Analysis
max time kernel: 145s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-04-2024 01:08
Behavioral task: behavioral1
Sample: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
Resource: win7-20240215-en
General
Target: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
Size: 3.1MB
MD5: 24e7acb706dffb37b3e682424719f5ab
SHA1: 5d4864f3acb3076ee4005990114a4a1f2520d456
SHA256: 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d
SHA512: 3d4b62d8a2c725f288277a0021c5dc46600e71b20fcdc660fdb00e0d37ff0a0114b7571d331fd85f989da74ef2dbf57add61b90085ff94cf53f5d07fea215c50
SSDEEP: 49152:HvilL26AaNeWgPhlmVqvMQ7XSKE6kjn+DixoGgBoTHHB72eh2NT:HvaL26AaNeWgPhlmVqkQ7XSKExn+DS
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: Kneegrowless-33547.portmap.host:33547
Mutex: 10674f25-f575-4b14-92cf-06a7073df875
Attributes:
encryption_key: E5427EE2BE27EB8DFAE76384CABC8A5EBB33EB00
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures
- Quasar payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral2/memory/2440-0-0x0000000000810000-0x0000000000B34000-memory.dmp | family_quasar
- Checks computer location settings (2 TTPs, 15 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  (the same row is logged once for each of the 15 instances of 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 15 IoCs)
  Processes:
  pid | process
  636 | PING.EXE
  3548 | PING.EXE
  3988 | PING.EXE
  944 | PING.EXE
  2356 | PING.EXE
  3616 | PING.EXE
  692 | PING.EXE
  5024 | PING.EXE
  4896 | PING.EXE
  1736 | PING.EXE
  1036 | PING.EXE
  640 | PING.EXE
  4956 | PING.EXE
  2836 | PING.EXE
  4536 | PING.EXE
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2440 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Token: SeDebugPrivilege | 4200 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Token: SeDebugPrivilege | 3600 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Token: SeDebugPrivilege | 3232 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Token: SeDebugPrivilege | 1604 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Token: SeDebugPrivilege | 1480 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Token: SeDebugPrivilege | 344 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Token: SeDebugPrivilege | 3720 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Token: SeDebugPrivilege | 3632 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Token: SeDebugPrivilege | 3088 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Token: SeDebugPrivilege | 1436 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Token: SeDebugPrivilege | 3360 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Token: SeDebugPrivilege | 3160 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Token: SeDebugPrivilege | 964 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  Token: SeDebugPrivilege | 2016 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
  description | pid | process | target process
  (each of the 32 rows below is logged twice in the report, giving the 64 IoCs)
  PID 2440 wrote to memory of 3660 | 2440 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | cmd.exe
  PID 3660 wrote to memory of 4092 | 3660 | cmd.exe | chcp.com
  PID 3660 wrote to memory of 2356 | 3660 | cmd.exe | PING.EXE
  PID 3660 wrote to memory of 4200 | 3660 | cmd.exe | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  PID 4200 wrote to memory of 5116 | 4200 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | cmd.exe
  PID 5116 wrote to memory of 1036 | 5116 | cmd.exe | chcp.com
  PID 5116 wrote to memory of 636 | 5116 | cmd.exe | PING.EXE
  PID 5116 wrote to memory of 3600 | 5116 | cmd.exe | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  PID 3600 wrote to memory of 1532 | 3600 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | cmd.exe
  PID 1532 wrote to memory of 4916 | 1532 | cmd.exe | chcp.com
  PID 1532 wrote to memory of 4896 | 1532 | cmd.exe | PING.EXE
  PID 1532 wrote to memory of 3232 | 1532 | cmd.exe | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  PID 3232 wrote to memory of 2388 | 3232 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | cmd.exe
  PID 2388 wrote to memory of 888 | 2388 | cmd.exe | chcp.com
  PID 2388 wrote to memory of 3616 | 2388 | cmd.exe | PING.EXE
  PID 2388 wrote to memory of 1604 | 2388 | cmd.exe | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  PID 1604 wrote to memory of 216 | 1604 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | cmd.exe
  PID 216 wrote to memory of 3028 | 216 | cmd.exe | chcp.com
  PID 216 wrote to memory of 4536 | 216 | cmd.exe | PING.EXE
  PID 216 wrote to memory of 1480 | 216 | cmd.exe | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  PID 1480 wrote to memory of 4776 | 1480 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | cmd.exe
  PID 4776 wrote to memory of 2668 | 4776 | cmd.exe | chcp.com
  PID 4776 wrote to memory of 4956 | 4776 | cmd.exe | PING.EXE
  PID 4776 wrote to memory of 344 | 4776 | cmd.exe | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  PID 344 wrote to memory of 1520 | 344 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | cmd.exe
  PID 1520 wrote to memory of 1948 | 1520 | cmd.exe | chcp.com
  PID 1520 wrote to memory of 692 | 1520 | cmd.exe | PING.EXE
  PID 1520 wrote to memory of 3720 | 1520 | cmd.exe | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
  PID 3720 wrote to memory of 2232 | 3720 | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | cmd.exe
  PID 2232 wrote to memory of 3284 | 2232 | cmd.exe | chcp.com
  PID 2232 wrote to memory of 3548 | 2232 | cmd.exe | PING.EXE
  PID 2232 wrote to memory of 3632 | 2232 | cmd.exe | 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
Processes
(the bracketed number is the nesting depth in the process tree; each entry lists the image path, the command line, the signatures it triggered and its PID)
[1] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2440
[2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZxhL8XxZI7DC.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 3660
[3] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 4092
[3] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    - Runs ping.exe
    PID: 2356
[3] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4200
[4] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SS4PQujQyOxd.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 5116
[5] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 1036
[5] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    - Runs ping.exe
    PID: 636
[5] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3600
[6] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ujWzwWWjMyMd.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 1532
[7] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 4916
[7] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    - Runs ping.exe
    PID: 4896
[7] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3232
[8] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ilmcCVHJxEqJ.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 2388
[9] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 888
[9] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    - Runs ping.exe
    PID: 3616
[9] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1604
[10] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fhPLqedx5Woe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 216
[11] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 3028
[11] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    - Runs ping.exe
    PID: 4536
[11] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1480
[12] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meUnP5wWZn2Y.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 4776
[13] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 2668
[13] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    - Runs ping.exe
    PID: 4956
[13] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 344
[14] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B4B9SDuTH3dC.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 1520
[15] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 1948
[15] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    - Runs ping.exe
    PID: 692
[15] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3720
[16] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gw5gkKXU1DyV.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 2232
[17] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 3284
[17] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    - Runs ping.exe
    PID: 3548
[17] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 3632
[18] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1WttLNFQVACq.bat" "
    PID: 1572
[19] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 216
[19] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    - Runs ping.exe
    PID: 3988
[19] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 3088
[20] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOkdQsqFpLRZ.bat" "
    PID: 2428
[21] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 4964
[21] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    - Runs ping.exe
    PID: 640
[21] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 1436
[22] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H1bMgaGJO1sy.bat" "
    PID: 2304
[23] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 2176
[23] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    - Runs ping.exe
    PID: 5024
[23] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 3360
[24] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0agnF48wud31.bat" "
    PID: 4996
[25] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 3936
[25] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    - Runs ping.exe
    PID: 1736
[25] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 3160
[26] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U5RAxoiKq1Vy.bat" "
    PID: 1320
[27] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 4908
[27] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    - Runs ping.exe
    PID: 1036
[27] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 964
[28] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R1t2iyHgQuYX.bat" "
    PID: 224
[29] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 3480
[29] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    - Runs ping.exe
    PID: 944
[29] C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 2016
[30] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCk0rgR8Is4b.bat" "
    PID: 4364
[31] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 1176
[31] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    - Runs ping.exe
    PID: 2836
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe.log
  Filesize: 2KB
  MD5: 8f0271a63446aef01cf2bfc7b7c7976b
  SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
  SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
  SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
- 15 further dropped files of 261B each, which the report lists only by hash