Analysis
max time kernel: 146s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 15:05
Behavioral task: behavioral1
Sample: b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe
Resource: win7-20240903-en
General
Target: b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe
Size: 3.1MB
MD5: f4da021b8bc9d8ef1ff9ce30b0ab3b79
SHA1: 998a833c28617bf3e215fe7a8c3552972da36851
SHA256: b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545
SHA512: 77e30dfa5d917e0a2467217902b4a75e485f7419e31ea8fe09f6e721d5ba138a68cb354204f79a84e5167b771e3dfb86f182eec647b43dce70ee261b6b7f829c
SSDEEP: 98304:ZvlL26AaNeWgPhlmVqkQ7XSKVcRJ6p3I:Nj4SN43I
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet (tag): Nigga
C2: yzs-42879.portmap.host:42879
Mutex: 57d72303-b5e9-46aa-8cc4-9690809c1a9e
encryption_key: F1EBDB1862062F9265C0B5AC4D02C76D026534D0
install_name: RuntimeBroker.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: Temp
Signatures

Quasar family

Quasar payload (2 IoCs)
resource | yara_rule
behavioral2/memory/5088-1-0x0000000000700000-0x0000000000A24000-memory.dmp | family_quasar
behavioral2/files/0x0008000000023cb1-6.dat | family_quasar

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation, by RuntimeBroker.exe (15 identical queries, one from each RuntimeBroker.exe instance in the process tree)

Executes dropped EXE (15 IoCs)
RuntimeBroker.exe PIDs: 3084, 5100, 1436, 736, 1768, 3264, 2684, 2260, 3740, 3908, 1216, 3552, 3468, 3140, 2984

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
PING.EXE PIDs: 2132, 996, 4936, 1048, 2068, 1920, 4316, 4016, 2808, 428, 4952, 4424, 2752, 4132, 4284

Runs ping.exe (1 TTPs, 15 IoCs)
PING.EXE PIDs: 428, 4936, 1048, 4316, 2132, 4284, 4952, 2068, 4424, 2752, 2808, 4016, 996, 1920, 4132

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Token: SeDebugPrivilege
5088 b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe
RuntimeBroker.exe PIDs: 3084, 5100, 1436, 736, 1768, 3264, 2684, 2260, 3740, 3908, 1216, 3552, 3468, 3140, 2984

Suspicious use of WriteProcessMemory (64 IoCs; each write below was logged twice)
pid | Process | wrote to memory of | procid_target
5088 | b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe | 3084 | 83
3084 | RuntimeBroker.exe | 4700 | 84
4700 | cmd.exe | 3948 | 86
4700 | cmd.exe | 4016 | 87
4700 | cmd.exe | 5100 | 95
5100 | RuntimeBroker.exe | 3468 | 99
3468 | cmd.exe | 2936 | 101
3468 | cmd.exe | 2132 | 102
3468 | cmd.exe | 1436 | 108
1436 | RuntimeBroker.exe | 2800 | 110
2800 | cmd.exe | 2176 | 112
2800 | cmd.exe | 4284 | 113
2800 | cmd.exe | 736 | 118
736 | RuntimeBroker.exe | 2028 | 120
2028 | cmd.exe | 392 | 122
2028 | cmd.exe | 428 | 123
2028 | cmd.exe | 1768 | 125
1768 | RuntimeBroker.exe | 2524 | 127
2524 | cmd.exe | 4812 | 129
2524 | cmd.exe | 4952 | 130
2524 | cmd.exe | 3264 | 132
3264 | RuntimeBroker.exe | 3124 | 134
3124 | cmd.exe | 720 | 136
3124 | cmd.exe | 996 | 137
3124 | cmd.exe | 2684 | 139
2684 | RuntimeBroker.exe | 1756 | 141
1756 | cmd.exe | 1128 | 143
1756 | cmd.exe | 4936 | 144
1756 | cmd.exe | 2260 | 146
2260 | RuntimeBroker.exe | 2008 | 148
2008 | cmd.exe | 1976 | 150
2008 | cmd.exe | 1048 | 151
Processes
The number in brackets is the depth in the process tree. The run is one chain repeated fifteen times: each RuntimeBroker.exe instance starts cmd.exe on a fresh randomly named .bat in %LocalAppData%\Temp, which runs chcp 65001, pings localhost ten times (a common batch-file delay of roughly nine seconds) and then starts RuntimeBroker.exe again. The run ends at depth 32 when the sandbox time limit is reached. Note that PIDs are reused within the run (3468 is first a cmd.exe and later a RuntimeBroker.exe, 2524 is two different cmd.exe instances, 2984 is a chcp.com and later a RuntimeBroker.exe), so PID alone does not identify a process here.

[1] PID 5088  C:\Users\Admin\AppData\Local\Temp\b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] PID 3084  C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[3] PID 4700  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1E47ylHnvxGU.bat" "
    - Suspicious use of WriteProcessMemory
[4] PID 3948  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[4] PID 4016  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[4] PID 5100  C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[5] PID 3468  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ky2HRqxHZ60B.bat" "
    - Suspicious use of WriteProcessMemory
[6] PID 2936  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[6] PID 2132  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[6] PID 1436  C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[7] PID 2800  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewLEDAyR5tmF.bat" "
    - Suspicious use of WriteProcessMemory
[8] PID 2176  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[8] PID 4284  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[8] PID 736  C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[9] PID 2028  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aG2hqhxBIXfH.bat" "
    - Suspicious use of WriteProcessMemory
[10] PID 392  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[10] PID 428  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[10] PID 1768  C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[11] PID 2524  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsJSMBS5h8oz.bat" "
    - Suspicious use of WriteProcessMemory
[12] PID 4812  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[12] PID 4952  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[12] PID 3264  C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[13] PID 3124  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lyskz5vqrYOp.bat" "
    - Suspicious use of WriteProcessMemory
[14] PID 720  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[14] PID 996  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[14] PID 2684  C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[15] PID 1756  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H4A2DFPSe0RP.bat" "
    - Suspicious use of WriteProcessMemory
[16] PID 1128  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[16] PID 4936  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[16] PID 2260  C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[17] PID 2008  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pnK2nIE8Gqis.bat" "
    - Suspicious use of WriteProcessMemory
[18] PID 1976  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[18] PID 1048  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[18] PID 3740  C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[19] PID 4264  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j8YQEAvAm1Hf.bat" "
[20] PID 2984  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[20] PID 4424  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[20] PID 3908  C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[21] PID 3824  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4Wn5kRB39C2u.bat" "
[22] PID 3516  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[22] PID 2068  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[22] PID 1216  C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[23] PID 2524  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CscGGZW2gxn1.bat" "
[24] PID 3788  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[24] PID 2752  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[24] PID 3552  C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[25] PID 4776  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAnfNSNflwYt.bat" "
[26] PID 2988  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[26] PID 1920  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[26] PID 3468  C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[27] PID 3232  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a6KSXwVKkZRV.bat" "
[28] PID 2556  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[28] PID 4132  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[28] PID 3140  C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[29] PID 2908  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a7etPDXnjzWc.bat" "
[30] PID 1016  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[30] PID 2808  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[30] PID 2984  C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[31] PID 1416  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R9cH0iSPDBmr.bat" "
[32] PID 4308  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[32] PID 4316  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
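Detection logic for the two behaviours that stand out in the process tree and the extracted config: a RuntimeBroker.exe (the configured install_name) running from a user-writable directory rather than System32, and the cmd.exe → chcp 65001 → ping -n N localhost → RuntimeBroker.exe relaunch chain driven by a .bat in Temp. This is an added example, not code from the sandbox report or from Quasar. The process-creation records are constructed to mirror the first relaunch above (PIDs 5088, 3084, 4700, 3948, 4016, 5100); the record field names are an assumption modelled on Sysmon Event ID 1, not any vendor's exact schema, and the two benign records (the genuine System32 RuntimeBroker.exe and a harmless Temp batch file) are made up as negative cases.

```python
"""Hunting checks for the Quasar relaunch/masquerade pattern in this report.

Added example, not part of the sandbox report or of Quasar. Event records
are constructed below; field names (ProcessId, ParentProcessId, Image,
CommandLine) are an assumption modelled on Sysmon Event ID 1.
"""
import re
from collections import defaultdict

# Indicators copied from the report.
SAMPLE_SHA256 = "b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545"
C2 = "yzs-42879.portmap.host:42879"
INSTALL_NAME = "RuntimeBroker.exe"
# The genuine RuntimeBroker.exe lives in System32; any other location is a masquerade.
LEGIT_RUNTIMEBROKER = r"c:\windows\system32\runtimebroker.exe"

# Matches the `cmd.exe /c ""<path>.bat" "` form seen in the process tree.
BAT_RE = re.compile(r'/c\s+"+([^"]+\.bat)"', re.I)
PING_RE = re.compile(r"ping\s+-n\s+\d+\s+localhost", re.I)


def masquerading_runtimebroker(ev):
    """True when a process named like the install_name runs outside System32."""
    img = ev["Image"].lower()
    return img.endswith("\\" + INSTALL_NAME.lower()) and img != LEGIT_RUNTIMEBROKER


def relaunch_chains(events):
    """Find cmd.exe instances that ran a .bat from a Temp directory and whose
    children include chcp.com, a `ping -n N localhost` delay and a masquerading
    RuntimeBroker.exe. Returns [(cmd_pid, bat_path), ...]."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ParentProcessId"]].append(ev)
    hits = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\cmd.exe"):
            continue
        m = BAT_RE.search(ev["CommandLine"])
        if not m or "\\temp\\" not in m.group(1).lower():
            continue
        kids = children[ev["ProcessId"]]
        if (any(k["Image"].lower().endswith("\\chcp.com") for k in kids)
                and any(PING_RE.search(k["CommandLine"]) for k in kids)
                and any(masquerading_runtimebroker(k) for k in kids)):
            hits.append((ev["ProcessId"], m.group(1)))
    return hits


def matches_dropped_copy(sha256_hex):
    """The 3.1MB dropped file in the report hashes identically to the submitted
    sample, so one SHA256 covers both the dropper and its RuntimeBroker.exe copy."""
    return sha256_hex.lower() == SAMPLE_SHA256


def c2_host_port(c2=C2):
    """Split the extracted C2 string into (host, port) for a network rule."""
    host, _, port = c2.rpartition(":")
    return host, int(port)


# Constructed events mirroring the first relaunch in the report's process tree,
# plus two benign records as negative cases (the real RuntimeBroker.exe and a
# Temp batch file that only pings once).
USER_TMP = r"C:\Users\Admin\AppData\Local\Temp"
DROP = r"C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
EVENTS = [
    {"ProcessId": 5088, "ParentProcessId": 1, "Image": USER_TMP + "\\sample.exe",
     "CommandLine": USER_TMP + "\\sample.exe"},
    {"ProcessId": 3084, "ParentProcessId": 5088, "Image": DROP, "CommandLine": '"%s"' % DROP},
    {"ProcessId": 4700, "ParentProcessId": 3084, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""%s\1E47ylHnvxGU.bat" "' % USER_TMP},
    {"ProcessId": 3948, "ParentProcessId": 4700, "Image": r"C:\Windows\system32\chcp.com",
     "CommandLine": "chcp 65001"},
    {"ProcessId": 4016, "ParentProcessId": 4700, "Image": r"C:\Windows\system32\PING.EXE",
     "CommandLine": "ping -n 10 localhost"},
    {"ProcessId": 5100, "ParentProcessId": 4700, "Image": DROP, "CommandLine": '"%s"' % DROP},
    {"ProcessId": 900, "ParentProcessId": 1, "Image": r"C:\Windows\System32\RuntimeBroker.exe",
     "CommandLine": r"C:\Windows\System32\RuntimeBroker.exe -Embedding"},
    {"ProcessId": 901, "ParentProcessId": 1, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'cmd.exe /c "%s\build.bat"' % USER_TMP},
    {"ProcessId": 902, "ParentProcessId": 901, "Image": r"C:\Windows\system32\PING.EXE",
     "CommandLine": "ping -n 1 localhost"},
]

if __name__ == "__main__":
    print("masquerading RuntimeBroker.exe PIDs:",
          [e["ProcessId"] for e in EVENTS if masquerading_runtimebroker(e)])
    print("relaunch chains:", relaunch_chains(EVENTS))
    print("C2:", c2_host_port())
```

The chain check deliberately requires all three children (chcp.com, the ping delay and the masquerading relaunch) under one cmd.exe, which is what every one of the fifteen iterations above looks like; a batch file that only pings, or a ping from the real RuntimeBroker.exe, does not fire. Because PIDs are reused within a single run, the grouping is by parent PID of events that are already ordered in time; on a real host, key on a process GUID or creation timestamp as well.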
MITRE ATT&CK Enterprise v15
Downloads
Seventeen files: one 2KB file, fifteen 212-byte files (the same count as the fifteen .bat files in the process tree, each with a different hash) and one 3.1MB file whose hashes equal those of the submitted sample.

1. Filesize: 2KB
MD5: 8f0271a63446aef01cf2bfc7b7c7976b
SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

2. Filesize: 212B
MD5: 6b061f2703f43b3710bd037f464fa50d
SHA1: 48c97017d2a1d8b39f4eb3ad446722b562133fd4
SHA256: 8c0c7d95c9e0dc634ee9d12ff8d199bd1603e9e5354f466d1ac633904943d1cd
SHA512: 39ea6a481508d39c8b0d2406877c0a1f8b76a07872347adecc8a37aec5764417b9f52ab2c42160bc7cba524d442724c2d868501ddfa5b32f37a1aeafd6667795

3. Filesize: 212B
MD5: a0839e4c7b7280e96f44b16622766f8f
SHA1: c3c2f620d21a9ffb643fcbad72e26474895ae820
SHA256: e4203c4ed5a4df7158ff9f1c21ee4935972e58aefde1425e124434252f779664
SHA512: aaf364643471369bc880c8e69d2ec82b9a72e80095bfcab628a3611d3682a319bc5fb58378c6929b6c45a5c6b0b28837b7cb98ec924bd8beeb8a40cfdf2d0e12

4. Filesize: 212B
MD5: 3014c68ecd991bdb4d7acf645035bb14
SHA1: aefd690a41b8901b6d38eb51d3aa45e1cc576a2c
SHA256: df3a8829a7cedac445f5e06c665dd7d09b8f67daf521752081d5b3dd72fd225a
SHA512: 649895dcda4a6d7ce8d0079483a671a8479ecc6f4f355dff69d693062e8a431d2dbbd49b36306a8e8a643fb33837d910009f935ff2e08816bfe422bd2e087d02

5. Filesize: 212B
MD5: 49561271ab70291b97d9a5ce24d67db8
SHA1: 7ca9c54c3777e5ef0ded9626291d097acf682241
SHA256: ad085ea2c9c70dc20f075cb61d964b74075c5b9d2c7ebecdcb05fb3c538d5854
SHA512: a88bef9b558ed13cc1fdce39837fbe23489e470d31353767f026daf92f124fcc5c4f9825a68050d234bf51f239d46a802a2266e3e98669fbb8a41a9e31cdf6f9

6. Filesize: 212B
MD5: c252e1a57e60ff4c3d217d562cb0ac75
SHA1: 4f0059662b6fe29cd5926a517aabfb6c47d79434
SHA256: 09d3859bd4ddd8506e07cbef116795b19545d4b00733caee5d52ee829c42695a
SHA512: ed20a1d204cc3e26cf7263378bc99b9be84d1276f6ea895e87835e8f25857750fb2c097e6ab36c3beaac2bcfc1f09c4de3deccb24a529dd5aa21b670f242fda4

7. Filesize: 212B
MD5: 49021ee2c8e0f30142db72ce2b45b857
SHA1: b484eb2d0f45b8f45fb7d09c54c9acc1748f536a
SHA256: f8de053f1ff24af61133202c1664bb907e14cd129c8b37a4d5ee245ab25a7011
SHA512: 41161ea53d5d9143bc2f2a0a87f36749eb34732b2462a7e50dc4bd04b6bae3aed62fa750132a30c68a34e93063a46fe69a1d761bd49467e76119ae224e3b53f7

8. Filesize: 212B
MD5: fd5a34c3d5c6d3cac7ecf4b9d5ba39ad
SHA1: 6d64ce130e6e09425c6e0c149202573a1d199e7e
SHA256: ab1e95c3b0495f382861ba48224b625e7d2183595d13946bcd20015afcce21e4
SHA512: df911373f0482dbf6f39e3d45a6124f405d3805ebaec8759a7bd1c894e7582586564d9e6031e7e9558dfe7946e29626613943645d76e9507d8d9694b96a47751

9. Filesize: 212B
MD5: 2089ccfac3d800614692b209c891cfbb
SHA1: 9d33e270dcb186a21f7b0acd78039e6165e1774e
SHA256: cab4ee9c0f750a7d96f14a7294e6c7a8a36b958eabfecb49a7aa8d078bad18e3
SHA512: cb5f0073e5e69ecd23aadc27f0aebcde17b6eb54d22bcd81046fdb0c48d9e42f4cd86393ff0aa6bfbd35de2215087dab5bb1dc81e2f4232ea5651d6b892376ba

10. Filesize: 212B
MD5: 50d0a1af5d480d2ba96a8d85dd05a5cc
SHA1: 975126c71898c090432c38e997ec5fb25d56fa1b
SHA256: 6cfc77aadd27d7e6537347bfd4de39e8f544139c08d222c9a393b269ab790f3a
SHA512: 8604e2ece90e70bbaff8c8552aa56eab3a58df5a62e5b69399c0a40d7cf6e0e0221b9712c4ce4d3f63c35d52f149ce47d5f1b747effcb7defb2c99c69e85f54d

11. Filesize: 212B
MD5: 6c64bf91cc49aeb28d7b666ddedb2ebf
SHA1: d62fac87a7cd6d8e21809a0e4793faae6d26e484
SHA256: d2e06a7f6af66f0663b93198337d7e69f6b1fe04b461f21914041f70043451bc
SHA512: 9ead1ee83a4a92dc018c898e881773c98e92c66f0ffb6e87b6f326afd78bace3bcb5d0bdfc4255fd79ebdb32db7388bc47685b22665826b34b6c03fc9f840917

12. Filesize: 212B
MD5: e7f98fd9035498f80144283b13dae76d
SHA1: caa29736877c9db916c5c23d86fac9b5cb2b0adf
SHA256: bd1b816ad374b113375ba4e5e29a8bab9c9eb2ed1adc2f3ec457123e09b8d2fd
SHA512: d199c46903ff2fb311c9e05507be48866a70cf6ebd0dbe3d7c1d5385c6cb9a5e276b60583956593a50041496991f607adce74b36726bc6a3cb2ae584d4c68ecb

13. Filesize: 212B
MD5: 65a618d4cf070a503386c0e12688328f
SHA1: d0a3173fd587b5bd9cf8359370d1754dfdb89157
SHA256: 83dfa87bb2cbe88a8e830486676672ef9616ebaedae23e7176a918b4f2bf6b98
SHA512: e5ac085438056fa392901de20107d7c8db43ce0c18f0b17965d96f3a0692e6b54327ef48b4b829b6fb93a39d588a65f594cc0e1c774eecf6b05a1baf8430ccc2

14. Filesize: 212B
MD5: 418f651bec6a848c70c11dfd23e0d4dc
SHA1: 71f40ead2bbdb6158b36ea86c7157caa8663b237
SHA256: a407ac02cdf17d0531209d03c19db5decaf22c59e23b3588647248595aa21465
SHA512: 4d071caa54333521fd526ebc955b8e6de94b5c1c98c85ce131abd3f90e1b92e419148a8c3e0eb6b973f45bc3b18777800182947cdf82285450d357bf3a60f84c

15. Filesize: 212B
MD5: a80921e13e105d2f02df1352379dbf3b
SHA1: 7293dd1bd022b5b3b5dc5fbf7272c4bf2c66e3a6
SHA256: d6fd8a540f5d12d8a0b1759e49c937de6fc7857894c348e60c402cfaf43b6444
SHA512: 6544f67ed3789fcec7cdd293d452dae767b290fbb38bc3e5a79b63ffe3f41dc34d23d3dea0918e64060f9154f1223374c40a55b30dce9b6dca0f6db42485f6a5

16. Filesize: 212B
MD5: 527243a2838615793d0e0e5f4532c0f1
SHA1: c34b872b31a19f0c6ae162ccded4b9b772555b52
SHA256: a71a30b4f15b4fd0048dd6a401afd33d3efcf829fa18e5260d9dc984380a3a99
SHA512: 0dc5a9e2c935ebfb31cb6b5dfdb17acbf2439818cc8fd3faebd696e1d4cd999a79a4147fafc5787552b8c2769ee01aa0cf4ce90bd19d6920fde1a832885c8a70

17. Filesize: 3.1MB (same hashes as the submitted sample)
MD5: f4da021b8bc9d8ef1ff9ce30b0ab3b79
SHA1: 998a833c28617bf3e215fe7a8c3552972da36851
SHA256: b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545
SHA512: 77e30dfa5d917e0a2467217902b4a75e485f7419e31ea8fe09f6e721d5ba138a68cb354204f79a84e5167b771e3dfb86f182eec647b43dce70ee261b6b7f829c