Analysis

max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21-04-2024 01:01

Behavioral task: behavioral1
Sample: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
Resource: win7-20240221-en
General

Target: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
Size: 3.1MB
MD5: 24e7acb706dffb37b3e682424719f5ab
SHA1: 5d4864f3acb3076ee4005990114a4a1f2520d456
SHA256: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d
SHA512: 3d4b62d8a2c725f288277a0021c5dc46600e71b20fcdc660fdb00e0d37ff0a0114b7571d331fd85f989da74ef2dbf57add61b90085ff94cf53f5d07fea215c50
SSDEEP: 49152:HvilL26AaNeWgPhlmVqvMQ7XSKE6kjn+DixoGgBoTHHB72eh2NT:HvaL26AaNeWgPhlmVqkQ7XSKExn+DS
Malware Config

Extracted
family: quasar
version: 1.4.1
botnet: Office04
c2: Kneegrowless-33547.portmap.host:33547
mutex: 10674f25-f575-4b14-92cf-06a7073df875
encryption_key: E5427EE2BE27EB8DFAE76384CABC8A5EBB33EB00
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (11 IoCs)
Detects Windows executables referencing non-Windows User-Agents (11 IoCs)
Detects binaries (Windows and macOS) referencing many web browsers; observed in information stealers (11 IoCs)
Detects executables containing common artifacts observed in infostealers (11 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 13 IoCs)
Suspicious use of AdjustPrivilegeToken (14 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

The number in brackets is each process's depth in the process tree; each entry lists the image path, the command line, the PID and the signatures triggered by that process.

[depth 1] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  PID: 1928
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\hcu9hM6fwUmg.bat" "
  PID: 1664
  - Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 2456
[depth 3] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2916
  - Runs ping.exe
[depth 3] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  PID: 1752
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\2hX7YoXAiZtn.bat" "
  PID: 2392
  - Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 2536
[depth 5] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2528
  - Runs ping.exe
[depth 5] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  PID: 520
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 6] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\xC4qmhW8BKM9.bat" "
  PID: 1164
  - Suspicious use of WriteProcessMemory
[depth 7] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 1828
[depth 7] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 1780
  - Runs ping.exe
[depth 7] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  PID: 1160
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 8] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\lDxNTViNea5x.bat" "
  PID: 2464
  - Suspicious use of WriteProcessMemory
[depth 9] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 2680
[depth 9] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2712
  - Runs ping.exe
[depth 9] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  PID: 2752
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 10] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\05h3WIkJ3JWL.bat" "
  PID: 2080
  - Suspicious use of WriteProcessMemory
[depth 11] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 1648
[depth 11] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 792
  - Runs ping.exe
[depth 11] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  PID: 2052
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 12] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\QoM3mH8QPiCm.bat" "
  PID: 1304
  - Suspicious use of WriteProcessMemory
[depth 13] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 1580
[depth 13] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 1400
  - Runs ping.exe
[depth 13] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  PID: 2032
  - Suspicious use of AdjustPrivilegeToken
[depth 14] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\vBjIcygJHTap.bat" "
  PID: 1140
[depth 15] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 1340
[depth 15] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 1684
  - Runs ping.exe
[depth 15] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  PID: 2340
  - Suspicious use of AdjustPrivilegeToken
[depth 16] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\5NOMARytxZyT.bat" "
  PID: 2968
[depth 17] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 1736
[depth 17] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 1932
  - Runs ping.exe
[depth 17] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  PID: 1720
  - Suspicious use of AdjustPrivilegeToken
[depth 18] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3wvPcY20s03U.bat" "
  PID: 3012
[depth 19] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 2952
[depth 19] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2660
  - Runs ping.exe
[depth 19] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  PID: 2688
  - Suspicious use of AdjustPrivilegeToken
[depth 20] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\fc1GE2bZ1Cr4.bat" "
  PID: 2380
[depth 21] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 2428
[depth 21] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2528
  - Runs ping.exe
[depth 21] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  PID: 1496
  - Suspicious use of AdjustPrivilegeToken
[depth 22] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\lYNF9gfitPQ5.bat" "
  PID: 2296
[depth 23] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 1976
[depth 23] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 1556
  - Runs ping.exe
[depth 23] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  PID: 2432
  - Suspicious use of AdjustPrivilegeToken
[depth 24] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\c6nVYq2JAFej.bat" "
  PID: 1296
[depth 25] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 784
[depth 25] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 1840
  - Runs ping.exe
[depth 25] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  PID: 2684
  - Suspicious use of AdjustPrivilegeToken
[depth 26] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\EPRRIO65ntoo.bat" "
  PID: 2068
[depth 27] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 2084
[depth 27] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2120
  - Runs ping.exe
[depth 27] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  PID: 2948
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads