Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 06:42
Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win7-20240903-en
General
Target: Client-built.exe
Size: 3.1MB
MD5: f9fd797dbef56a3900d2fe9d0a6e2e86
SHA1: c5d002cc63bd21fa35fdad428ca4c909f34c4309
SHA256: b2de1e13497b1864e100fea605fa1136adc6f782b1dea5f6fe5f11656b098c0e
SHA512: c4d170855397e2e62d754883b2caab00d14f58787463924141d2077997ee03b25cd752565354c1c4cbace637cf1c053c45a162d0b61b31caa73f1ec70b998ce1
SSDEEP: 49152:ivkt62XlaSFNWPjljiFa2RoUYIobRJ6MbR3LoGdNwhTHHB72eh2NT:iv462XlaSFNWPjljiFXRoUYIobRJ6WK
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: biseo-48321.portmap.host:48321
Mutex: cb74f432-50f1-4947-8163-7687a0292fb0
Attributes:
  encryption_key: D1BBEF3C04D88FE8F97EE2745041632CE9C760EE
  install_name: Svchost.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Svchost
  subdirectory: Svchost
Signatures

Quasar family

Quasar payload 2 IoCs
resource                                                                    yara_rule
behavioral2/memory/3248-1-0x0000000000290000-0x00000000005B4000-memory.dmp  family_quasar
behavioral2/files/0x0007000000023cd5-6.dat                                  family_quasar

Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                  Process
Key value queried  \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation  Svchost.exe (15 queries)

Executes dropped EXE 15 IoCs
pid   Process
2776  Svchost.exe
4448  Svchost.exe
1364  Svchost.exe
3876  Svchost.exe
3008  Svchost.exe
456   Svchost.exe
2640  Svchost.exe
4920  Svchost.exe
4168  Svchost.exe
4224  Svchost.exe
100   Svchost.exe
2412  Svchost.exe
2088  Svchost.exe
3876  Svchost.exe
2096  Svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
2756  PING.EXE
4196  PING.EXE
1840  PING.EXE
3216  PING.EXE
2928  PING.EXE
4468  PING.EXE
4900  PING.EXE
4612  PING.EXE
3824  PING.EXE
2268  PING.EXE
4200  PING.EXE
4176  PING.EXE
3276  PING.EXE
4712  PING.EXE
844   PING.EXE

Runs ping.exe 1 TTPs 15 IoCs
pid   Process
4612  PING.EXE
3216  PING.EXE
4176  PING.EXE
2756  PING.EXE
844   PING.EXE
4196  PING.EXE
4900  PING.EXE
2928  PING.EXE
2268  PING.EXE
1840  PING.EXE
3276  PING.EXE
4712  PING.EXE
4200  PING.EXE
4468  PING.EXE
3824  PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
3876  schtasks.exe
4980  schtasks.exe
4348  schtasks.exe
1384  schtasks.exe
4564  schtasks.exe
1664  schtasks.exe
3216  schtasks.exe
960   schtasks.exe
2688  schtasks.exe
2776  schtasks.exe
1816  schtasks.exe
4940  schtasks.exe
4120  schtasks.exe
1104  schtasks.exe
5116  schtasks.exe
3716  schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs
description              pid   Process
Token: SeDebugPrivilege  3248  Client-built.exe
Token: SeDebugPrivilege  2776  Svchost.exe
Token: SeDebugPrivilege  4448  Svchost.exe
Token: SeDebugPrivilege  1364  Svchost.exe
Token: SeDebugPrivilege  3876  Svchost.exe
Token: SeDebugPrivilege  3008  Svchost.exe
Token: SeDebugPrivilege  456   Svchost.exe
Token: SeDebugPrivilege  2640  Svchost.exe
Token: SeDebugPrivilege  4920  Svchost.exe
Token: SeDebugPrivilege  4168  Svchost.exe
Token: SeDebugPrivilege  4224  Svchost.exe
Token: SeDebugPrivilege  100   Svchost.exe
Token: SeDebugPrivilege  2412  Svchost.exe
Token: SeDebugPrivilege  2088  Svchost.exe
Token: SeDebugPrivilege  3876  Svchost.exe
Token: SeDebugPrivilege  2096  Svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
4168  Svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process           procid_target
PID 3248 wrote to memory of 3876  3248  Client-built.exe  85
PID 3248 wrote to memory of 2776  3248  Client-built.exe  87
PID 2776 wrote to memory of 1816  2776  Svchost.exe       88
PID 2776 wrote to memory of 4260  2776  Svchost.exe       90
PID 4260 wrote to memory of 3596  4260  cmd.exe           92
PID 4260 wrote to memory of 844   4260  cmd.exe           93
PID 4260 wrote to memory of 4448  4260  cmd.exe           101
PID 4448 wrote to memory of 4980  4448  Svchost.exe       102
PID 4448 wrote to memory of 4972  4448  Svchost.exe       104
PID 4972 wrote to memory of 540   4972  cmd.exe           107
PID 4972 wrote to memory of 4612  4972  cmd.exe           108
PID 4972 wrote to memory of 1364  4972  cmd.exe           116
PID 1364 wrote to memory of 3216  1364  Svchost.exe       117
PID 1364 wrote to memory of 400   1364  Svchost.exe       120
PID 400 wrote to memory of 3472   400   cmd.exe           122
PID 400 wrote to memory of 4712   400   cmd.exe           123
PID 400 wrote to memory of 3876   400   cmd.exe           128
PID 3876 wrote to memory of 4348  3876  Svchost.exe       129
PID 3876 wrote to memory of 4344  3876  Svchost.exe       132
PID 4344 wrote to memory of 4072  4344  cmd.exe           134
PID 4344 wrote to memory of 3824  4344  cmd.exe           135
PID 4344 wrote to memory of 3008  4344  cmd.exe           137
PID 3008 wrote to memory of 4940  3008  Svchost.exe       138
PID 3008 wrote to memory of 1704  3008  Svchost.exe       141
PID 1704 wrote to memory of 3872  1704  cmd.exe           143
PID 1704 wrote to memory of 2268  1704  cmd.exe           144
PID 1704 wrote to memory of 456   1704  cmd.exe           145
PID 456 wrote to memory of 4120   456   Svchost.exe       146
PID 456 wrote to memory of 2992   456   Svchost.exe       148
PID 2992 wrote to memory of 1588  2992  cmd.exe           151
PID 2992 wrote to memory of 1840  2992  cmd.exe           152
PID 2992 wrote to memory of 2640  2992  cmd.exe           153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"  PID:3248
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f  PID:3876
      - Scheduled Task/Job: Scheduled Task
  C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe  "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"  PID:2776
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f  PID:1816
        - Scheduled Task/Job: Scheduled Task
    C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T9O7IIw6BUIn.bat" "  PID:4260
        - Suspicious use of WriteProcessMemory
      C:\Windows\system32\chcp.com  chcp 65001  PID:3596
      C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:844
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
      C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe  "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"  PID:4448
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f  PID:4980
            - Scheduled Task/Job: Scheduled Task
        C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKmGjHW35xWg.bat" "  PID:4972
            - Suspicious use of WriteProcessMemory
          C:\Windows\system32\chcp.com  chcp 65001  PID:540
          C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:4612
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
          C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe  "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"  PID:1364
              - Checks computer location settings
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f  PID:3216
                - Scheduled Task/Job: Scheduled Task
            C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TZy2KBAVPcy2.bat" "  PID:400
                - Suspicious use of WriteProcessMemory
              C:\Windows\system32\chcp.com  chcp 65001  PID:3472
              C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:4712
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe
              C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe  "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"  PID:3876
                  - Checks computer location settings
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f  PID:4348
                    - Scheduled Task/Job: Scheduled Task
                C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOc0Ou0KclEN.bat" "  PID:4344
                    - Suspicious use of WriteProcessMemory
                  C:\Windows\system32\chcp.com  chcp 65001  PID:4072
                  C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:3824
                      - System Network Configuration Discovery: Internet Connection Discovery
                      - Runs ping.exe
                  C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe  "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"  PID:3008
                      - Checks computer location settings
                      - Executes dropped EXE
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                    C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f  PID:4940
                        - Scheduled Task/Job: Scheduled Task
                    C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQkVdwEt6oxS.bat" "  PID:1704
                        - Suspicious use of WriteProcessMemory
                      C:\Windows\system32\chcp.com  chcp 65001  PID:3872
                      C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:2268
                          - System Network Configuration Discovery: Internet Connection Discovery
                          - Runs ping.exe
                      C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe  "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"  PID:456
                          - Checks computer location settings
                          - Executes dropped EXE
                          - Suspicious use of AdjustPrivilegeToken
                          - Suspicious use of WriteProcessMemory
                        C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f  PID:4120
                            - Scheduled Task/Job: Scheduled Task
                        C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5t7BQDFzZ1ZM.bat" "  PID:2992
                            - Suspicious use of WriteProcessMemory
                          C:\Windows\system32\chcp.com  chcp 65001  PID:1588
                          C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:1840
                              - System Network Configuration Discovery: Internet Connection Discovery
                              - Runs ping.exe
                          C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe  "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"  PID:2640
                              - Checks computer location settings
                              - Executes dropped EXE
                              - Suspicious use of AdjustPrivilegeToken
                            C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f  PID:960
                                - Scheduled Task/Job: Scheduled Task
                            C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yFLOXRAzvYDy.bat" "  PID:2404
                              C:\Windows\system32\chcp.com  chcp 65001  PID:4484
                              C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:3216
                                  - System Network Configuration Discovery: Internet Connection Discovery
                                  - Runs ping.exe
                              C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe  "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"  PID:4920
                                  - Checks computer location settings
                                  - Executes dropped EXE
                                  - Suspicious use of AdjustPrivilegeToken
                                C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f  PID:2688
                                    - Scheduled Task/Job: Scheduled Task
                                C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wW75gsVOCF1a.bat" "  PID:4944
                                  C:\Windows\system32\chcp.com  chcp 65001  PID:2068
                                  C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:2928
                                      - System Network Configuration Discovery: Internet Connection Discovery
                                      - Runs ping.exe
                                  C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe  "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"  PID:4168
                                      - Checks computer location settings
                                      - Executes dropped EXE
                                      - Suspicious use of AdjustPrivilegeToken
                                      - Suspicious use of SetWindowsHookEx
                                    C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f  PID:1384
                                        - Scheduled Task/Job: Scheduled Task
                                    C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9jvcv8NA4f28.bat" "  PID:1540
                                      C:\Windows\system32\chcp.com  chcp 65001  PID:2476
                                      C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:4196
                                          - System Network Configuration Discovery: Internet Connection Discovery
                                          - Runs ping.exe
                                      C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe  "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"  PID:4224
                                          - Checks computer location settings
                                          - Executes dropped EXE
                                          - Suspicious use of AdjustPrivilegeToken
                                        C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f  PID:4564
                                            - Scheduled Task/Job: Scheduled Task
                                        C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QG7ZRpe6QCfb.bat" "  PID:4260
                                          C:\Windows\system32\chcp.com  chcp 65001  PID:2740
                                          C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:4200
                                              - System Network Configuration Discovery: Internet Connection Discovery
                                              - Runs ping.exe
                                          C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe  "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"  PID:100
                                              - Checks computer location settings
                                              - Executes dropped EXE
                                              - Suspicious use of AdjustPrivilegeToken
                                            C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f  PID:1104
                                                - Scheduled Task/Job: Scheduled Task
                                            C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCoiOjrmU5NQ.bat" "  PID:4584
                                              C:\Windows\system32\chcp.com  chcp 65001  PID:4284
                                              C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:4176
                                                  - System Network Configuration Discovery: Internet Connection Discovery
                                                  - Runs ping.exe
                                              C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe  "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"  PID:2412
                                                  - Checks computer location settings
                                                  - Executes dropped EXE
                                                  - Suspicious use of AdjustPrivilegeToken
                                                C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f  PID:5116
                                                    - Scheduled Task/Job: Scheduled Task
                                                C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9WX6Uk7DBHPO.bat" "  PID:3900
                                                  C:\Windows\system32\chcp.com  chcp 65001  PID:4312
                                                  C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:4468
                                                      - System Network Configuration Discovery: Internet Connection Discovery
                                                      - Runs ping.exe
                                                  C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe  "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"  PID:2088
                                                      - Checks computer location settings
                                                      - Executes dropped EXE
                                                      - Suspicious use of AdjustPrivilegeToken
                                                    C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f  PID:3716
                                                        - Scheduled Task/Job: Scheduled Task
                                                    C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igUiU7VaZ8S1.bat" "  PID:5112
                                                      C:\Windows\system32\chcp.com  chcp 65001  PID:3460
                                                      C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:4900
                                                          - System Network Configuration Discovery: Internet Connection Discovery
                                                          - Runs ping.exe
                                                      C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe  "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"  PID:3876
                                                          - Checks computer location settings
                                                          - Executes dropped EXE
                                                          - Suspicious use of AdjustPrivilegeToken
                                                        C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f  PID:2776
                                                            - Scheduled Task/Job: Scheduled Task
                                                        C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3TYqIVFofDWZ.bat" "  PID:4724
                                                          C:\Windows\system32\chcp.com  chcp 65001  PID:4996
                                                          C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:3276
                                                              - System Network Configuration Discovery: Internet Connection Discovery
                                                              - Runs ping.exe
                                                          C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe  "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"  PID:2096
                                                              - Checks computer location settings
                                                              - Executes dropped EXE
                                                              - Suspicious use of AdjustPrivilegeToken
                                                            C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f  PID:1664
                                                                - Scheduled Task/Job: Scheduled Task
                                                            C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xrGXpmKn80ZW.bat" "  PID:5016
                                                              C:\Windows\system32\chcp.com  chcp 65001  PID:1548
                                                              C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:2756
                                                                  - System Network Configuration Discovery: Internet Connection Discovery
                                                                  - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads