Analysis
max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
16-12-2024 12:28
Behavioral task
behavioral1
Sample
2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Resource
win7-20240903-en
General
-
Target
2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
-
Size
3.1MB
-
MD5
4522bc113a6f5b984e9ffac278f9f064
-
SHA1
392ec955d7b5c5da965f7af9f929b89c33409b03
-
SHA256
2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58
-
SHA512
c0980d621a154adb63bdb8a4e7adc863a40d1af8d98d18bd0671fc07721639d66b10d471d4dddc0e78cc127d4c0429f3084618f227919e4a552d6de4ee7793ff
-
SSDEEP
98304:6WV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvg:FTQzo
Malware Config
Extracted
Family
quasar
Version
1.4.1
Botnet
ZJEB
C2
VIPEEK1990-25013.portmap.host:25013
Mutex
ebef1e3c-805b-4b1a-aa24-bf4dcab44476
-
encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Security Service
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 9 IoCs
resource  yara_rule
behavioral1/memory/2068-1-0x00000000008D0000-0x0000000000BF4000-memory.dmp  family_quasar
behavioral1/memory/2888-13-0x0000000001310000-0x0000000001634000-memory.dmp  family_quasar
behavioral1/memory/1388-32-0x00000000001C0000-0x00000000004E4000-memory.dmp  family_quasar
behavioral1/memory/2128-43-0x0000000000380000-0x00000000006A4000-memory.dmp  family_quasar
behavioral1/memory/2084-53-0x0000000000060000-0x0000000000384000-memory.dmp  family_quasar
behavioral1/memory/556-63-0x0000000000DE0000-0x0000000001104000-memory.dmp  family_quasar
behavioral1/memory/2612-83-0x0000000001360000-0x0000000001684000-memory.dmp  family_quasar
behavioral1/memory/1556-102-0x00000000003B0000-0x00000000006D4000-memory.dmp  family_quasar
behavioral1/memory/1428-112-0x00000000013B0000-0x00000000016D4000-memory.dmp  family_quasar
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid  Process
2180  PING.EXE
2868  PING.EXE
2964  PING.EXE
2348  PING.EXE
2860  PING.EXE
1064  PING.EXE
1512  PING.EXE
1728  PING.EXE
2972  PING.EXE
1684  PING.EXE
1352  PING.EXE
2780  PING.EXE
1644  PING.EXE
1172  PING.EXE
2212  PING.EXE
-
Runs ping.exe 1 TTPs 15 IoCs
pid  Process
2180  PING.EXE
2964  PING.EXE
1064  PING.EXE
2868  PING.EXE
1728  PING.EXE
1352  PING.EXE
2860  PING.EXE
1172  PING.EXE
1512  PING.EXE
1684  PING.EXE
2348  PING.EXE
2780  PING.EXE
1644  PING.EXE
2212  PING.EXE
2972  PING.EXE
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
924  schtasks.exe
2284  schtasks.exe
2580  schtasks.exe
1672  schtasks.exe
1968  schtasks.exe
1900  schtasks.exe
680  schtasks.exe
1768  schtasks.exe
1920  schtasks.exe
2184  schtasks.exe
2828  schtasks.exe
1284  schtasks.exe
2836  schtasks.exe
1704  schtasks.exe
2424  schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
description  pid  Process
Token: SeDebugPrivilege  2068  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege  2888  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege  2108  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege  1388  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege  2128  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege  2084  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege  556  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege  2516  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege  2612  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege  2488  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege  1556  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege  1428  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege  564  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege  1572  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege  2272  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 2068 wrote to memory of 680  2068  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  31
PID 2068 wrote to memory of 680  2068  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  31
PID 2068 wrote to memory of 680  2068  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  31
PID 2068 wrote to memory of 2320  2068  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  33
PID 2068 wrote to memory of 2320  2068  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  33
PID 2068 wrote to memory of 2320  2068  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  33
PID 2320 wrote to memory of 2728  2320  cmd.exe  35
PID 2320 wrote to memory of 2728  2320  cmd.exe  35
PID 2320 wrote to memory of 2728  2320  cmd.exe  35
PID 2320 wrote to memory of 2780  2320  cmd.exe  36
PID 2320 wrote to memory of 2780  2320  cmd.exe  36
PID 2320 wrote to memory of 2780  2320  cmd.exe  36
PID 2320 wrote to memory of 2888  2320  cmd.exe  37
PID 2320 wrote to memory of 2888  2320  cmd.exe  37
PID 2320 wrote to memory of 2888  2320  cmd.exe  37
PID 2888 wrote to memory of 2836  2888  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  38
PID 2888 wrote to memory of 2836  2888  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  38
PID 2888 wrote to memory of 2836  2888  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  38
PID 2888 wrote to memory of 2596  2888  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  40
PID 2888 wrote to memory of 2596  2888  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  40
PID 2888 wrote to memory of 2596  2888  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  40
PID 2596 wrote to memory of 1860  2596  cmd.exe  42
PID 2596 wrote to memory of 1860  2596  cmd.exe  42
PID 2596 wrote to memory of 1860  2596  cmd.exe  42
PID 2596 wrote to memory of 1644  2596  cmd.exe  43
PID 2596 wrote to memory of 1644  2596  cmd.exe  43
PID 2596 wrote to memory of 1644  2596  cmd.exe  43
PID 2596 wrote to memory of 2108  2596  cmd.exe  44
PID 2596 wrote to memory of 2108  2596  cmd.exe  44
PID 2596 wrote to memory of 2108  2596  cmd.exe  44
PID 2108 wrote to memory of 1768  2108  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  45
PID 2108 wrote to memory of 1768  2108  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  45
PID 2108 wrote to memory of 1768  2108  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  45
PID 2108 wrote to memory of 2016  2108  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  47
PID 2108 wrote to memory of 2016  2108  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  47
PID 2108 wrote to memory of 2016  2108  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  47
PID 2016 wrote to memory of 1912  2016  cmd.exe  49
PID 2016 wrote to memory of 1912  2016  cmd.exe  49
PID 2016 wrote to memory of 1912  2016  cmd.exe  49
PID 2016 wrote to memory of 2860  2016  cmd.exe  50
PID 2016 wrote to memory of 2860  2016  cmd.exe  50
PID 2016 wrote to memory of 2860  2016  cmd.exe  50
PID 2016 wrote to memory of 1388  2016  cmd.exe  51
PID 2016 wrote to memory of 1388  2016  cmd.exe  51
PID 2016 wrote to memory of 1388  2016  cmd.exe  51
PID 1388 wrote to memory of 1920  1388  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  52
PID 1388 wrote to memory of 1920  1388  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  52
PID 1388 wrote to memory of 1920  1388  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  52
PID 1388 wrote to memory of 2276  1388  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  54
PID 1388 wrote to memory of 2276  1388  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  54
PID 1388 wrote to memory of 2276  1388  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  54
PID 2276 wrote to memory of 2988  2276  cmd.exe  56
PID 2276 wrote to memory of 2988  2276  cmd.exe  56
PID 2276 wrote to memory of 2988  2276  cmd.exe  56
PID 2276 wrote to memory of 2180  2276  cmd.exe  57
PID 2276 wrote to memory of 2180  2276  cmd.exe  57
PID 2276 wrote to memory of 2180  2276  cmd.exe  57
PID 2276 wrote to memory of 2128  2276  cmd.exe  58
PID 2276 wrote to memory of 2128  2276  cmd.exe  58
PID 2276 wrote to memory of 2128  2276  cmd.exe  58
PID 2128 wrote to memory of 2184  2128  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  59
PID 2128 wrote to memory of 2184  2128  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  59
PID 2128 wrote to memory of 2184  2128  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  59
PID 2128 wrote to memory of 2972  2128  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  61
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(the number in brackets is the depth of the process in the process tree; each entry lists image path, command line, PID and matched signatures)

[1] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    PID:2068
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID:680
    - Scheduled Task/Job: Scheduled Task

[2] C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\OarQ3kjN2dFT.bat" "
    PID:2320
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\system32\chcp.com
    chcp 65001
    PID:2728

[3] C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    PID:2780
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[3] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    PID:2888
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID:2836
    - Scheduled Task/Job: Scheduled Task

[4] C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\QArAkkk1ROCX.bat" "
    PID:2596
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\system32\chcp.com
    chcp 65001
    PID:1860

[5] C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    PID:1644
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[5] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    PID:2108
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID:1768
    - Scheduled Task/Job: Scheduled Task

[6] C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\vLK05eDdIOlz.bat" "
    PID:2016
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\system32\chcp.com
    chcp 65001
    PID:1912

[7] C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    PID:2860
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[7] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    PID:1388
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[8] C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID:1920
    - Scheduled Task/Job: Scheduled Task

[8] C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Sceun0RNZNlb.bat" "
    PID:2276
    - Suspicious use of WriteProcessMemory

[9] C:\Windows\system32\chcp.com
    chcp 65001
    PID:2988

[9] C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    PID:2180
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[9] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    PID:2128
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[10] C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID:2184
    - Scheduled Task/Job: Scheduled Task

[10] C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\QvqJCihpiK4O.bat" "
    PID:2972

[11] C:\Windows\system32\chcp.com
    chcp 65001
    PID:668

[11] C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    PID:1172
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[11] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    PID:2084
    - Suspicious use of AdjustPrivilegeToken

[12] C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID:2828
    - Scheduled Task/Job: Scheduled Task

[12] C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\dbaItLudBSud.bat" "
    PID:768

[13] C:\Windows\system32\chcp.com
    chcp 65001
    PID:572

[13] C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    PID:1064
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[13] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    PID:556
    - Suspicious use of AdjustPrivilegeToken

[14] C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID:924
    - Scheduled Task/Job: Scheduled Task

[14] C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\AMT9xecWUWQO.bat" "
    PID:1040

[15] C:\Windows\system32\chcp.com
    chcp 65001
    PID:1508

[15] C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    PID:1512
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[15] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    PID:2516
    - Suspicious use of AdjustPrivilegeToken

[16] C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID:2284
    - Scheduled Task/Job: Scheduled Task

[16] C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\IxbKbi8DEgDe.bat" "
    PID:1928

[17] C:\Windows\system32\chcp.com
    chcp 65001
    PID:2748

[17] C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    PID:2868
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[17] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    PID:2612
    - Suspicious use of AdjustPrivilegeToken

[18] C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID:2580
    - Scheduled Task/Job: Scheduled Task

[18] C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\DAOiltv9XEvr.bat" "
    PID:2636

[19] C:\Windows\system32\chcp.com
    chcp 65001
    PID:1480

[19] C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    PID:2212
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[19] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    PID:2488
    - Suspicious use of AdjustPrivilegeToken

[20] C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID:1704
    - Scheduled Task/Job: Scheduled Task

[20] C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\zytOZ4naEbpf.bat" "
    PID:1720

[21] C:\Windows\system32\chcp.com
    chcp 65001
    PID:2860

[21] C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    PID:1728
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[21] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    PID:1556
    - Suspicious use of AdjustPrivilegeToken

[22] C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID:1672
    - Scheduled Task/Job: Scheduled Task

[22] C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\78hYeGYCKuud.bat" "
    PID:2192

[23] C:\Windows\system32\chcp.com
    chcp 65001
    PID:2180

[23] C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    PID:2964
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[23] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    PID:1428
    - Suspicious use of AdjustPrivilegeToken

[24] C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID:1968
    - Scheduled Task/Job: Scheduled Task

[24] C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\uWaakv4QaBVf.bat" "
    PID:1896

[25] C:\Windows\system32\chcp.com
    chcp 65001
    PID:1280

[25] C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    PID:2972
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[25] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    PID:564
    - Suspicious use of AdjustPrivilegeToken

[26] C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID:1900
    - Scheduled Task/Job: Scheduled Task

[26] C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\hirzg7LTYWKq.bat" "
    PID:2840

[27] C:\Windows\system32\chcp.com
    chcp 65001
    PID:768

[27] C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    PID:1684
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[27] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    PID:1572
    - Suspicious use of AdjustPrivilegeToken

[28] C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID:1284
    - Scheduled Task/Job: Scheduled Task

[28] C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\AAvwvtvhp4oh.bat" "
    PID:920

[29] C:\Windows\system32\chcp.com
    chcp 65001
    PID:2672

[29] C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    PID:1352
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[29] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    PID:2272
    - Suspicious use of AdjustPrivilegeToken

[30] C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID:2424
    - Scheduled Task/Job: Scheduled Task

[30] C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\mmMS602jZPR6.bat" "
    PID:2824

[31] C:\Windows\system32\chcp.com
    chcp 65001
    PID:2376

[31] C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    PID:2348
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads