Analysis
- max time kernel: 149s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 22-04-2024 01:08

Behavioral task: behavioral1
Sample: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
Resource: win7-20240215-en

General
- Target: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
- Size: 3.1MB
- MD5: 24e7acb706dffb37b3e682424719f5ab
- SHA1: 5d4864f3acb3076ee4005990114a4a1f2520d456
- SHA256: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d
- SHA512: 3d4b62d8a2c725f288277a0021c5dc46600e71b20fcdc660fdb00e0d37ff0a0114b7571d331fd85f989da74ef2dbf57add61b90085ff94cf53f5d07fea215c50
- SSDEEP: 49152:HvilL26AaNeWgPhlmVqvMQ7XSKE6kjn+DixoGgBoTHHB72eh2NT:HvaL26AaNeWgPhlmVqkQ7XSKExn+DS
Malware Config
Extracted
- quasar
- 1.4.1
- Office04
- Kneegrowless-33547.portmap.host:33547
- 10674f25-f575-4b14-92cf-06a7073df875
- encryption_key: E5427EE2BE27EB8DFAE76384CABC8A5EBB33EB00
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Signatures
- Quasar payload (12 IoCs)
  Processes (resource, yara_rule):
  behavioral1/memory/2816-0-0x0000000001100000-0x0000000001424000-memory.dmp  family_quasar
  behavioral1/memory/2636-13-0x0000000000190000-0x00000000004B4000-memory.dmp  family_quasar
  behavioral1/memory/2440-26-0x0000000001300000-0x0000000001624000-memory.dmp  family_quasar
  behavioral1/memory/1372-51-0x0000000000110000-0x0000000000434000-memory.dmp  family_quasar
  behavioral1/memory/652-64-0x0000000000DB0000-0x00000000010D4000-memory.dmp  family_quasar
  behavioral1/memory/1312-77-0x0000000000130000-0x0000000000454000-memory.dmp  family_quasar
  behavioral1/memory/360-90-0x0000000001270000-0x0000000001594000-memory.dmp  family_quasar
  behavioral1/memory/1832-139-0x0000000000040000-0x0000000000364000-memory.dmp  family_quasar
  behavioral1/memory/1572-152-0x0000000001140000-0x0000000001464000-memory.dmp  family_quasar
  behavioral1/memory/1532-165-0x0000000000350000-0x0000000000674000-memory.dmp  family_quasar
  behavioral1/memory/1052-178-0x0000000000F80000-0x00000000012A4000-memory.dmp  family_quasar
  behavioral1/memory/2236-191-0x00000000000D0000-0x00000000003F4000-memory.dmp  family_quasar
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTPs, 16 IoCs)
  Processes (pid, process): 2396 PING.EXE, 1052 PING.EXE, 2180 PING.EXE, 1544 PING.EXE, 2340 PING.EXE, 320 PING.EXE, 540 PING.EXE, 2632 PING.EXE, 776 PING.EXE, 1548 PING.EXE, 2464 PING.EXE, 532 PING.EXE, 1312 PING.EXE, 2676 PING.EXE, 2232 PING.EXE, 2716 PING.EXE
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes (description, pid, process): Token: SeDebugPrivilege in PIDs 2816, 2636, 2440, 2028, 1372, 652, 1312, 360, 2204, 2564, 2660, 1832, 1572, 1532, 1052, 2236, each an instance of 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(level = depth in the process tree; each entry lists image path, PID, command line and the signatures it triggered)

[level 1] PID 2816: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[level 2] PID 856: C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\uzrBa006fule.bat" "
    signatures: Suspicious use of WriteProcessMemory
[level 3] PID 2680: C:\Windows\system32\chcp.com
    command line: chcp 65001
[level 3] PID 2676: C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[level 3] PID 2636: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[level 4] PID 2660: C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\8Ybc4omaofo1.bat" "
    signatures: Suspicious use of WriteProcessMemory
[level 5] PID 2544: C:\Windows\system32\chcp.com
    command line: chcp 65001
[level 5] PID 2716: C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[level 5] PID 2440: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[level 6] PID 1832: C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Bqc819dEdlQi.bat" "
    signatures: Suspicious use of WriteProcessMemory
[level 7] PID 2036: C:\Windows\system32\chcp.com
    command line: chcp 65001
[level 7] PID 2340: C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[level 7] PID 2028: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[level 8] PID 2008: C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\90DJKwPZojDS.bat" "
    signatures: Suspicious use of WriteProcessMemory
[level 9] PID 2324: C:\Windows\system32\chcp.com
    command line: chcp 65001
[level 9] PID 776: C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[level 9] PID 1372: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[level 10] PID 2508: C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\dZBGtzhEetCS.bat" "
    signatures: Suspicious use of WriteProcessMemory
[level 11] PID 2656: C:\Windows\system32\chcp.com
    command line: chcp 65001
[level 11] PID 2396: C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[level 11] PID 652: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[level 12] PID 1684: C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\uYnIKErDxrG6.bat" "
    signatures: Suspicious use of WriteProcessMemory
[level 13] PID 1460: C:\Windows\system32\chcp.com
    command line: chcp 65001
[level 13] PID 1052: C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[level 13] PID 1312: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
[level 14] PID 2392: C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RT5hZ6b3rRXH.bat" "
[level 15] PID 720: C:\Windows\system32\chcp.com
    command line: chcp 65001
[level 15] PID 2232: C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[level 15] PID 360: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
[level 16] PID 3048: C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\mhRf9Y5wpgP7.bat" "
[level 17] PID 1724: C:\Windows\system32\chcp.com
    command line: chcp 65001
[level 17] PID 1548: C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[level 17] PID 2204: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
[level 18] PID 2200: C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\oB3g7KxpaIL8.bat" "
[level 19] PID 2608: C:\Windows\system32\chcp.com
    command line: chcp 65001
[level 19] PID 2632: C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[level 19] PID 2564: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
[level 20] PID 2640: C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\UcRTnjJsJBrD.bat" "
[level 21] PID 2628: C:\Windows\system32\chcp.com
    command line: chcp 65001
[level 21] PID 2464: C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[level 21] PID 2660: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
[level 22] PID 2792: C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\jWcoZHR84A51.bat" "
[level 23] PID 2840: C:\Windows\system32\chcp.com
    command line: chcp 65001
[level 23] PID 2180: C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[level 23] PID 1832: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
[level 24] PID 1812: C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tuEkEbkkAxHQ.bat" "
[level 25] PID 1828: C:\Windows\system32\chcp.com
    command line: chcp 65001
[level 25] PID 320: C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[level 25] PID 1572: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
[level 26] PID 1584: C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ax4vSBMK3wcQ.bat" "
[level 27] PID 472: C:\Windows\system32\chcp.com
    command line: chcp 65001
[level 27] PID 540: C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[level 27] PID 1532: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
[level 28] PID 1276: C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\UBSQy542EXep.bat" "
[level 29] PID 1484: C:\Windows\system32\chcp.com
    command line: chcp 65001
[level 29] PID 532: C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[level 29] PID 1052: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
[level 30] PID 1556: C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\9YKoC1ZGdjxH.bat" "
[level 31] PID 3060: C:\Windows\system32\chcp.com
    command line: chcp 65001
[level 31] PID 1312: C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
[level 31] PID 2236: C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    signatures: Suspicious use of AdjustPrivilegeToken
[level 32] PID 1448: C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\JSrJDZQLrhR0.bat" "
[level 33] PID 2080: C:\Windows\system32\chcp.com
    command line: chcp 65001
[level 33] PID 1544: C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads