Analysis

Max time kernel: 149s
Max time network: 19s
Platform: windows7_x64
Resource: win7-20241010-en
Resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
Submitted: 16-12-2024 06:30

Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win7-20241010-en

General

Target: Client-built.exe
Size: 3.1MB
MD5: f67e6aafbd9c86771f11c05ae83ae83e
SHA1: c9fe04c78139d000182d89f4dd013e647db64cc0
SHA256: 534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362
SHA512: f5d5b09a92a3bc7ff862cf87c5a4285e2ada1ec4cb9d5b1467e358ad3678a2dfe6acd2f1819b7f9646f1ef5e038c9ffb295ef8a6590a75cdf911913a5edaf27a
SSDEEP: 49152:avht62XlaSFNWPjljiFa2RoUYI+Y6a95fQrk/1LoGdpTHHB72eh2NT:avL62XlaSFNWPjljiFXRoUYI8aB

Malware Config

Extracted: quasar
- 1.4.1
- Office04
- interestingsigma.hopto.org:20
- 11bbf22e-826e-486b-b024-adbd86228a9e
- encryption_key: 7A589EDBC6A581E125BF830EF0D05FC74BB75E30
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: ctfmon
- subdirectory: SubDir
Signatures

Quasar family

Quasar payload (6 IoCs)
resource: yara_rule
- behavioral1/memory/392-1-0x0000000001120000-0x0000000001444000-memory.dmp: family_quasar
- behavioral1/files/0x0003000000018334-6.dat: family_quasar
- behavioral1/memory/2840-9-0x0000000001280000-0x00000000015A4000-memory.dmp: family_quasar
- behavioral1/memory/2256-75-0x00000000013E0000-0x0000000001704000-memory.dmp: family_quasar
- behavioral1/memory/2068-97-0x0000000000260000-0x0000000000584000-memory.dmp: family_quasar
- behavioral1/memory/3052-108-0x0000000001220000-0x0000000001544000-memory.dmp: family_quasar

Executes dropped EXE (13 IoCs)
PIDs (all Client.exe): 2840, 2596, 3044, 2232, 2620, 1372, 2256, 2872, 2068, 3052, 2228, 1076, 2000

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 13 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
PIDs (all PING.EXE): 1484, 2268, 680, 2376, 1516, 2724, 1812, 1776, 1456, 2312, 2592, 2300, 2096

Runs ping.exe (1 TTP, 13 IoCs)
PIDs (all PING.EXE): 1776, 2268, 2592, 2300, 2096, 2376, 1484, 1812, 1516, 2312, 680, 2724, 1456

Scheduled Task/Job: Scheduled Task (1 TTP, 14 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PIDs (all schtasks.exe): 1992, 2984, 1096, 2408, 2696, 2504, 2432, 2556, 2064, 1644, 2380, 2600, 2804, 1004

Suspicious use of AdjustPrivilegeToken (14 IoCs)
Token: SeDebugPrivilege
- 392 Client-built.exe
- Client.exe: 2840, 2596, 3044, 2232, 2620, 1372, 2256, 2872, 2068, 3052, 2228, 1076, 2000

Suspicious use of FindShellTrayWindow (13 IoCs)
PIDs (all Client.exe): 2840, 2596, 3044, 2232, 2620, 1372, 2256, 2872, 2068, 3052, 2228, 1076, 2000

Suspicious use of SendNotifyMessage (13 IoCs)
PIDs (all Client.exe): 2840, 2596, 3044, 2232, 2620, 1372, 2256, 2872, 2068, 3052, 2228, 1076, 2000

Suspicious use of SetWindowsHookEx (1 IoC)
PID: 2840 Client.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Source PID (process) -> target PID (procid_target). Each event below is recorded three times in the report, except the last, which appears once:
- 392 (Client-built.exe) -> 2804 (29)
- 392 (Client-built.exe) -> 2840 (31)
- 2840 (Client.exe) -> 2408 (32)
- 2840 (Client.exe) -> 2924 (34)
- 2924 (cmd.exe) -> 2716 (36)
- 2924 (cmd.exe) -> 2724 (37)
- 2924 (cmd.exe) -> 2596 (38)
- 2596 (Client.exe) -> 2696 (39)
- 2596 (Client.exe) -> 1172 (41)
- 1172 (cmd.exe) -> 1580 (43)
- 1172 (cmd.exe) -> 1484 (44)
- 1172 (cmd.exe) -> 3044 (45)
- 3044 (Client.exe) -> 2064 (46)
- 3044 (Client.exe) -> 2540 (48)
- 2540 (cmd.exe) -> 1448 (50)
- 2540 (cmd.exe) -> 1812 (51)
- 2540 (cmd.exe) -> 2232 (52)
- 2232 (Client.exe) -> 2504 (53)
- 2232 (Client.exe) -> 2428 (55)
- 2428 (cmd.exe) -> 2052 (57)
- 2428 (cmd.exe) -> 1776 (58)
- 2428 (cmd.exe) -> 2620 (59)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

The bracketed number is the process's depth in the tree; each process is a child of the nearest preceding entry one level shallower. The first line of each entry is the image path and PID, the second its command line, followed by the signatures it triggered.

[1] C:\Users\Admin\AppData\Local\Temp\Client-built.exe (PID 392)
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[2] C:\Windows\system32\schtasks.exe (PID 2804)
  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2840)
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[3] C:\Windows\system32\schtasks.exe (PID 2408)
  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[3] C:\Windows\system32\cmd.exe (PID 2924)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\1mVBOOgCHipG.bat" "
  - Suspicious use of WriteProcessMemory

[4] C:\Windows\system32\chcp.com (PID 2716)
  chcp 65001

[4] C:\Windows\system32\PING.EXE (PID 2724)
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[4] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2596)
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

[5] C:\Windows\system32\schtasks.exe (PID 2696)
  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[5] C:\Windows\system32\cmd.exe (PID 1172)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\gV2VfKLbZXZt.bat" "
  - Suspicious use of WriteProcessMemory

[6] C:\Windows\system32\chcp.com (PID 1580)
  chcp 65001

[6] C:\Windows\system32\PING.EXE (PID 1484)
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[6] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3044)
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

[7] C:\Windows\system32\schtasks.exe (PID 2064)
  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[7] C:\Windows\system32\cmd.exe (PID 2540)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\G0EP3AzOt4qo.bat" "
  - Suspicious use of WriteProcessMemory

[8] C:\Windows\system32\chcp.com (PID 1448)
  chcp 65001

[8] C:\Windows\system32\PING.EXE (PID 1812)
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[8] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2232)
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

[9] C:\Windows\system32\schtasks.exe (PID 2504)
  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[9] C:\Windows\system32\cmd.exe (PID 2428)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lGVXERRwkuHy.bat" "
  - Suspicious use of WriteProcessMemory

[10] C:\Windows\system32\chcp.com (PID 2052)
  chcp 65001

[10] C:\Windows\system32\PING.EXE (PID 1776)
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[10] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2620)
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[11] C:\Windows\system32\schtasks.exe (PID 1644)
  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[11] C:\Windows\system32\cmd.exe (PID 456)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\4MvOOZmw82L1.bat" "

[12] C:\Windows\system32\chcp.com (PID 1816)
  chcp 65001

[12] C:\Windows\system32\PING.EXE (PID 1456)
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[12] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1372)
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[13] C:\Windows\system32\schtasks.exe (PID 1992)
  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[13] C:\Windows\system32\cmd.exe (PID 1528)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\JXC6U1Jj7z6y.bat" "

[14] C:\Windows\system32\chcp.com (PID 1004)
  chcp 65001

[14] C:\Windows\system32\PING.EXE (PID 2268)
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[14] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2256)
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[15] C:\Windows\system32\schtasks.exe (PID 2380)
  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[15] C:\Windows\system32\cmd.exe (PID 2912)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DmocuASl0VEn.bat" "

[16] C:\Windows\system32\chcp.com (PID 2636)
  chcp 65001

[16] C:\Windows\system32\PING.EXE (PID 2312)
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[16] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2872)
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[17] C:\Windows\system32\schtasks.exe (PID 2984)
  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[17] C:\Windows\system32\cmd.exe (PID 2732)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7j1Zp7taXRRP.bat" "

[18] C:\Windows\system32\chcp.com (PID 2880)
  chcp 65001

[18] C:\Windows\system32\PING.EXE (PID 2592)
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[18] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2068)
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[19] C:\Windows\system32\schtasks.exe (PID 2600)
  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[19] C:\Windows\system32\cmd.exe (PID 2352)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\89jzZPKp8FJh.bat" "

[20] C:\Windows\system32\chcp.com (PID 2968)
  chcp 65001

[20] C:\Windows\system32\PING.EXE (PID 2300)
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[20] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3052)
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[21] C:\Windows\system32\schtasks.exe (PID 1096)
  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[21] C:\Windows\system32\cmd.exe (PID 2900)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\P3BbRBOu0vsQ.bat" "

[22] C:\Windows\system32\chcp.com (PID 2272)
  chcp 65001

[22] C:\Windows\system32\PING.EXE (PID 2096)
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[22] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2228)
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[23] C:\Windows\system32\schtasks.exe (PID 2432)
  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[23] C:\Windows\system32\cmd.exe (PID 2412)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\UXq7KvVt1jo3.bat" "

[24] C:\Windows\system32\chcp.com (PID 2128)
  chcp 65001

[24] C:\Windows\system32\PING.EXE (PID 680)
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[24] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1076)
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[25] C:\Windows\system32\schtasks.exe (PID 2556)
  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[25] C:\Windows\system32\cmd.exe (PID 2528)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hggaLg8cWCg3.bat" "

[26] C:\Windows\system32\chcp.com (PID 2460)
  chcp 65001

[26] C:\Windows\system32\PING.EXE (PID 2376)
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[26] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2000)
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[27] C:\Windows\system32\schtasks.exe (PID 1004)
  "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[27] C:\Windows\system32\cmd.exe (PID 2372)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\UWazPnwgJVh4.bat" "

[28] C:\Windows\system32\chcp.com (PID 2660)
  chcp 65001

[28] C:\Windows\system32\PING.EXE (PID 1516)
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads