 1464 schtasks.exe, 1516 schtasks.exe, 2080 schtasks.exe, 2564 schtasks.exe, 2860 schtasks.exe, 2784 schtasks.exe, 2864 schtasks.exe, 2260 schtasks.exe, 2160 schtasks.exe, 1552 schtasks.exe, 2276 schtasks.exe

Runs ping.exe 1 TTPs 12 IoCs
Processes (pid process): 456 PING.EXE, 3064 PING.EXE, 2320 PING.EXE, 1464 PING.EXE, 924 PING.EXE, 2472 PING.EXE, 2180 PING.EXE, 2104 PING.EXE, 2440 PING.EXE, 1504 PING.EXE, 1660 PING.EXE, 1084 PING.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes (description pid process):
- Token: SeDebugPrivilege 2036 Client-built.exe
- Token: SeDebugPrivilege 2968 Client.exe
- Token: SeDebugPrivilege 2404 Client.exe
- Token: SeDebugPrivilege 2308 Client.exe
- Token: SeDebugPrivilege 1864 Client.exe
- Token: SeDebugPrivilege 1148 Client.exe
- Token: SeDebugPrivilege 2888 Client.exe
- Token: SeDebugPrivilege 2340 Client.exe
- Token: SeDebugPrivilege 1972 Client.exe
- Token: SeDebugPrivilege 2600 Client.exe
- Token: SeDebugPrivilege 1740 Client.exe
- Token: SeDebugPrivilege 1648 Client.exe
- Token: SeDebugPrivilege 1948 Client.exe

Suspicious use of FindShellTrayWindow 12 IoCs
Processes (pid process): 2968 Client.exe, 2404 Client.exe, 2308 Client.exe, 1864 Client.exe, 1148 Client.exe, 2888 Client.exe, 2340 Client.exe, 1972 Client.exe, 2600 Client.exe, 1740 Client.exe, 1648 Client.exe, 1948 Client.exe

Suspicious use of SendNotifyMessage 12 IoCs
Processes (pid process): 2968 Client.exe, 2404 Client.exe, 2308 Client.exe, 1864 Client.exe, 1148 Client.exe, 2888 Client.exe, 2340 Client.exe, 1972 Client.exe, 2600 Client.exe, 1740 Client.exe, 1648 Client.exe, 1948 Client.exe

Suspicious use of SetWindowsHookEx 12 IoCs
Processes (pid process): 2968 Client.exe, 2404 Client.exe, 2308 Client.exe, 1864 Client.exe, 1148 Client.exe, 2888 Client.exe, 2340 Client.exe, 1972 Client.exe, 2600 Client.exe, 1740 Client.exe, 1648 Client.exe, 1948 Client.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes (description pid process target process); the report's table records most parent/child pairs three times, each pair is given once here:
- PID 2036 (Client-built.exe) wrote to memory of 2860 (schtasks.exe)
- PID 2036 (Client-built.exe) wrote to memory of 2968 (Client.exe)
- PID 2968 (Client.exe) wrote to memory of 2584 (schtasks.exe)
- PID 2968 (Client.exe) wrote to memory of 2408 (cmd.exe)
- PID 2408 (cmd.exe) wrote to memory of 2164 (chcp.com)
- PID 2408 (cmd.exe) wrote to memory of 2440 (PING.EXE)
- PID 2408 (cmd.exe) wrote to memory of 2404 (Client.exe)
- PID 2404 (Client.exe) wrote to memory of 2784 (schtasks.exe)
- PID 2404 (Client.exe) wrote to memory of 344 (cmd.exe)
- PID 344 (cmd.exe) wrote to memory of 1616 (chcp.com)
- PID 344 (cmd.exe) wrote to memory of 1504 (PING.EXE)
- PID 344 (cmd.exe) wrote to memory of 2308 (Client.exe)
- PID 2308 (Client.exe) wrote to memory of 2692 (schtasks.exe)
- PID 2308 (Client.exe) wrote to memory of 1212 (cmd.exe)
- PID 1212 (cmd.exe) wrote to memory of 1800 (chcp.com)
- PID 1212 (cmd.exe) wrote to memory of 1660 (PING.EXE)
- PID 1212 (cmd.exe) wrote to memory of 1864 (Client.exe)
- PID 1864 (Client.exe) wrote to memory of 1464 (schtasks.exe)
- PID 1864 (Client.exe) wrote to memory of 3028 (cmd.exe)
- PID 3028 (cmd.exe) wrote to memory of 2224 (chcp.com)
- PID 3028 (cmd.exe) wrote to memory of 1084 (PING.EXE)
- PID 3028 (cmd.exe) wrote to memory of 1148 (Client.exe)

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree depth in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\Client-built.exe (PID 2036)
    cmd: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\system32\schtasks.exe (PID 2860)
    cmd: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

[2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2968)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\system32\schtasks.exe (PID 2584)
    cmd: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

[3] C:\Windows\system32\cmd.exe (PID 2408)
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ag7RosmhjHvA.bat" "
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\system32\chcp.com (PID 2164)
    cmd: chcp 65001

[4] C:\Windows\system32\PING.EXE (PID 2440)
    cmd: ping -n 10 localhost
    - Runs ping.exe

[4] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2404)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\system32\schtasks.exe (PID 2784)
    cmd: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

[5] C:\Windows\system32\cmd.exe (PID 344)
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ps7FYjZLdHoq.bat" "
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\system32\chcp.com (PID 1616)
    cmd: chcp 65001

[6] C:\Windows\system32\PING.EXE (PID 1504)
    cmd: ping -n 10 localhost
    - Runs ping.exe

[6] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2308)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\system32\schtasks.exe (PID 2692)
    cmd: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

[7] C:\Windows\system32\cmd.exe (PID 1212)
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\eMuzochL1ULn.bat" "
    - Suspicious use of WriteProcessMemory

[8] C:\Windows\system32\chcp.com (PID 1800)
    cmd: chcp 65001

[8] C:\Windows\system32\PING.EXE (PID 1660)
    cmd: ping -n 10 localhost
    - Runs ping.exe

[8] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1864)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[9] C:\Windows\system32\schtasks.exe (PID 1464)
    cmd: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

[9] C:\Windows\system32\cmd.exe (PID 3028)
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\lXMkkZMFQC7E.bat" "
    - Suspicious use of WriteProcessMemory

[10] C:\Windows\system32\chcp.com (PID 2224)
    cmd: chcp 65001

[10] C:\Windows\system32\PING.EXE (PID 1084)
    cmd: ping -n 10 localhost
    - Runs ping.exe

[10] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1148)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

[11] C:\Windows\system32\schtasks.exe (PID 1516)
    cmd: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

[11] C:\Windows\system32\cmd.exe (PID 2144)
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\YysqV1BWNefK.bat" "

[12] C:\Windows\system32\chcp.com (PID 784)
    cmd: chcp 65001

[12] C:\Windows\system32\PING.EXE (PID 456)
    cmd: ping -n 10 localhost
    - Runs ping.exe

[12] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2888)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

[13] C:\Windows\system32\schtasks.exe (PID 2864)
    cmd: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

[13] C:\Windows\system32\cmd.exe (PID 2924)
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\4klWBfhPkcin.bat" "

[14] C:\Windows\system32\chcp.com (PID 664)
    cmd: chcp 65001

[14] C:\Windows\system32\PING.EXE (PID 924)
    cmd: ping -n 10 localhost
    - Runs ping.exe

[14] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2340)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

[15] C:\Windows\system32\schtasks.exe (PID 2260)
    cmd: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

[15] C:\Windows\system32\cmd.exe (PID 900)
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\s8RxB61IVTer.bat" "

[16] C:\Windows\system32\chcp.com (PID 2216)
    cmd: chcp 65001

[16] C:\Windows\system32\PING.EXE (PID 3064)
    cmd: ping -n 10 localhost
    - Runs ping.exe

[16] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1972)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

[17] C:\Windows\system32\schtasks.exe (PID 2080)
    cmd: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

[17] C:\Windows\system32\cmd.exe (PID 2716)
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\n76Puo8ELHhy.bat" "

[18] C:\Windows\system32\chcp.com (PID 2516)
    cmd: chcp 65001

[18] C:\Windows\system32\PING.EXE (PID 2472)
    cmd: ping -n 10 localhost
    - Runs ping.exe

[18] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2600)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

[19] C:\Windows\system32\schtasks.exe (PID 2160)
    cmd: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

[19] C:\Windows\system32\cmd.exe (PID 2380)
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\L6FqclHmcAV9.bat" "

[20] C:\Windows\system32\chcp.com (PID 2552)
    cmd: chcp 65001

[20] C:\Windows\system32\PING.EXE (PID 2320)
    cmd: ping -n 10 localhost
    - Runs ping.exe

[20] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1740)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

[21] C:\Windows\system32\schtasks.exe (PID 2276)
    cmd: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

[21] C:\Windows\system32\cmd.exe (PID 2332)
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\CZfHO9YT2IIk.bat" "

[22] C:\Windows\system32\chcp.com (PID 2192)
    cmd: chcp 65001

[22] C:\Windows\system32\PING.EXE (PID 2180)
    cmd: ping -n 10 localhost
    - Runs ping.exe

[22] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1648)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

[23] C:\Windows\system32\schtasks.exe (PID 2564)
    cmd: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

[23] C:\Windows\system32\cmd.exe (PID 1212)
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\UZjXizOEhkwd.bat" "

[24] C:\Windows\system32\chcp.com (PID 1604)
    cmd: chcp 65001

[24] C:\Windows\system32\PING.EXE (PID 1464)
    cmd: ping -n 10 localhost
    - Runs ping.exe

[24] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1948)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

[25] C:\Windows\system32\schtasks.exe (PID 1552)
    cmd: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

[25] C:\Windows\system32\cmd.exe (PID 624)
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\E5obhvPzWCN8.bat" "

[26] C:\Windows\system32\chcp.com (PID 1784)
    cmd: chcp 65001

[26] C:\Windows\system32\PING.EXE (PID 2104)
    cmd: ping -n 10 localhost
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads