Analysis

max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 21-04-2024 08:28

Behavioral task: behavioral1
Sample: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
Resource: win7-20240220-en

General

Target: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
Size: 3.1MB
MD5: 24e7acb706dffb37b3e682424719f5ab
SHA1: 5d4864f3acb3076ee4005990114a4a1f2520d456
SHA256: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d
SHA512: 3d4b62d8a2c725f288277a0021c5dc46600e71b20fcdc660fdb00e0d37ff0a0114b7571d331fd85f989da74ef2dbf57add61b90085ff94cf53f5d07fea215c50
SSDEEP: 49152:HvilL26AaNeWgPhlmVqvMQ7XSKE6kjn+DixoGgBoTHHB72eh2NT:HvaL26AaNeWgPhlmVqkQ7XSKExn+DS
Malware Config

Extracted

family: quasar
version: 1.4.1
Office04
C2: Kneegrowless-33547.portmap.host:33547
10674f25-f575-4b14-92cf-06a7073df875
encryption_key: E5427EE2BE27EB8DFAE76384CABC8A5EBB33EB00
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar payload (10 IoCs)
Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTP, 15 IoCs)
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

(each entry: depth in the process tree, PID, image path; command line; signatures)

[depth 1] PID 2908  C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[depth 2] PID 2460  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOFfvVrrIsBd.bat" "
    signatures: Suspicious use of WriteProcessMemory
[depth 3] PID 2628  C:\Windows\system32\chcp.com
    command line: chcp 65001
[depth 3] PID 2536  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[depth 3] PID 2640  C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[depth 4] PID 2372  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\LJjHvukiq5Ry.bat" "
    signatures: Suspicious use of WriteProcessMemory
[depth 5] PID 2520  C:\Windows\system32\chcp.com
    command line: chcp 65001
[depth 5] PID 2880  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[depth 5] PID 852  C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[depth 6] PID 2708  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\0rayHIVNcCgF.bat" "
    signatures: Suspicious use of WriteProcessMemory
[depth 7] PID 864  C:\Windows\system32\chcp.com
    command line: chcp 65001
[depth 7] PID 1544  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[depth 7] PID 1912  C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[depth 8] PID 2740  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ipMWbRlmedfm.bat" "
    signatures: Suspicious use of WriteProcessMemory
[depth 9] PID 2108  C:\Windows\system32\chcp.com
    command line: chcp 65001
[depth 9] PID 1564  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[depth 9] PID 2744  C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[depth 10] PID 2004  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\oqgehtR9G3jm.bat" "
    signatures: Suspicious use of WriteProcessMemory
[depth 11] PID 2324  C:\Windows\system32\chcp.com
    command line: chcp 65001
[depth 11] PID 1932  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[depth 11] PID 684  C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[depth 12] PID 1680  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\W83WGuHV4mkW.bat" "
    signatures: Suspicious use of WriteProcessMemory
[depth 13] PID 1100  C:\Windows\system32\chcp.com
    command line: chcp 65001
[depth 13] PID 1092  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[depth 13] PID 1224  C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
[depth 14] PID 1692  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\q5SfMvKO1LwA.bat" "
[depth 15] PID 984  C:\Windows\system32\chcp.com
    command line: chcp 65001
[depth 15] PID 2316  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[depth 15] PID 856  C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
[depth 16] PID 1432  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\pNN3xBZGOC7c.bat" "
[depth 17] PID 1896  C:\Windows\system32\chcp.com
    command line: chcp 65001
[depth 17] PID 624  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[depth 17] PID 2784  C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
[depth 18] PID 2788  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\bcqHBXWskcxW.bat" "
[depth 19] PID 2360  C:\Windows\system32\chcp.com
    command line: chcp 65001
[depth 19] PID 2468  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[depth 19] PID 2476  C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
[depth 20] PID 2416  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\8sSGlbcwXjOd.bat" "
[depth 21] PID 2736  C:\Windows\system32\chcp.com
    command line: chcp 65001
[depth 21] PID 2668  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[depth 21] PID 1120  C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
[depth 22] PID 2604  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\j0b8Lyy5WXa7.bat" "
[depth 23] PID 2340  C:\Windows\system32\chcp.com
    command line: chcp 65001
[depth 23] PID 2420  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[depth 23] PID 996  C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
[depth 24] PID 1204  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\52OXRp3qUgwY.bat" "
[depth 25] PID 2108  C:\Windows\system32\chcp.com
    command line: chcp 65001
[depth 25] PID 1012  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[depth 25] PID 2036  C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
[depth 26] PID 2324  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCfJJSlnYdXg.bat" "
[depth 27] PID 2760  C:\Windows\system32\chcp.com
    command line: chcp 65001
[depth 27] PID 2772  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[depth 27] PID 1932  C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
[depth 28] PID 1808  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\oSqq34TDs5OD.bat" "
[depth 29] PID 608  C:\Windows\system32\chcp.com
    command line: chcp 65001
[depth 29] PID 684  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[depth 29] PID 956  C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
[depth 30] PID 472  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\j23GB51JMsLt.bat" "
[depth 31] PID 1676  C:\Windows\system32\chcp.com
    command line: chcp 65001
[depth 31] PID 952  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[depth 31] PID 2144  C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads