Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-04-2024 01:01
Behavioral task: behavioral1
Sample: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
Resource: win7-20240221-en
General
Target: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
Size: 3.1MB
MD5: 24e7acb706dffb37b3e682424719f5ab
SHA1: 5d4864f3acb3076ee4005990114a4a1f2520d456
SHA256: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d
SHA512: 3d4b62d8a2c725f288277a0021c5dc46600e71b20fcdc660fdb00e0d37ff0a0114b7571d331fd85f989da74ef2dbf57add61b90085ff94cf53f5d07fea215c50
SSDEEP: 49152:HvilL26AaNeWgPhlmVqvMQ7XSKE6kjn+DixoGgBoTHHB72eh2NT:HvaL26AaNeWgPhlmVqkQ7XSKExn+DS
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: Kneegrowless-33547.portmap.host:33547
Mutex: 10674f25-f575-4b14-92cf-06a7073df875
encryption_key: E5427EE2BE27EB8DFAE76384CABC8A5EBB33EB00
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload 1 IoCs
resource: behavioral2/memory/2364-0-0x0000000000200000-0x0000000000524000-memory.dmp
yara_rule: family_quasar

Detects Windows executables referencing non-Windows User-Agents 1 IoCs
resource: behavioral2/memory/2364-0-0x0000000000200000-0x0000000000524000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
resource: behavioral2/memory/2364-0-0x0000000000200000-0x0000000000524000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers 1 IoCs
resource: behavioral2/memory/2364-0-0x0000000000200000-0x0000000000524000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_GENInfoStealer

Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe (15 instances)
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation
process: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
(the same description/ioc/process entry is recorded 15 times, once per instance of the sample)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe 1 TTPs 15 IoCs
Processes: PING.EXE (15 instances)
pid / process: 4728 PING.EXE, 3676 PING.EXE, 5580 PING.EXE, 5228 PING.EXE, 4604 PING.EXE, 440 PING.EXE, 3576 PING.EXE, 3184 PING.EXE, 3404 PING.EXE, 3808 PING.EXE, 2196 PING.EXE, 1336 PING.EXE, 2276 PING.EXE, 4392 PING.EXE, 5676 PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe (15 instances)
description: Token: SeDebugPrivilege
pid / process (all 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe): 2364, 5724, 2992, 4268, 2648, 4140, 2824, 376, 2400, 1384, 8, 5792, 2536, 5724, 1476

Suspicious use of WriteProcessMemory 64 IoCs
Processes: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe, cmd.exe
description: "PID <pid> wrote to memory of <target pid>"; each row below appears twice in the report data, giving 64 IoCs
pid  process  ->  target pid  target process
2364  0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe  ->  4948  cmd.exe
4948  cmd.exe  ->  2256  chcp.com
4948  cmd.exe  ->  1336  PING.EXE
4948  cmd.exe  ->  5724  0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
5724  0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe  ->  5396  cmd.exe
5396  cmd.exe  ->  5388  chcp.com
5396  cmd.exe  ->  440  PING.EXE
5396  cmd.exe  ->  2992  0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
2992  0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe  ->  3620  cmd.exe
3620  cmd.exe  ->  368  chcp.com
3620  cmd.exe  ->  4728  PING.EXE
3620  cmd.exe  ->  4268  0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
4268  0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe  ->  1424  cmd.exe
1424  cmd.exe  ->  5304  chcp.com
1424  cmd.exe  ->  3576  PING.EXE
1424  cmd.exe  ->  2648  0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
2648  0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe  ->  5448  cmd.exe
5448  cmd.exe  ->  1028  chcp.com
5448  cmd.exe  ->  3676  PING.EXE
5448  cmd.exe  ->  4140  0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
4140  0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe  ->  2196  cmd.exe
2196  cmd.exe  ->  1952  chcp.com
2196  cmd.exe  ->  2276  PING.EXE
2196  cmd.exe  ->  2824  0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
2824  0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe  ->  4364  cmd.exe
4364  cmd.exe  ->  1624  chcp.com
4364  cmd.exe  ->  3184  PING.EXE
4364  cmd.exe  ->  376  0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
376  0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe  ->  4164  cmd.exe
4164  cmd.exe  ->  1900  chcp.com
4164  cmd.exe  ->  3404  PING.EXE
4164  cmd.exe  ->  2400  0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
Processes
(the number before each process is its depth in the process tree)

level 1: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe (PID 2364)
  command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
level 2: C:\Windows\system32\cmd.exe (PID 4948)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B6Qr5xuri0MQ.bat" "
  - Suspicious use of WriteProcessMemory
level 3: C:\Windows\system32\chcp.com (PID 2256)
  command line: chcp 65001
level 3: C:\Windows\system32\PING.EXE (PID 1336)
  command line: ping -n 10 localhost
  - Runs ping.exe
level 3: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe (PID 5724)
  command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
level 4: C:\Windows\system32\cmd.exe (PID 5396)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WBNKSc7YqxHZ.bat" "
  - Suspicious use of WriteProcessMemory
level 5: C:\Windows\system32\chcp.com (PID 5388)
  command line: chcp 65001
level 5: C:\Windows\system32\PING.EXE (PID 440)
  command line: ping -n 10 localhost
  - Runs ping.exe
level 5: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe (PID 2992)
  command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
level 6: C:\Windows\system32\cmd.exe (PID 3620)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IU7MkvoWPN89.bat" "
  - Suspicious use of WriteProcessMemory
level 7: C:\Windows\system32\chcp.com (PID 368)
  command line: chcp 65001
level 7: C:\Windows\system32\PING.EXE (PID 4728)
  command line: ping -n 10 localhost
  - Runs ping.exe
level 7: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe (PID 4268)
  command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
level 8: C:\Windows\system32\cmd.exe (PID 1424)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ic6o0TEDzaul.bat" "
  - Suspicious use of WriteProcessMemory
level 9: C:\Windows\system32\chcp.com (PID 5304)
  command line: chcp 65001
level 9: C:\Windows\system32\PING.EXE (PID 3576)
  command line: ping -n 10 localhost
  - Runs ping.exe
level 9: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe (PID 2648)
  command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
level 10: C:\Windows\system32\cmd.exe (PID 5448)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lm3U0aHl8yDh.bat" "
  - Suspicious use of WriteProcessMemory
level 11: C:\Windows\system32\chcp.com (PID 1028)
  command line: chcp 65001
level 11: C:\Windows\system32\PING.EXE (PID 3676)
  command line: ping -n 10 localhost
  - Runs ping.exe
level 11: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe (PID 4140)
  command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
level 12: C:\Windows\system32\cmd.exe (PID 2196)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsBSjKzGd8h0.bat" "
  - Suspicious use of WriteProcessMemory
level 13: C:\Windows\system32\chcp.com (PID 1952)
  command line: chcp 65001
level 13: C:\Windows\system32\PING.EXE (PID 2276)
  command line: ping -n 10 localhost
  - Runs ping.exe
level 13: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe (PID 2824)
  command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
level 14: C:\Windows\system32\cmd.exe (PID 4364)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gz7FjJS4VDK1.bat" "
  - Suspicious use of WriteProcessMemory
level 15: C:\Windows\system32\chcp.com (PID 1624)
  command line: chcp 65001
level 15: C:\Windows\system32\PING.EXE (PID 3184)
  command line: ping -n 10 localhost
  - Runs ping.exe
level 15: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe (PID 376)
  command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
level 16: C:\Windows\system32\cmd.exe (PID 4164)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWxLMRP0ArFF.bat" "
  - Suspicious use of WriteProcessMemory
level 17: C:\Windows\system32\chcp.com (PID 1900)
  command line: chcp 65001
level 17: C:\Windows\system32\PING.EXE (PID 3404)
  command line: ping -n 10 localhost
  - Runs ping.exe
level 17: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe (PID 2400)
  command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
level 18: C:\Windows\system32\cmd.exe (PID 5092)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dPt59TNSZPlX.bat" "
level 19: C:\Windows\system32\chcp.com (PID 640)
  command line: chcp 65001
level 19: C:\Windows\system32\PING.EXE (PID 4392)
  command line: ping -n 10 localhost
  - Runs ping.exe
level 19: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe (PID 1384)
  command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
level 20: C:\Windows\system32\cmd.exe (PID 1672)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiWcxPYLgnLk.bat" "
level 21: C:\Windows\system32\chcp.com (PID 4068)
  command line: chcp 65001
level 21: C:\Windows\system32\PING.EXE (PID 5580)
  command line: ping -n 10 localhost
  - Runs ping.exe
level 21: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe (PID 8)
  command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
level 22: C:\Windows\system32\cmd.exe (PID 2480)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmsDsSdswnyt.bat" "
level 23: C:\Windows\system32\chcp.com (PID 1852)
  command line: chcp 65001
level 23: C:\Windows\system32\PING.EXE (PID 5228)
  command line: ping -n 10 localhost
  - Runs ping.exe
level 23: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe (PID 5792)
  command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
level 24: C:\Windows\system32\cmd.exe (PID 3956)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEPfOObRDCbt.bat" "
level 25: C:\Windows\system32\chcp.com (PID 3880)
  command line: chcp 65001
level 25: C:\Windows\system32\PING.EXE (PID 2196)
  command line: ping -n 10 localhost
  - Runs ping.exe
level 25: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe (PID 2536)
  command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
level 26: C:\Windows\system32\cmd.exe (PID 3208)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fXB9HtgbAFEM.bat" "
level 27: C:\Windows\system32\chcp.com (PID 2136)
  command line: chcp 65001
level 27: C:\Windows\system32\PING.EXE (PID 3808)
  command line: ping -n 10 localhost
  - Runs ping.exe
level 27: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe (PID 5724)
  command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
level 28: C:\Windows\system32\cmd.exe (PID 5240)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A66tV2t88DhR.bat" "
level 29: C:\Windows\system32\chcp.com (PID 2336)
  command line: chcp 65001
level 29: C:\Windows\system32\PING.EXE (PID 4604)
  command line: ping -n 10 localhost
  - Runs ping.exe
level 29: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe (PID 1476)
  command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
level 30: C:\Windows\system32\cmd.exe (PID 3216)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeCdS39Mnr0S.bat" "
level 31: C:\Windows\system32\chcp.com (PID 2656)
  command line: chcp 65001
level 31: C:\Windows\system32\PING.EXE (PID 5676)
  command line: ping -n 10 localhost
  - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe.log
Filesize: 2KB
MD5: 8f0271a63446aef01cf2bfc7b7c7976b
SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5