Analysis
max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
18-12-2024 02:14
Behavioral task
behavioral1
Sample
26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
Resource
win7-20241010-en
General
Target
26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
Size
286KB
MD5
b988c49b9654ec30906a781cac1ebaaf
SHA1
85f7f7274e6a134870f309c2b3d06b71807e7626
SHA256
26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf
SHA512
c4454fe6dff339982370a842133db79dba3fb641688d43a47ce4bdfb158a15eff3cad37c34ec4d881ca01e408af43e00f6f36c254f1bc7d93321b9d5f9028ad5
SSDEEP
6144:EhVZx2zU1Ypil1TQxqhzu4nkhdVwbjJ1ybkCrrpo:+xT1tY4Idc1ybkCho
Malware Config
Extracted
quasar
1.4.0.0
FakeCreal
espinyskibidi-40205.portmap.host:40205
CdrjrrWbtRopP1ic7E
encryption_key
HXEHSwyN1GHqlZUqunrd
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Client
subdirectory
Microsoft
Signatures
description | flow | ioc | Process
 | 8 | ip-api.com | Process not Found
 | 53 | ip-api.com | Process not Found
 | 72 | ip-api.com | Process not Found
Key opened | | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
Quasar family
Quasar payload 2 IoCs
resource | yara_rule
behavioral2/memory/532-1-0x00000000004E0000-0x000000000052E000-memory.dmp | family_quasar
behavioral2/files/0x0008000000023c98-10.dat | family_quasar
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | Client.exe
Executes dropped EXE 14 IoCs
pid | Process
3060 | Client.exe
976 | Client.exe
4000 | Client.exe
4392 | Client.exe
864 | Client.exe
976 | Client.exe
2332 | Client.exe
3928 | Client.exe
2312 | Client.exe
1284 | Client.exe
1996 | Client.exe
2332 | Client.exe
3452 | Client.exe
4192 | Client.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
8 | ip-api.com
53 | ip-api.com
72 | ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
3860 | PING.EXE
3604 | PING.EXE
1208 | PING.EXE
3684 | PING.EXE
3384 | PING.EXE
1084 | PING.EXE
2280 | PING.EXE
832 | PING.EXE
532 | PING.EXE
2484 | PING.EXE
536 | PING.EXE
628 | PING.EXE
2944 | PING.EXE
Runs ping.exe 1 TTPs 13 IoCs
pid | Process
3384 | PING.EXE
1084 | PING.EXE
3860 | PING.EXE
2944 | PING.EXE
832 | PING.EXE
3604 | PING.EXE
536 | PING.EXE
2280 | PING.EXE
628 | PING.EXE
532 | PING.EXE
1208 | PING.EXE
2484 | PING.EXE
3684 | PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4872 | schtasks.exe
2144 | schtasks.exe
3568 | schtasks.exe
1372 | schtasks.exe
4840 | schtasks.exe
1980 | schtasks.exe
2960 | schtasks.exe
2932 | schtasks.exe
5088 | schtasks.exe
964 | schtasks.exe
904 | schtasks.exe
2288 | schtasks.exe
760 | schtasks.exe
1520 | schtasks.exe
Suspicious use of AdjustPrivilegeToken 14 IoCs
description | pid | Process
Token: SeDebugPrivilege | 532 | 26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
Token: SeDebugPrivilege | 3060 | Client.exe
Token: SeDebugPrivilege | 976 | Client.exe
Token: SeDebugPrivilege | 4000 | Client.exe
Token: SeDebugPrivilege | 4392 | Client.exe
Token: SeDebugPrivilege | 864 | Client.exe
Token: SeDebugPrivilege | 976 | Client.exe
Token: SeDebugPrivilege | 2332 | Client.exe
Token: SeDebugPrivilege | 3928 | Client.exe
Token: SeDebugPrivilege | 2312 | Client.exe
Token: SeDebugPrivilege | 1284 | Client.exe
Token: SeDebugPrivilege | 1996 | Client.exe
Token: SeDebugPrivilege | 2332 | Client.exe
Token: SeDebugPrivilege | 3452 | Client.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 532 wrote to memory of 5088 | 532 | 26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe | 84
PID 532 wrote to memory of 5088 | 532 | 26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe | 84
PID 532 wrote to memory of 5088 | 532 | 26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe | 84
PID 532 wrote to memory of 3060 | 532 | 26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe | 86
PID 532 wrote to memory of 3060 | 532 | 26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe | 86
PID 532 wrote to memory of 3060 | 532 | 26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe | 86
PID 3060 wrote to memory of 964 | 3060 | Client.exe | 89
PID 3060 wrote to memory of 964 | 3060 | Client.exe | 89
PID 3060 wrote to memory of 964 | 3060 | Client.exe | 89
PID 3060 wrote to memory of 4968 | 3060 | Client.exe | 91
PID 3060 wrote to memory of 4968 | 3060 | Client.exe | 91
PID 3060 wrote to memory of 4968 | 3060 | Client.exe | 91
PID 4968 wrote to memory of 3968 | 4968 | cmd.exe | 93
PID 4968 wrote to memory of 3968 | 4968 | cmd.exe | 93
PID 4968 wrote to memory of 3968 | 4968 | cmd.exe | 93
PID 4968 wrote to memory of 1084 | 4968 | cmd.exe | 94
PID 4968 wrote to memory of 1084 | 4968 | cmd.exe | 94
PID 4968 wrote to memory of 1084 | 4968 | cmd.exe | 94
PID 4968 wrote to memory of 976 | 4968 | cmd.exe | 101
PID 4968 wrote to memory of 976 | 4968 | cmd.exe | 101
PID 4968 wrote to memory of 976 | 4968 | cmd.exe | 101
PID 976 wrote to memory of 904 | 976 | Client.exe | 103
PID 976 wrote to memory of 904 | 976 | Client.exe | 103
PID 976 wrote to memory of 904 | 976 | Client.exe | 103
PID 976 wrote to memory of 2588 | 976 | Client.exe | 105
PID 976 wrote to memory of 2588 | 976 | Client.exe | 105
PID 976 wrote to memory of 2588 | 976 | Client.exe | 105
PID 2588 wrote to memory of 884 | 2588 | cmd.exe | 107
PID 2588 wrote to memory of 884 | 2588 | cmd.exe | 107
PID 2588 wrote to memory of 884 | 2588 | cmd.exe | 107
PID 2588 wrote to memory of 2280 | 2588 | cmd.exe | 108
PID 2588 wrote to memory of 2280 | 2588 | cmd.exe | 108
PID 2588 wrote to memory of 2280 | 2588 | cmd.exe | 108
PID 2588 wrote to memory of 4000 | 2588 | cmd.exe | 116
PID 2588 wrote to memory of 4000 | 2588 | cmd.exe | 116
PID 2588 wrote to memory of 4000 | 2588 | cmd.exe | 116
PID 4000 wrote to memory of 4872 | 4000 | Client.exe | 118
PID 4000 wrote to memory of 4872 | 4000 | Client.exe | 118
PID 4000 wrote to memory of 4872 | 4000 | Client.exe | 118
PID 4000 wrote to memory of 372 | 4000 | Client.exe | 120
PID 4000 wrote to memory of 372 | 4000 | Client.exe | 120
PID 4000 wrote to memory of 372 | 4000 | Client.exe | 120
PID 372 wrote to memory of 3856 | 372 | cmd.exe | 122
PID 372 wrote to memory of 3856 | 372 | cmd.exe | 122
PID 372 wrote to memory of 3856 | 372 | cmd.exe | 122
PID 372 wrote to memory of 3860 | 372 | cmd.exe | 123
PID 372 wrote to memory of 3860 | 372 | cmd.exe | 123
PID 372 wrote to memory of 3860 | 372 | cmd.exe | 123
PID 372 wrote to memory of 4392 | 372 | cmd.exe | 128
PID 372 wrote to memory of 4392 | 372 | cmd.exe | 128
PID 372 wrote to memory of 4392 | 372 | cmd.exe | 128
PID 4392 wrote to memory of 3568 | 4392 | Client.exe | 130
PID 4392 wrote to memory of 3568 | 4392 | Client.exe | 130
PID 4392 wrote to memory of 3568 | 4392 | Client.exe | 130
PID 4392 wrote to memory of 1756 | 4392 | Client.exe | 132
PID 4392 wrote to memory of 1756 | 4392 | Client.exe | 132
PID 4392 wrote to memory of 1756 | 4392 | Client.exe | 132
PID 1756 wrote to memory of 3868 | 1756 | cmd.exe | 134
PID 1756 wrote to memory of 3868 | 1756 | cmd.exe | 134
PID 1756 wrote to memory of 3868 | 1756 | cmd.exe | 134
PID 1756 wrote to memory of 628 | 1756 | cmd.exe | 135
PID 1756 wrote to memory of 628 | 1756 | cmd.exe | 135
PID 1756 wrote to memory of 628 | 1756 | cmd.exe | 135
PID 1756 wrote to memory of 864 | 1756 | cmd.exe | 137
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe"
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 532

Level 2: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID: 5088

Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3060

Level 3: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID: 964

Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6kyegaldvQLj.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4968

Level 4: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID: 3968

Level 4: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1084

Level 4: C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 976

Level 5: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID: 904

Level 5: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SLDjQXhBHdmp.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2588

Level 6: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID: 884

Level 6: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2280

Level 6: C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4000

Level 7: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID: 4872

Level 7: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOVadzEgvVq3.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 372

Level 8: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
PID: 3856

Level 8: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3860

Level 8: C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4392

Level 9: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID: 3568

Level 9: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EM7oqLrdjx36.bat" "
- Suspicious use of WriteProcessMemory
PID: 1756

Level 10: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID: 3868

Level 10: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 628

Level 10: C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 864

Level 11: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID: 1372

Level 11: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CdMMdSVs5JBY.bat" "
- System Location Discovery: System Language Discovery
PID: 3836

Level 12: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID: 4460

Level 12: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2944

Level 12: C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 976

Level 13: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID: 1980

Level 13: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1K57BfqeICMh.bat" "
- System Location Discovery: System Language Discovery
PID: 4600

Level 14: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID: 3716

Level 14: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 832

Level 14: C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 2332

Level 15: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID: 2144

Level 15: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYap39mmiDcc.bat" "
- System Location Discovery: System Language Discovery
PID: 2648

Level 16: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID: 64

Level 16: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3604

Level 16: C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 3928

Level 17: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID: 4840

Level 17: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VjM23QM9iKDy.bat" "
- System Location Discovery: System Language Discovery
PID: 2916

Level 18: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID: 1892

Level 18: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 532

Level 18: C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 2312

Level 19: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID: 2960

Level 19: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qhm03W9P2a8u.bat" "
- System Location Discovery: System Language Discovery
PID: 2800

Level 20: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID: 2136

Level 20: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1208

Level 20: C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 1284

Level 21: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID: 2932

Level 21: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xR3KI7NbgdsV.bat" "
- System Location Discovery: System Language Discovery
PID: 1540

Level 22: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID: 1080

Level 22: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2484

Level 22: C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 1996

Level 23: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID: 2288

Level 23: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAOYQp3zv8RS.bat" "
- System Location Discovery: System Language Discovery
PID: 912

Level 24: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID: 3924

Level 24: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 536

Level 24: C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 2332

Level 25: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID: 760

Level 25: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w5HwjYyqoEny.bat" "
- System Location Discovery: System Language Discovery
PID: 4472

Level 26: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID: 2784

Level 26: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3684

Level 26: C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 3452

Level 27: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 1520

Level 27: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P8YnwzVLS7qC.bat" "
- System Location Discovery: System Language Discovery
PID: 860

Level 28: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID: 440

Level 28: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3384

Level 28: C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 4192
MITRE ATT&CK Enterprise v15
Downloads