Analysis
max time kernel: 143s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 06:42

Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win7-20240903-en

General
Target: Client-built.exe
Size: 3.1MB
MD5: f9fd797dbef56a3900d2fe9d0a6e2e86
SHA1: c5d002cc63bd21fa35fdad428ca4c909f34c4309
SHA256: b2de1e13497b1864e100fea605fa1136adc6f782b1dea5f6fe5f11656b098c0e
SHA512: c4d170855397e2e62d754883b2caab00d14f58787463924141d2077997ee03b25cd752565354c1c4cbace637cf1c053c45a162d0b61b31caa73f1ec70b998ce1
SSDEEP: 49152:ivkt62XlaSFNWPjljiFa2RoUYIobRJ6MbR3LoGdNwhTHHB72eh2NT:iv462XlaSFNWPjljiFXRoUYIobRJ6WK
Malware Config
Extracted: quasar
version: 1.4.1
tag: Office04 (the Quasar builder's default tag)
c2: biseo-48321.portmap.host:48321
mutex: cb74f432-50f1-4947-8163-7687a0292fb0
encryption_key: D1BBEF3C04D88FE8F97EE2745041632CE9C760EE
install_name: Svchost.exe
log_directory: Logs (keylogger output folder)
reconnect_delay: 3000 (ms between C2 reconnect attempts)
startup_key: Svchost
subdirectory: Svchost

Reading the config against the process tree: subdirectory and install_name give the install path that is actually executed (%APPDATA%\Svchost\Svchost.exe), and startup_key is the name of the logon task (schtasks /tn "Svchost"). The C2 is a portmap.host tunnel endpoint, so the operator's own address is not in the sample; hunt on the hostname and port rather than on a one-off DNS resolution.
Signatures
Quasar family

Quasar payload (7 IoCs)
resource                                                                      yara_rule
behavioral1/memory/1940-1-0x0000000000A20000-0x0000000000D44000-memory.dmp    family_quasar
behavioral1/files/0x0008000000015f81-6.dat                                    family_quasar
behavioral1/memory/2688-8-0x00000000013B0000-0x00000000016D4000-memory.dmp    family_quasar
behavioral1/memory/2676-84-0x00000000001C0000-0x00000000004E4000-memory.dmp   family_quasar
behavioral1/memory/1988-95-0x00000000003F0000-0x0000000000714000-memory.dmp   family_quasar
behavioral1/memory/2212-106-0x0000000000FC0000-0x00000000012E4000-memory.dmp  family_quasar
behavioral1/memory/2496-158-0x00000000001D0000-0x00000000004F4000-memory.dmp  family_quasar

Executes dropped EXE (15 IoCs)
Svchost.exe, PIDs 2688, 1300, 2012, 1744, 916, 2032, 700, 2676, 1988, 2212, 2340, 1628, 2516, 1632, 2496

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
PING.EXE, PIDs 2740, 2712, 2176, 2952, 444, 3008, 2792, 316, 2444, 3040, 444, 1332, 2552, 2344, 276 (444 is listed twice: the PID was reused in two generations of the tree)

Runs ping.exe (1 TTP, 15 IoCs)
The same 15 PING.EXE PIDs as above.

Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe, PIDs 2192, 1288, 1576, 2756, 2712, 1000, 2316, 2860, 1972, 848, 2520, 2264, 2920, 2264, 2780, 2816 (2264 is listed twice: PID reuse)

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Token: SeDebugPrivilege, enabled by 1940 Client-built.exe and by Svchost.exe PIDs 2688, 1300, 2012, 1744, 916, 2032, 700, 2676, 1988, 2212, 2340, 1628, 2516, 1632, 2496

Suspicious use of WriteProcessMemory (64 IoCs)
Each spawned child is recorded as three writes by its parent; the list is cut off at 64 entries, which is why later generations of the tree are absent. Format: pid Process -> child pid (procid_target) x count
1940 Client-built.exe -> 2756 (30) x3
1940 Client-built.exe -> 2688 (32) x3
2688 Svchost.exe -> 2712 (33) x3
2688 Svchost.exe -> 2644 (35) x3
2644 cmd.exe -> 2548 (37) x3
2644 cmd.exe -> 3040 (38) x3
2644 cmd.exe -> 1300 (39) x3
1300 Svchost.exe -> 2920 (40) x3
1300 Svchost.exe -> 2096 (42) x3
2096 cmd.exe -> 2504 (44) x3
2096 cmd.exe -> 444 (45) x3
2096 cmd.exe -> 2012 (46) x3
2012 Svchost.exe -> 1000 (47) x3
2012 Svchost.exe -> 2876 (49) x3
2876 cmd.exe -> 1544 (51) x3
2876 cmd.exe -> 1332 (52) x3
2876 cmd.exe -> 1744 (53) x3
1744 Svchost.exe -> 2316 (54) x3
1744 Svchost.exe -> 1928 (56) x3
1928 cmd.exe -> 2164 (58) x3
1928 cmd.exe -> 2176 (59) x3
1928 cmd.exe -> 916 (60) x1

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The tree is 32 levels deep but repeats a single cycle: every Svchost.exe instance (re)creates the logon task, then runs a randomly named .bat from %TEMP% whose visible children are chcp 65001, ping -n 10 localhost (about nine seconds of sleep) and a fresh Svchost.exe, which starts the cycle again. Fifteen cycles at roughly nine seconds each account for the 143 s run. The same schtasks /create command is issued 16 times; /f overwrites the existing "Svchost" task each time so the repeats do not fail, and /rl HIGHEST asks for the highest privilege level available to the account. The file name imitates the system svchost.exe, which only ever runs from C:\Windows\System32 (or SysWOW64), never from a user profile. Generations 0 and 1 are shown in full with the recorded command lines; the rest are tabulated below.

depth 1  C:\Users\Admin\AppData\Local\Temp\Client-built.exe  PID 1940
         "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
         Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
depth 2  C:\Windows\system32\schtasks.exe  PID 2756
         "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
         Scheduled Task/Job: Scheduled Task
depth 2  C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe  PID 2688
         "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
         Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
depth 3  C:\Windows\system32\schtasks.exe  PID 2712
         "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
         Scheduled Task/Job: Scheduled Task
depth 3  C:\Windows\system32\cmd.exe  PID 2644
         cmd /c ""C:\Users\Admin\AppData\Local\Temp\yvlVQtywyewh.bat" "
         Suspicious use of WriteProcessMemory
depth 4  C:\Windows\system32\chcp.com  PID 2548
         chcp 65001
depth 4  C:\Windows\system32\PING.EXE  PID 3040
         ping -n 10 localhost
         System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
depth 4  C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe  PID 1300
         "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
         Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

Later generations. Each row is one Svchost.exe instance at the given depth; its schtasks.exe and cmd.exe children sit one level deeper, and the chcp.com, PING.EXE and next Svchost.exe grandchildren two levels deeper. Command lines are identical to generation 1 apart from the batch file name (all batch files are in C:\Users\Admin\AppData\Local\Temp).

depth  Svchost.exe  schtasks.exe  cmd.exe  batch file          chcp.com  PING.EXE  next Svchost.exe
2      2688         2712          2644     yvlVQtywyewh.bat    2548      3040      1300
4      1300         2920          2096     SAqM80CKOG8z.bat    2504      444       2012
6      2012         1000          2876     94gmk31abyvl.bat    1544      1332      1744
8      1744         2316          1928     fR28sFIa9Ivi.bat    2164      2176      916
10     916          848           2028     18vS19REMiG4.bat    1552      3008      2032
12     2032         1972          2964     vicDVc5nnT9I.bat    1644      2952      700
14     700          2264          1576     GLfRcKs7AHsQ.bat    572       2792      2676
16     2676         2780          2068     bBIE0euaCZ8F.bat    2544      2552      1988
18     1988         2860          1348     PvI4wlCw9iUY.bat    1720      444       2212
20     2212         2520          812      DFNHcqGNEwuJ.bat    2768      2740      2340
22     2340         2192          1092     WR3CPck6nzKw.bat    1928      2344      1628
24     1628         1288          1324     KC7xdkYNonb4.bat    2372      276       2516
26     2516         2816          1152     eWnIMzEYLYmt.bat    3036      316       1632
28     1632         2264          1600     hQ32S5ZCF81e.bat    2656      2444      2496
30     2496         1576          2348     wyYe0lqpwxk5.bat    2728      2712      (none; run ended)

Signature tags on the repeated nodes: every Svchost.exe carries Executes dropped EXE and Suspicious use of AdjustPrivilegeToken, and 2688, 1300, 2012 and 1744 additionally Suspicious use of WriteProcessMemory; cmd.exe 2644, 2096, 2876 and 1928 carry Suspicious use of WriteProcessMemory while the later cmd.exe instances carry no tag (the 64-entry WriteProcessMemory list ends with 1928); every schtasks.exe carries Scheduled Task/Job: Scheduled Task; every PING.EXE carries System Network Configuration Discovery: Internet Connection Discovery and Runs ping.exe; chcp.com carries none.
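The behaviours above can be checked mechanically rather than by reading the tree: the config fields that name the install directory and task, the repeated schtasks /create persistence, the %TEMP% batch that sleeps on ping before relaunching the client, and the "wrote to memory of" list. The Python below is an added example written for this page, not Triage's or Quasar's code. It parses an excerpt of the report's WriteProcessMemory list into parent/child edges, derives the artefacts the extracted config predicts, and flags the schtasks persistence, the svchost.exe masquerade and the ping-sleep relaunch batch. The process records and config values are copied from the report; the only assumption is the %APPDATA% root C:\Users\Admin\AppData\Roaming, taken from the paths in the tree.

```python
"""Triage helpers for the report above: rebuild parent/child edges from the
"wrote to memory of" list, derive the artefacts the extracted config predicts,
and flag the behaviours the process tree shows.  Added example for this page;
the excerpts below are copied from the report, nothing here is Quasar's code."""
import re

# Excerpt of the "Suspicious use of WriteProcessMemory" list (generations 0-1).
# The sandbox records three writes per CreateProcess, hence the repeats for 2756.
WPM_EXCERPT = """
PID 1940 wrote to memory of 2756 1940 Client-built.exe 30
PID 1940 wrote to memory of 2756 1940 Client-built.exe 30
PID 1940 wrote to memory of 2756 1940 Client-built.exe 30
PID 1940 wrote to memory of 2688 1940 Client-built.exe 32
PID 2688 wrote to memory of 2712 2688 Svchost.exe 33
PID 2688 wrote to memory of 2644 2688 Svchost.exe 35
PID 2644 wrote to memory of 2548 2644 cmd.exe 37
PID 2644 wrote to memory of 3040 2644 cmd.exe 38
PID 2644 wrote to memory of 1300 2644 cmd.exe 39
"""

# Command lines of those PIDs, copied from the Processes section.
SCHTASKS = (r'"schtasks" /create /tn "Svchost" /sc ONLOGON '
            r'/tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f')
CMDLINES = {
    1940: r'"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"',
    2756: SCHTASKS,
    2688: r'"C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"',
    2712: SCHTASKS,
    2644: r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\yvlVQtywyewh.bat" "',
    2548: "chcp 65001",
    3040: "ping -n 10 localhost",
    1300: r'"C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"',
}

# Config fields from the report that drive persistence.
CONFIG = {"install_name": "Svchost.exe", "subdirectory": "Svchost",
          "startup_key": "Svchost", "c2": "biseo-48321.portmap.host:48321"}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")

def parse_wpm(text):
    """{child_pid: (parent_pid, parent_image)}, one entry per spawned child."""
    return {int(c): (int(p), img) for p, c, img in WPM_RE.findall(text)}

def expected_artifacts(cfg, appdata=r"C:\Users\Admin\AppData\Roaming"):
    """Install path, task name and C2 the config predicts (appdata root is assumed)."""
    return {"install_path": f"{appdata}\\{cfg['subdirectory']}\\{cfg['install_name']}",
            "task_name": cfg["startup_key"], "c2": cfg["c2"]}

def flag_schtasks(cmdline):
    """Reasons a schtasks /create command looks like user-land persistence."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return []
    reasons = []
    if "/rl highest" in low:
        reasons.append("asks for highest available privileges")
    if "/sc onlogon" in low:
        reasons.append("fires at every logon")
    m = re.search(r'/tr\s+"([^"]+)"', cmdline, re.I)
    if m and "\\appdata\\" in m.group(1).lower():
        reasons.append("task action lives in a user profile: " + m.group(1))
    return reasons

def flag_masquerade(cmdline):
    """True for an svchost.exe image launched outside the Windows system dirs."""
    path = cmdline.split('"')[1] if cmdline.startswith('"') else cmdline.split()[0]
    in_sysdir = path.lower().startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"))
    return path.rsplit("\\", 1)[-1].lower() == "svchost.exe" and not in_sysdir

def flag_restart_batch(pid, edges, cmdlines):
    """Relaunch routine seen in the tree: cmd.exe runs a %TEMP% .bat whose
    children are 'ping -n N localhost' (about N-1 seconds of sleep) and a fresh
    copy of an exe from the profile.  Returns (sleep_seconds, path) or None."""
    low = cmdlines.get(pid, "").lower()
    if ".bat" not in low or "\\appdata\\local\\temp\\" not in low:
        return None
    sleep, target = None, None
    for child, (parent, _) in edges.items():
        if parent != pid:
            continue
        c = cmdlines.get(child, "")
        m = re.match(r"ping -n (\d+) localhost", c, re.I)
        if m:
            sleep = int(m.group(1)) - 1
        elif c.lower().endswith('.exe"') and "\\appdata\\" in c.lower():
            target = c.strip('"')
    return (sleep, target) if sleep is not None and target else None

def triage(wpm_text=WPM_EXCERPT, cmdlines=CMDLINES, cfg=CONFIG):
    """Run every check; returns a list of (pid, finding) tuples."""
    edges, art, findings = parse_wpm(wpm_text), expected_artifacts(cfg), []
    for pid, cmd in cmdlines.items():
        findings += [(pid, "schtasks persistence: " + r) for r in flag_schtasks(cmd)]
        if flag_masquerade(cmd):
            findings.append((pid, "svchost.exe masquerade outside System32"))
        hit = flag_restart_batch(pid, edges, cmdlines)
        if hit:
            findings.append((pid, f"restart batch: ~{hit[0]}s ping sleep, then {hit[1]}"))
        if art["install_path"].lower() in cmd.lower():
            findings.append((pid, "references config-predicted install path"))
    return findings

if __name__ == "__main__":
    for pid, finding in triage():
        print(pid, finding)
```

Running it prints thirteen findings for the eight processes of generations 0 and 1. Feeding it the full 64-entry list and the remaining command lines from the table extends the same checks to every generation; the one edge the excerpt cannot show is PID reuse (444, 2264, 2712 and 1928 each name two different processes in this run), which is why the dictionary is keyed on the child PID per CreateProcess rather than on image name.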
MITRE ATT&CK Enterprise v15
Downloads
Sixteen files were written: fifteen 209-byte files, all distinct by hash (the count matches the fifteen .bat files in the process tree), and one 3.1MB file whose MD5, SHA1, SHA256 and SHA512 are identical to the submitted sample, so the dropped %APPDATA%\Svchost\Svchost.exe is a byte-for-byte copy of Client-built.exe.

1. 209B
   MD5    0359d3a1acba5d122bcf645ed3d7693b
   SHA1   cc398e42f7e1f5aef86ee6020ee6d63aafa2d8bc
   SHA256 bb1fbbf2d12834ab406048d18c2996f8d5d76c51bbbf17143eb66212120216ed
   SHA512 c5ed43befd5486cfd4859440c4840e23f98e17b59915e6a27ca82fa6274a398148539b39324856f214584d344a8a685336c1f7e854fb5220c536dd34ac994ba9
2. 209B
   MD5    3f96aa4ca8332d96637a12af5e0cfc6c
   SHA1   055d5a061707136ef317594c5a9955f1faf20370
   SHA256 d3bf515b71f4e5cf0b4727ff6aae0e5fdb33696ee36e6e9520e08bba7bf8dd26
   SHA512 baac9803bf4e9eaae992956c2a5d14208eb93dd331682ee172a5a745734c3e039a06c3143c53578a9f82327583fc8a6cfd3a0eb3d636c22c924a91b7c5e66c9b
3. 209B
   MD5    9d5bed2b6b6954b1ef31a676777adeb6
   SHA1   0015ba94a7672be2cfdf76db02f7d9192bdb307f
   SHA256 2b1393aebe49ce364fecf1a50cf268a7d633721b598acc8d43a205f9655af521
   SHA512 e7f99523d45c90ec8748b3e869fbd261daddff7f4fe49bd52cbca82f8a82688237deb672161eb2e9b96c769f6c0a0e065cdaea3b4d360a8189cccd289d7337a6
4. 209B
   MD5    a6f7828e9d168abccee95a86eb0b3cfd
   SHA1   1284f7113013d9ca89f60a1231e7c9edbcd4bcbb
   SHA256 f89c0cbfcee1f9decd5041d14ac4172680f850cb2faae07c38fb24e78e20589e
   SHA512 53454e281fc9c3bcf457b90b8baecdecabf90f7927768745b1ca6a414614b56640b86b34a551d337db44128e0f5eef103a54d1616997c95727a0ca252d259fed
5. 209B
   MD5    6e27f6fa0a1f9739c41d8bdc777695a5
   SHA1   6088b9a5c4bf17dd62985144cd82e11c3660c758
   SHA256 35c6b170f19720d833fcca35052cadbeb75bbb0fb273569e4a1dec971fa2b959
   SHA512 8b99ac14b398c6e916ee831358da550964a86bd598184afb9e3a087ef5b56c1d9d01e7b3adfa301107702b3da334e5617b4d17c0e3af45d7b471408aba509eb8
6. 209B
   MD5    62195cd7aa0cc63a8773eddd42a2d8ad
   SHA1   ea5a83a7c9ce25ca461fbf35bffc5a47ba63d078
   SHA256 6f4e63e5637f014e25999559d51f9badbdedd1089d9357b59445e3c05b665fd0
   SHA512 790b9706cbcdce31af6487c7b1dff3ec99edb10a9f48a4966376dc6cfd8e2f7f5c4de230edcb3f7690316df83d807fbc9e746958cecd87565d947b87978a24cc
7. 209B
   MD5    d9f08becb1270409e00376e70f416dc3
   SHA1   cfd43cabe1fdc4a73c6e97cc47b9033289474794
   SHA256 efaa1be87c248d07925145fe310315a752e31bffa0c11ee41512a935d375322e
   SHA512 89def5f71d07ffb68e9fe26646e88faa150329f791c8833b5851aee596dc8ab68704a4f6f9b83f39c7af2fdc405a34dca69dcb1b52555c163eff8234286e064d
8. 209B
   MD5    6cea4a5d452a398232f523a754293822
   SHA1   610c6dcd7a05d0cea31e380cd88a35e230ae529d
   SHA256 3e42476e372cb83b95231ba8fd72075db576fdc55335ab75c47616928f306374
   SHA512 840f5df16dce07122b3c2d66250bc8f17ce4c5be1640721ee24c920c429cb19c68dac83f6e272096bc3c524bee80baf18acddcdbcacbc2415260893f6212d81f
9. 209B
   MD5    f71ebfeef5ecd969ea981e148cf9353c
   SHA1   c4f085098526e701544cf79bc458821a610587ae
   SHA256 6df78bda67d0e12d94e85b4b5c1e1eddf4d8c863f9b45934abb2938bc8b307c2
   SHA512 ae38e2cfca44ece6c4b1cc6cb8ba81727c06cf2dbf69b939f42dddebdd01a165190c374c8227adfbed2d6a3808db396e056c4979bb39904924b4a23e6e87c87e
10. 209B
   MD5    7506fdaac1aab7d38fec6848999dec88
   SHA1   f6172040342bae81279f51db7fdc67aa3265bf97
   SHA256 50b0ad3fdee16f780faeffb83d869a0e6761b35a075632d876f14d04fa9c9f1e
   SHA512 1180c2b4282e9004e733f2e375ba53e18da85faece7b7aa3b31ef7d63672b5cd424d71391d9269ed5594fa6ab17bd418effb90ce5d5a2d960bbbd7e57beb81ea
11. 209B
   MD5    acdd440f9457bb5a8a9c6a8178f3f3ed
   SHA1   06be43f215f02494eb8fd6c481080c6b0306b2d7
   SHA256 d356d8efc434deaa38001d2a0ded9f2d87ccad0c2823c20db489f60985273e4a
   SHA512 0f2a6c840bb0ca6be59e57c5fd4c7d35afb1b348cc0696c2fdf240d59ec30e281fa27389216677cd2ffebd5adece3710c19d75b5ce9bab43a5b32b6cc4b3cc53
12. 209B
   MD5    3556795a2d5e3ec38873b94f252b91aa
   SHA1   f477a4f160aa051dbaa165e0230941186eeaf8f9
   SHA256 8a4076af7de62ccc5f0af2a5b7e864161576bf68313114ef3907c1a575d77684
   SHA512 a1d05b7066be84cb512261cf99343d7584265ccb9c25717fb7591375b89a1cca75045fd61d2d0c3da3cd75b2dbba4c1508e1886cbc48935dc6af84721903274d
13. 209B
   MD5    0b631d4368133aa5ebceb16d08baf530
   SHA1   83f66576b7ff98daa3894806c5aaa3b015ebe9d6
   SHA256 9d159ede175e17b93b201317743a0eaf87b570ccdf86e2271438b29e0d6f4792
   SHA512 58b0452c838c79d1addaa958ea2e069afab040edea2397b7b8ae14178f67706b2905095c9ab57bbb20c423bcf696f6a90d20ef224ced40231db129140ca133bb
14. 209B
   MD5    bf9173ad5f92853730c005b34dd8507d
   SHA1   99b678f0cd21a1066aba4d94b99fc69abdc8edd1
   SHA256 4a4f766c8e67e6df0fefa99e6b6ec165bc658da761ca4c565f072926d06d5cc7
   SHA512 16cf706f390a43ccfa5cb3619f2bfa24e5dfe2f2897326071140ad6d206d87484a43037949ebb6cf092206e387c22c657a8088b41877a77cba25ff19035adff5
15. 209B
   MD5    57866161cf5e0433e8304dc6643ecb56
   SHA1   82a291155b4fe932b78b7eaa1690bbb1c801b252
   SHA256 3e322986ae53db10da6baba2f42c7f4511d324654dbd995c22ecd027267289f0
   SHA512 44cc956129d45e12bd2b4746411e17a3ccefcd0da04e58aa6ca8aeb9ba99ecb23ae439f2749346692337b7556d8970399aa18874827f7ea6c6737dca767b3eae
16. 3.1MB (identical to the submitted sample)
   MD5    f9fd797dbef56a3900d2fe9d0a6e2e86
   SHA1   c5d002cc63bd21fa35fdad428ca4c909f34c4309
   SHA256 b2de1e13497b1864e100fea605fa1136adc6f782b1dea5f6fe5f11656b098c0e
   SHA512 c4d170855397e2e62d754883b2caab00d14f58787463924141d2077997ee03b25cd752565354c1c4cbace637cf1c053c45a162d0b61b31caa73f1ec70b998ce1