Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system -
submitted
21-04-2024 08:28
Behavioral task
behavioral1
Sample
0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
Resource
win7-20240220-en
General
-
Target
0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
-
Size
3.1MB
-
MD5
24e7acb706dffb37b3e682424719f5ab
-
SHA1
5d4864f3acb3076ee4005990114a4a1f2520d456
-
SHA256
0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d
-
SHA512
3d4b62d8a2c725f288277a0021c5dc46600e71b20fcdc660fdb00e0d37ff0a0114b7571d331fd85f989da74ef2dbf57add61b90085ff94cf53f5d07fea215c50
-
SSDEEP
49152:HvilL26AaNeWgPhlmVqvMQ7XSKE6kjn+DixoGgBoTHHB72eh2NT:HvaL26AaNeWgPhlmVqkQ7XSKExn+DS
Malware Config
Extracted
Family
quasar
Version
1.4.1
Botnet
Office04
C2
Kneegrowless-33547.portmap.host:33547
Mutex
10674f25-f575-4b14-92cf-06a7073df875
-
encryption_key
E5427EE2BE27EB8DFAE76384CABC8A5EBB33EB00
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Notes on the config: the C2 is a hostname under portmap.host, a public port-forwarding service, so the operator's real address sits behind the forwarder and the resolved IP can change; hunt on the hostname and port 33547 rather than on an IP. startup_key is the value name Quasar writes under the Run key for persistence, and subdirectory\install_name (SubDir\Client.exe) is the name of the installed copy; the install root is not part of the extracted config.
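The extracted config can be turned directly into host-hunting checks. The block below is an added example, not part of the sandbox report or of Quasar: it takes the config values shown above and evaluates them against constructed telemetry records (a Run-key value, a file path, DNS queries and connections). Two assumptions are labelled in the code: the install root is unknown, so the file check matches only on the SubDir\Client.exe tail, and a query for any other name under the portmap.host forwarding zone is reported as a deliberately weak hit.

```python
"""Host-hunting checks derived from the extracted Quasar client config.

Added example, not part of the sandbox report or of Quasar. The CONFIG values
are the ones the report shows; the telemetry records are constructed here.
Assumption: the install root (APPDATA or Program Files) is not in the report,
so the file check matches only on the <subdirectory>\\<install_name> tail.
"""

CONFIG = {
    "c2": "Kneegrowless-33547.portmap.host:33547",
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "Quasar Client Startup",
}


def parse_c2(c2):
    """Split 'host:port' into (lowercase host, int port)."""
    host, _, port = c2.rpartition(":")
    return host.lower(), int(port)


def run_value_target(data):
    """Return the executable path from Run-key data such as '"C:\\x\\y.exe" /arg'."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ", 1)[0]


def install_tail(cfg):
    return ("\\" + cfg["subdirectory"] + "\\" + cfg["install_name"]).lower()


def check_run_value(name, data, cfg=CONFIG):
    reasons = []
    if name == cfg["startup_key"]:
        reasons.append("Run value name equals startup_key")
    if run_value_target(data).lower().endswith(install_tail(cfg)):
        reasons.append("Run value target ends in subdirectory\\install_name")
    return reasons


def check_path(path, cfg=CONFIG):
    return ["path ends in subdirectory\\install_name"] if path.lower().endswith(install_tail(cfg)) else []


def check_dns(qname, cfg=CONFIG):
    """Exact C2 host is a strong hit; any other name under the parent zone
    (assumed to be a shared port-forwarding service) is reported as weak."""
    host, _ = parse_c2(cfg["c2"])
    q = qname.lower().rstrip(".")
    if q == host:
        return ["DNS query for the C2 host"]
    parent = host.split(".", 1)[1]
    if q.endswith("." + parent):
        return ["DNS query under the C2's port-forwarding zone (weak)"]
    return []


def check_netconn(dst_host, dst_port, cfg=CONFIG):
    host, port = parse_c2(cfg["c2"])
    return ["connection to C2 host:port"] if (dst_host.lower(), dst_port) == (host, port) else []


def hunt(records, cfg=CONFIG):
    """Evaluate constructed telemetry records; return (record id, reasons) for hits."""
    hits = []
    for rec in records:
        kind = rec["type"]
        if kind == "run_value":
            reasons = check_run_value(rec["name"], rec["data"], cfg)
        elif kind == "file":
            reasons = check_path(rec["path"], cfg)
        elif kind == "dns":
            reasons = check_dns(rec["qname"], cfg)
        elif kind == "netconn":
            reasons = check_netconn(rec["host"], rec["port"], cfg)
        else:
            reasons = []
        if reasons:
            hits.append((rec["id"], reasons))
    return hits


# Constructed telemetry; only the Quasar-shaped records should fire.
RECORDS = [
    {"id": 1, "type": "run_value", "name": "Quasar Client Startup",
     "data": r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'},
    {"id": 2, "type": "run_value", "name": "OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"id": 3, "type": "file", "path": r"C:\Program Files\SubDir\Client.exe"},
    {"id": 4, "type": "dns", "qname": "KNEEGROWLESS-33547.portmap.host."},
    {"id": 5, "type": "dns", "qname": "other-tunnel.portmap.host"},
    {"id": 6, "type": "dns", "qname": "www.example.com"},
    {"id": 7, "type": "netconn", "host": "kneegrowless-33547.portmap.host", "port": 33547},
    {"id": 8, "type": "netconn", "host": "kneegrowless-33547.portmap.host", "port": 443},
]

if __name__ == "__main__":
    for rec_id, reasons in hunt(RECORDS):
        print(rec_id, "; ".join(reasons))
```

Records 1, 3, 4 and 7 are the strong hits; record 5 fires only the weak zone check and is there to show that the forwarding-service parent domain should be triaged, not blocked outright.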
Signatures
-
Quasar payload 1 IoCs
Resource: behavioral2/memory/3588-0-0x0000000000D60000-0x0000000001084000-memory.dmp
YARA rule: family_quasar
The matching region is 0x324000 bytes (about 3.1 MB) of PID 3588, the first instance of the sample, which is the same size as the 3.1MB file on disk; this is consistent with the rule hitting the sample's own mapped image rather than a separately unpacked payload. -
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe (15 instances)
Key value queried, once per instance: \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation
This is the current user's HKCU\Control Panel\International\Geo\Nation value. The same key is read by ordinary .NET region lookups (GetUserGeoID behind RegionInfo), so on its own it is weak evidence of geofencing; the sample kept running in this en-us sandbox. -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 15 IoCs
Processes: PING.EXE (15 instances)
PIDs: 5036, 4292, 1448, 1528, 4880, 3860, 1232, 5080, 3348, 3156, 2252, 5020, 4292, 4968, 2068
Every instance is "ping -n 10 localhost", a sleep of roughly nine seconds inside each restart batch file, not network reconnaissance. -
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe (15 instances)
Token: SeDebugPrivilege adjusted by PIDs 3588, 4752, 4260, 4564, 4632, 4060, 3908, 2748, 2376, 3724, 4472, 4424, 3852, 2944, 3724 (PID 3724 is two separate instances; Windows reused the PID). -
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe, cmd.exe
The raw list records each parent-to-child write twice (64 events, 32 distinct pairs). Listed once here as "parent PID (image) -> child PID (image)", with sample = 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe:
3588 (sample) -> 2540 (cmd.exe)
2540 (cmd.exe) -> 2376 (chcp.com)
2540 (cmd.exe) -> 5036 (PING.EXE)
2540 (cmd.exe) -> 4752 (sample)
4752 (sample) -> 2424 (cmd.exe)
2424 (cmd.exe) -> 4428 (chcp.com)
2424 (cmd.exe) -> 5080 (PING.EXE)
2424 (cmd.exe) -> 4260 (sample)
4260 (sample) -> 3748 (cmd.exe)
3748 (cmd.exe) -> 2740 (chcp.com)
3748 (cmd.exe) -> 1528 (PING.EXE)
3748 (cmd.exe) -> 4564 (sample)
4564 (sample) -> 2344 (cmd.exe)
2344 (cmd.exe) -> 1596 (chcp.com)
2344 (cmd.exe) -> 3348 (PING.EXE)
2344 (cmd.exe) -> 4632 (sample)
4632 (sample) -> 3492 (cmd.exe)
3492 (cmd.exe) -> 3276 (chcp.com)
3492 (cmd.exe) -> 3156 (PING.EXE)
3492 (cmd.exe) -> 4060 (sample)
4060 (sample) -> 4964 (cmd.exe)
4964 (cmd.exe) -> 1332 (chcp.com)
4964 (cmd.exe) -> 4292 (PING.EXE)
4964 (cmd.exe) -> 3908 (sample)
3908 (sample) -> 4032 (cmd.exe)
4032 (cmd.exe) -> 4772 (chcp.com)
4032 (cmd.exe) -> 1448 (PING.EXE)
4032 (cmd.exe) -> 2748 (sample)
2748 (sample) -> 4412 (cmd.exe)
4412 (cmd.exe) -> 4004 (chcp.com)
4412 (cmd.exe) -> 4880 (PING.EXE)
4412 (cmd.exe) -> 2376 (sample)
These writes are the normal CreateProcess child set-up for each generation of the chain; the signature capped at 64 events, so later generations are not listed here.
Processes
-
Notation: SAMPLE = C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe, always started with the command line "SAMPLE" (the quoted full path). Each entry reads "depth  image  |  command line  |  PID", followed by the signatures that fired on it. The tree is one long chain: each SAMPLE instance runs cmd.exe on a random-named .bat in the user's Temp directory, which runs chcp 65001, sleeps with ping -n 10 localhost and starts SAMPLE again. Fifteen batch files ran and fourteen relaunches were captured before the 150 s run ended.

depth 1   SAMPLE  |  "SAMPLE"  |  PID 3588
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 2   C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h3KQk3tmpXwm.bat" "  |  PID 2540
  - Suspicious use of WriteProcessMemory
depth 3   C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 2376
depth 3   C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 5036
  - Runs ping.exe
depth 3   SAMPLE  |  "SAMPLE"  |  PID 4752
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 4   C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcAlz1FrFZia.bat" "  |  PID 2424
  - Suspicious use of WriteProcessMemory
depth 5   C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 4428
depth 5   C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 5080
  - Runs ping.exe
depth 5   SAMPLE  |  "SAMPLE"  |  PID 4260
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 6   C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUgQD8fR0YvW.bat" "  |  PID 3748
  - Suspicious use of WriteProcessMemory
depth 7   C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 2740
depth 7   C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 1528
  - Runs ping.exe
depth 7   SAMPLE  |  "SAMPLE"  |  PID 4564
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 8   C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auDM4HqLAjRF.bat" "  |  PID 2344
  - Suspicious use of WriteProcessMemory
depth 9   C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 1596
depth 9   C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 3348
  - Runs ping.exe
depth 9   SAMPLE  |  "SAMPLE"  |  PID 4632
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 10  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAUBwOXrOcha.bat" "  |  PID 3492
  - Suspicious use of WriteProcessMemory
depth 11  C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 3276
depth 11  C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 3156
  - Runs ping.exe
depth 11  SAMPLE  |  "SAMPLE"  |  PID 4060
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 12  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmBHU99RhLni.bat" "  |  PID 4964
  - Suspicious use of WriteProcessMemory
depth 13  C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 1332
depth 13  C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 4292
  - Runs ping.exe
depth 13  SAMPLE  |  "SAMPLE"  |  PID 3908
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 14  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\drDaaP3uiAO4.bat" "  |  PID 4032
  - Suspicious use of WriteProcessMemory
depth 15  C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 4772
depth 15  C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 1448
  - Runs ping.exe
depth 15  SAMPLE  |  "SAMPLE"  |  PID 2748
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 16  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fNADFXAmWs8s.bat" "  |  PID 4412
  - Suspicious use of WriteProcessMemory
depth 17  C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 4004
depth 17  C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 4880
  - Runs ping.exe
depth 17  SAMPLE  |  "SAMPLE"  |  PID 2376
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
depth 18  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YzPQMnl5pjh4.bat" "  |  PID 4376
depth 19  C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 4372
depth 19  C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 3860
  - Runs ping.exe
depth 19  SAMPLE  |  "SAMPLE"  |  PID 3724
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
depth 20  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\me4vO7g5QPse.bat" "  |  PID 1252
depth 21  C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 1096
depth 21  C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 2252
  - Runs ping.exe
depth 21  SAMPLE  |  "SAMPLE"  |  PID 4472
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
depth 22  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5LbzD7dp01xA.bat" "  |  PID 1548
depth 23  C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 4808
depth 23  C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 5020
  - Runs ping.exe
depth 23  SAMPLE  |  "SAMPLE"  |  PID 4424
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
depth 24  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FN8zHBs0afkA.bat" "  |  PID 3636
depth 25  C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 2356
depth 25  C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 1232
  - Runs ping.exe
depth 25  SAMPLE  |  "SAMPLE"  |  PID 3852
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
depth 26  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSFbXLsBohmm.bat" "  |  PID 2140
depth 27  C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 3000
depth 27  C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 4292
  - Runs ping.exe
depth 27  SAMPLE  |  "SAMPLE"  |  PID 2944
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
depth 28  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v21sVDRmH4OA.bat" "  |  PID 3908
depth 29  C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 3956
depth 29  C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 4968
  - Runs ping.exe
depth 29  SAMPLE  |  "SAMPLE"  |  PID 3724
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
depth 30  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6LXbjoqgH6c8.bat" "  |  PID 1268
depth 31  C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 1448
depth 31  C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 2068
  - Runs ping.exe

PIDs 2376, 3724, 4292, 3908 and 1448 each appear twice in this tree because Windows reuses PIDs once a process has exited; when correlating with endpoint telemetry, key on (PID, process start time) or a process GUID rather than on PID alone. The "Suspicious use of WriteProcessMemory" tag stops at depth 17 only because that signature caps at 64 events, not because the later generations behaved differently.
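The tree above is a repeating chain with a fixed shape: a cmd.exe running a random-named .bat from a temp directory, whose children are chcp.com, a "ping -n N localhost" sleep and a fresh copy of the very image that started the cmd.exe. That shape, not the random file names, is what a detection should key on. The block below is an added example, not code from the sandbox report or from Quasar: it replays the first generation of the tree (PIDs 3588, 2540, 2376, 5036, 4752) as constructed process-creation events alongside an invented benign look-alike (PIDs 9000 to 9003, an installer whose post-install batch pings localhost and then starts a different program) and flags only the chain whose relaunched child matches the grandparent's image. The event field names (pid, ppid, image, cmdline) are an assumption about the telemetry source.

```python
"""Detect the self-restart chain in the report from process-creation telemetry.

Added example, not part of the sandbox report or of Quasar. Events below are
constructed from the report's first generation plus an invented benign chain.
Detection: cmd.exe runs a .bat, its children include a localhost ping used as
a sleep, and one child is the same image as cmd.exe's own parent (a relaunch).
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

# Constructed events modelled on the report; PIDs 9000-9003 are an invented
# benign look-alike that must NOT fire (it pings, but launches a different program).
EVENTS = [
    {"pid": 3588, "ppid": 1000, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"pid": 2540, "ppid": 3588, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h3KQk3tmpXwm.bat" "'},
    {"pid": 2376, "ppid": 2540, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 5036, "ppid": 2540, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 4752, "ppid": 2540, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"pid": 9000, "ppid": 1000, "image": r"C:\Program Files\App\setup.exe", "cmdline": "setup.exe"},
    {"pid": 9001, "ppid": 9000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Program Files\App\post.bat"'},
    {"pid": 9002, "ppid": 9001, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 3 localhost"},
    {"pid": 9003, "ppid": 9001, "image": r"C:\Program Files\App\helper.exe", "cmdline": "helper.exe"},
]

BAT_RE = re.compile(r'/c\s+"*(?P<bat>[^"]+\.bat)"*', re.IGNORECASE)
TEMP_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
PING_SLEEP_RE = re.compile(r"ping(\.exe)?\s+-n\s+\d+\s+(localhost|127\.0\.0\.1)", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_restart_chains(events):
    """Return one hit per cmd.exe that runs a .bat, sleeps via ping, and relaunches its parent's image."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    hits = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        m = BAT_RE.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if not m or parent is None:
            continue
        kids = children[e["pid"]]
        sleeps = any(PING_SLEEP_RE.search(k["cmdline"]) for k in kids)
        relaunch = any(k["image"].lower() == parent["image"].lower() for k in kids)
        if sleeps and relaunch:
            hits.append({
                "cmd_pid": e["pid"],
                "bat": m.group("bat"),
                "temp_bat": bool(TEMP_RE.search(m.group("bat"))),   # extra weight if the .bat lives in Temp
                "chcp": any(basename(k["image"]) == "chcp.com" for k in kids),
                "relaunched": parent["image"],
            })
    return hits


if __name__ == "__main__":
    for h in find_restart_chains(EVENTS):
        print("restart chain: cmd.exe PID", h["cmd_pid"], "relaunched", h["relaunched"])
```

Running the generation with the real PIDs through this yields exactly one hit (cmd.exe 2540); the installer chain does not fire because helper.exe is not setup.exe. In a SIEM the same join is parent-of-parent image equals child image under a cmd.exe that ran a .bat, with the ping sleep and the Temp location as supporting evidence.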
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe.log
Filesize 2KB
MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
(This usage log is written by the .NET Framework runtime when a managed executable runs; it confirms the sample is a .NET binary, as Quasar is, and is not itself malicious content.)
-
The fifteen 261B files below are listed by the report without names; the count matches the fifteen .bat files run in the process tree.
-
Filesize 261B
MD5 fc7f21f016c12cc477c705287cc6fe43
SHA1 33f0dae29457932a4a2b6784625560565209f424
SHA256 85793ad1977f93da9a2f6af16a7f17ddbfc3e1f94eabf94220994fcabd50c6eb
SHA512 c3f31aa0fb194644d26bc9dce4b23e03791367fea1680e037792bef2e390dcc2f967fffd5c0574e53b98621302f988a2a664fd18387bfffbf678cc8bb9492872
-
Filesize 261B
MD5 d9240491f65ed7937d17fff8d3243099
SHA1 3093ca8fd107d0daa8f0c672b5980b0714bae1dc
SHA256 75b03a65fe71394cb71680db1417650836ee48dbec7a7146359a0f7014ea7d81
SHA512 f1360c9324a134339eab6685226a13275e5bd10b79aab2bbea2eee437df061a66b671f8bba49860f852e5769a2063ceb44203a801bedcdc81c19ce03a1486774
-
Filesize 261B
MD5 f33ec1172e16d4af403b20051ad7d34f
SHA1 415d1f5fa64a5ff36262a439fd92d61d0ef74f75
SHA256 efbaaca56bad4a859387043c9e96a8a2555d6e9d473e94c2a04d4aeec8912d94
SHA512 83f1bdc136cc007eb7fdbb024021f596101120fdf01bca380168f84568b4d677bd78c95ac97cb5abc014c1c5e14e29783e64dad6793b9eddd7109841c83f3a6a
-
Filesize 261B
MD5 1b47ee3a07eac0c65b606bebc2894098
SHA1 21cf856d7ece442620cee37406f1cb1e168728b2
SHA256 195d30503fc702b870bf91aa303777842319c8c34a17f2cc916e7ed0df516edd
SHA512 2f0cf117d8e59dfb0f03d7bb027860034ffdc29a183dc33e736cc2ca91e6729006c2fae58684538ed7dfa0b32c44922431d406087b54d042ff0e17dc8a3dc5ef
-
Filesize 261B
MD5 9ce3bbdfb904dde5b71a23a944151596
SHA1 f2d6c088a3a8c8832593cd4e90b52309bd64472b
SHA256 f4b7511c568b9aad659ad049557cad133382de6bbce1914524a2a8fcb0e9c8ff
SHA512 51f51d3b8cb739dfcdd6c3da432a331253c489eb43da7ba5abbf4cf2b1f8c80dc3209f476c3c4aecc4b27254d0ed70d67a89d7e4981d31e1125a723769758fcf
-
Filesize 261B
MD5 bbb4081b0aa65aa30e60547d0addf02e
SHA1 9929006fe4cac0ffde932d51cc931ad097aa1d8a
SHA256 33022b05c96a7e3ef3516fdf54047521dbe764d6f825f13b160997995f00bcdc
SHA512 16f5b13043491c08ff5db54b449040bf0a515e373534fa78b47bd729f6265064af63365dee4fd1daff9dd3934409b4bb1bcff0bebbefcd8a866edab1788e27b2
-
Filesize 261B
MD5 9927c04f3a0274f4857ec9c6ac39e385
SHA1 3671b3327904e3b3245ab343ba052556871c8912
SHA256 0c2c78c03f6b82c3cc4c84268cfc3d558ab8e914ae8516508458890a163e66da
SHA512 dd86f5f94bd8a39c2c2e0ee137ea0b89d75025c534ebb15c1d09d32a5802bcbc64a7aa86fafce6d61c026f7b3cb2c6eaf03afb83081908c92d91e92d7ee6b418
-
Filesize 261B
MD5 6245a85655979483d03e83afe72e9d94
SHA1 04824ed4b2c699756db8f0fe65f26d7a98b5429d
SHA256 6261b7a15fa6b23353da9160f9c9c23403f977c1bf612ee9d4d2ab3ec0b9f240
SHA512 b0d62b2ee99af8bd1317f405432b228288493be1bb3918a68d5825ee38d60290ff7d035ed31f101b0dba0422a16ddb7dc297915696485057584b73966610df06
-
Filesize 261B
MD5 cabe5979daf5138f88a7938cf9fae9c9
SHA1 6d6e5fb1dd2eb3b20f2ec0d486188aee22327bf0
SHA256 256dbe03803a7166e2a8a73c2525658bd7929cd0a57d6601d9b253a265f2bac0
SHA512 5e0011dbaae8ec7ccefce42d53cc79fe4d3f9d4fe9e56e63018585c70a639313f810052d970ac0cd49ba024ee96b334c46a3997d34a2304a53ef014cd16b0d52
-
Filesize 261B
MD5 92a6075d5b7e432a11b8fa99345c1c67
SHA1 6f90a94817ec42a9cb1ffa59f158ec5d8aad1226
SHA256 e9623096ea4438e35a84719039c2b2dab4de3d1f901c17e7db164841e55f1f09
SHA512 3a8cc06ee84ac3418bc7e1f294491b0085e8478e8b2da9e68ee0b45185c14bc8b45100977f8b8ec320eb0d4eae747dd33e774071416191b2c548181d20552fb9
-
Filesize 261B
MD5 309c155aa3118f88dba9c37dea7c3347
SHA1 f16248043245eac6045857a40250570bded17123
SHA256 be2c1bc79a66390f03c17ae2b44d5879fd71a94dea926e909f3f416482ea59f7
SHA512 21dc857213cd4188d202439a921643804dbd303a6b8ddd31ae668594dfbfb85d346502a2bb59ca34bd2c116fb506fdcde7cf1569b2392469c1469b4b2e96472c
-
Filesize 261B
MD5 2bdc01b553462bf9dfa842a6903a2dc5
SHA1 efcda5c7a432376c5a9cc5e374032dde9f4f2b5d
SHA256 9ed413ef0669ff13db9344c3585cb7a1e910b176898fc9c37813bae1c23b17e3
SHA512 ce1989c50f647cb8ce974026806c7699ea64ffdd893c80ed4c671329a75deac762c40450977eae48c5718a9f35d3c893837c81584c67213bae47226627198403
-
Filesize 261B
MD5 20a908ad6915eb284f377c7bfd67900f
SHA1 48b34666995f3fa4decbb68656f745595e4cf88e
SHA256 4f980d4bb45f4abad4ef6b378b37f01106740a6aa2a193bba3bed9b81765fa6d
SHA512 c303444360242c2b8c7ca892b70ebb77a7826aa389864e5f5a8bc51f39b68b66830146a1ebbd9589d3ddbb4f9563df0029122d15b30ea27e36b0fca8e4ab6fec
-
Filesize 261B
MD5 edbb0f9f0f7c3a683af3ff8118ba15dd
SHA1 4cf1d27b63ae433f3779e7063a337ce432ebfbf5
SHA256 6c3bd81d5c3e712f6174f94de56cfc24d73cef7d9b76544aa46b71dafb867f67
SHA512 c910cf3c14ea3a2f6e8937f37909465f3f33c192680bf68e2299e0ed649f6fe5e06edf3630c8c4ba9b0e36755323e1cf715e80be70e18805d5cd7058109afdae
-
Filesize 261B
MD5 400839890e6dfa8e6c3b50f848b412f7
SHA1 75fded159706d796d97d0a721472cffe5169aedc
SHA256 3a8d5dee07b6955fe48cc7820c0434306015a6bb9c96e599a8efe78b5d885388
SHA512 8b7a792e6455d0b1f1832174233bf296d74f59e0d7b868b583e793a6c3d04ed63e5fa9a87f39a466e0a62161c4a1eef26a2b1c75654cf92ec12fff4e475fc8d3