Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 02:17
Behavioral task: behavioral1
Sample: 2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Resource: win7-20240903-en
General
Target: 2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Size: 3.1MB
MD5: 4522bc113a6f5b984e9ffac278f9f064
SHA1: 392ec955d7b5c5da965f7af9f929b89c33409b03
SHA256: 2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58
SHA512: c0980d621a154adb63bdb8a4e7adc863a40d1af8d98d18bd0671fc07721639d66b10d471d4dddc0e78cc127d4c0429f3084618f227919e4a552d6de4ee7793ff
SSDEEP: 98304:6WV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvg:FTQzo
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: ZJEB
C2: VIPEEK1990-25013.portmap.host:25013
Mutex: ebef1e3c-805b-4b1a-aa24-bf4dcab44476
encryption_key: 3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows Security Service
subdirectory: SubDir
Signatures
-
Quasar family
-
Quasar payload 11 IoCs
resource  yara_rule
behavioral1/memory/2356-1-0x0000000000B00000-0x0000000000E24000-memory.dmp  family_quasar
behavioral1/memory/2716-13-0x0000000000390000-0x00000000006B4000-memory.dmp  family_quasar
behavioral1/memory/3060-23-0x0000000000ED0000-0x00000000011F4000-memory.dmp  family_quasar
behavioral1/memory/1944-33-0x0000000000290000-0x00000000005B4000-memory.dmp  family_quasar
behavioral1/memory/2396-44-0x0000000000D70000-0x0000000001094000-memory.dmp  family_quasar
behavioral1/memory/940-54-0x0000000000E90000-0x00000000011B4000-memory.dmp  family_quasar
behavioral1/memory/1752-82-0x0000000000F70000-0x0000000001294000-memory.dmp  family_quasar
behavioral1/memory/2268-111-0x00000000000C0000-0x00000000003E4000-memory.dmp  family_quasar
behavioral1/memory/2560-121-0x0000000000E20000-0x0000000001144000-memory.dmp  family_quasar
behavioral1/memory/2272-132-0x0000000001270000-0x0000000001594000-memory.dmp  family_quasar
behavioral1/memory/2128-151-0x0000000000180000-0x00000000004A4000-memory.dmp  family_quasar
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 16 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Process: PING.EXE, pids: 2436, 2700, 1944, 1088, 2488, 1656, 1320, 2944, 2576, 1548, 2932, 376, 1804, 792, 2344, 1208
Runs ping.exe 1 TTPs 16 IoCs
Process: PING.EXE, pids: 1804, 792, 2700, 1208, 1548, 2932, 2944, 2576, 376, 1088, 2488, 1320, 1656, 2436, 2344, 1944
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe, pids: 1524, 2248, 3028, 1708, 884, 2144, 2704, 580, 1864, 2996, 2584, 2672, 2432, 2160, 1648, 552
Suspicious use of AdjustPrivilegeToken 16 IoCs
Token: SeDebugPrivilege, Process: 2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe, pids: 2356, 2716, 3060, 1944, 2396, 940, 484, 2504, 1752, 2576, 1948, 2268, 2560, 2272, 932, 2128
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 2356 wrote to memory of 1524  2356  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  30
PID 2356 wrote to memory of 1524  2356  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  30
PID 2356 wrote to memory of 1524  2356  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  30
PID 2356 wrote to memory of 1752  2356  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  32
PID 2356 wrote to memory of 1752  2356  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  32
PID 2356 wrote to memory of 1752  2356  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  32
PID 1752 wrote to memory of 2760  1752  cmd.exe  34
PID 1752 wrote to memory of 2760  1752  cmd.exe  34
PID 1752 wrote to memory of 2760  1752  cmd.exe  34
PID 1752 wrote to memory of 1656  1752  cmd.exe  35
PID 1752 wrote to memory of 1656  1752  cmd.exe  35
PID 1752 wrote to memory of 1656  1752  cmd.exe  35
PID 1752 wrote to memory of 2716  1752  cmd.exe  37
PID 1752 wrote to memory of 2716  1752  cmd.exe  37
PID 1752 wrote to memory of 2716  1752  cmd.exe  37
PID 2716 wrote to memory of 2704  2716  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  38
PID 2716 wrote to memory of 2704  2716  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  38
PID 2716 wrote to memory of 2704  2716  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  38
PID 2716 wrote to memory of 2708  2716  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  40
PID 2716 wrote to memory of 2708  2716  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  40
PID 2716 wrote to memory of 2708  2716  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  40
PID 2708 wrote to memory of 2632  2708  cmd.exe  42
PID 2708 wrote to memory of 2632  2708  cmd.exe  42
PID 2708 wrote to memory of 2632  2708  cmd.exe  42
PID 2708 wrote to memory of 2576  2708  cmd.exe  43
PID 2708 wrote to memory of 2576  2708  cmd.exe  43
PID 2708 wrote to memory of 2576  2708  cmd.exe  43
PID 2708 wrote to memory of 3060  2708  cmd.exe  44
PID 2708 wrote to memory of 3060  2708  cmd.exe  44
PID 2708 wrote to memory of 3060  2708  cmd.exe  44
PID 3060 wrote to memory of 580  3060  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  45
PID 3060 wrote to memory of 580  3060  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  45
PID 3060 wrote to memory of 580  3060  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  45
PID 3060 wrote to memory of 1244  3060  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  47
PID 3060 wrote to memory of 1244  3060  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  47
PID 3060 wrote to memory of 1244  3060  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  47
PID 1244 wrote to memory of 1552  1244  cmd.exe  49
PID 1244 wrote to memory of 1552  1244  cmd.exe  49
PID 1244 wrote to memory of 1552  1244  cmd.exe  49
PID 1244 wrote to memory of 376  1244  cmd.exe  50
PID 1244 wrote to memory of 376  1244  cmd.exe  50
PID 1244 wrote to memory of 376  1244  cmd.exe  50
PID 1244 wrote to memory of 1944  1244  cmd.exe  51
PID 1244 wrote to memory of 1944  1244  cmd.exe  51
PID 1244 wrote to memory of 1944  1244  cmd.exe  51
PID 1944 wrote to memory of 2160  1944  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  52
PID 1944 wrote to memory of 2160  1944  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  52
PID 1944 wrote to memory of 2160  1944  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  52
PID 1944 wrote to memory of 3048  1944  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  54
PID 1944 wrote to memory of 3048  1944  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  54
PID 1944 wrote to memory of 3048  1944  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  54
PID 3048 wrote to memory of 2884  3048  cmd.exe  56
PID 3048 wrote to memory of 2884  3048  cmd.exe  56
PID 3048 wrote to memory of 2884  3048  cmd.exe  56
PID 3048 wrote to memory of 2436  3048  cmd.exe  57
PID 3048 wrote to memory of 2436  3048  cmd.exe  57
PID 3048 wrote to memory of 2436  3048  cmd.exe  57
PID 3048 wrote to memory of 2396  3048  cmd.exe  58
PID 3048 wrote to memory of 2396  3048  cmd.exe  58
PID 3048 wrote to memory of 2396  3048  cmd.exe  58
PID 2396 wrote to memory of 1864  2396  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  59
PID 2396 wrote to memory of 1864  2396  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  59
PID 2396 wrote to memory of 1864  2396  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  59
PID 2396 wrote to memory of 632  2396  2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe  61
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(The bracketed number is the process's depth in the process tree. Each entry lists the image path with its PID, the command line, and the signatures it triggered.)

[1] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe (PID 2356)
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\system32\schtasks.exe (PID 1524)
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[2] C:\Windows\system32\cmd.exe (PID 1752)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\uiBd0Gn66lhR.bat" "
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\system32\chcp.com (PID 2760)
    chcp 65001
[3] C:\Windows\system32\PING.EXE (PID 1656)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[3] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe (PID 2716)
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\system32\schtasks.exe (PID 2704)
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[4] C:\Windows\system32\cmd.exe (PID 2708)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\GF3VRkVReCvf.bat" "
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\system32\chcp.com (PID 2632)
    chcp 65001
[5] C:\Windows\system32\PING.EXE (PID 2576)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[5] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe (PID 3060)
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\system32\schtasks.exe (PID 580)
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[6] C:\Windows\system32\cmd.exe (PID 1244)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\uLlMm0FSvYMz.bat" "
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\system32\chcp.com (PID 1552)
    chcp 65001
[7] C:\Windows\system32\PING.EXE (PID 376)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[7] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe (PID 1944)
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\system32\schtasks.exe (PID 2160)
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[8] C:\Windows\system32\cmd.exe (PID 3048)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\wQcti4YtZ2qd.bat" "
    - Suspicious use of WriteProcessMemory
[9] C:\Windows\system32\chcp.com (PID 2884)
    chcp 65001
[9] C:\Windows\system32\PING.EXE (PID 2436)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[9] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe (PID 2396)
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[10] C:\Windows\system32\schtasks.exe (PID 1864)
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[10] C:\Windows\system32\cmd.exe (PID 632)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\lHo96DIHh2hU.bat" "
[11] C:\Windows\system32\chcp.com (PID 2288)
    chcp 65001
[11] C:\Windows\system32\PING.EXE (PID 1804)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[11] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe (PID 940)
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    - Suspicious use of AdjustPrivilegeToken
[12] C:\Windows\system32\schtasks.exe (PID 2432)
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[12] C:\Windows\system32\cmd.exe (PID 996)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\92Zx5I5a5ekL.bat" "
[13] C:\Windows\system32\chcp.com (PID 1832)
    chcp 65001
[13] C:\Windows\system32\PING.EXE (PID 1548)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[13] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe (PID 484)
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    - Suspicious use of AdjustPrivilegeToken
[14] C:\Windows\system32\schtasks.exe (PID 2248)
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[14] C:\Windows\system32\cmd.exe (PID 1512)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\ANi3XxNo0NTs.bat" "
[15] C:\Windows\system32\chcp.com (PID 780)
    chcp 65001
[15] C:\Windows\system32\PING.EXE (PID 792)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[15] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe (PID 2504)
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    - Suspicious use of AdjustPrivilegeToken
[16] C:\Windows\system32\schtasks.exe (PID 2996)
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[16] C:\Windows\system32\cmd.exe (PID 2864)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\GS3fJs2sh2yN.bat" "
[17] C:\Windows\system32\chcp.com (PID 2152)
    chcp 65001
[17] C:\Windows\system32\PING.EXE (PID 2700)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[17] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe (PID 1752)
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    - Suspicious use of AdjustPrivilegeToken
[18] C:\Windows\system32\schtasks.exe (PID 2584)
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[18] C:\Windows\system32\cmd.exe (PID 2604)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\EXx0XClvmNhJ.bat" "
[19] C:\Windows\system32\chcp.com (PID 2620)
    chcp 65001
[19] C:\Windows\system32\PING.EXE (PID 2344)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[19] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe (PID 2576)
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    - Suspicious use of AdjustPrivilegeToken
[20] C:\Windows\system32\schtasks.exe (PID 3028)
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[20] C:\Windows\system32\cmd.exe (PID 3024)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\48wtayyFiQZy.bat" "
[21] C:\Windows\system32\chcp.com (PID 868)
    chcp 65001
[21] C:\Windows\system32\PING.EXE (PID 1208)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[21] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe (PID 1948)
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    - Suspicious use of AdjustPrivilegeToken
[22] C:\Windows\system32\schtasks.exe (PID 1648)
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[22] C:\Windows\system32\cmd.exe (PID 1388)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\ttAw9eBFecnK.bat" "
[23] C:\Windows\system32\chcp.com (PID 3020)
    chcp 65001
[23] C:\Windows\system32\PING.EXE (PID 1944)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[23] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe (PID 2268)
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    - Suspicious use of AdjustPrivilegeToken
[24] C:\Windows\system32\schtasks.exe (PID 2672)
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[24] C:\Windows\system32\cmd.exe (PID 2972)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\o36AhZiYGKHS.bat" "
[25] C:\Windows\system32\chcp.com (PID 1696)
    chcp 65001
[25] C:\Windows\system32\PING.EXE (PID 1088)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[25] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe (PID 2560)
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    - Suspicious use of AdjustPrivilegeToken
[26] C:\Windows\system32\schtasks.exe (PID 1708)
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[26] C:\Windows\system32\cmd.exe (PID 1268)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\SaG0fAA14Arj.bat" "
[27] C:\Windows\system32\chcp.com (PID 760)
    chcp 65001
[27] C:\Windows\system32\PING.EXE (PID 1320)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[27] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe (PID 2272)
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    - Suspicious use of AdjustPrivilegeToken
[28] C:\Windows\system32\schtasks.exe (PID 884)
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[28] C:\Windows\system32\cmd.exe (PID 2308)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\v4bvnQ1WtZje.bat" "
[29] C:\Windows\system32\chcp.com (PID 2376)
    chcp 65001
[29] C:\Windows\system32\PING.EXE (PID 2488)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[29] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe (PID 932)
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    - Suspicious use of AdjustPrivilegeToken
[30] C:\Windows\system32\schtasks.exe (PID 552)
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[30] C:\Windows\system32\cmd.exe (PID 2148)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\HLWAxVjtYzCy.bat" "
[31] C:\Windows\system32\chcp.com (PID 1524)
    chcp 65001
[31] C:\Windows\system32\PING.EXE (PID 2932)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[31] C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe (PID 2128)
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    - Suspicious use of AdjustPrivilegeToken
[32] C:\Windows\system32\schtasks.exe (PID 2144)
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[32] C:\Windows\system32\cmd.exe (PID 2304)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\l0jZ1ShHJPM9.bat" "
[33] C:\Windows\system32\chcp.com (PID 2820)
    chcp 65001
[33] C:\Windows\system32\PING.EXE (PID 2944)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 261B
MD5: 44b20909ed096c3b029dc7cc320d722a
SHA1: 2769ea4f915be52b0c11c7b1ed2ac293880d29ba
SHA256: 7e5779def370abde5ec5b7697c09952323c2e9b0eaf9419a137c2dc389e0f673
SHA512: d143b217312667c6212743e23c92ce58e5f31aa4252f4d32c2398f807b59f964f8f2eddfc5fc76080289e4bb9eb85a2f9cb64e07633c06b27806f606e59b7c6c
-
Filesize: 261B
MD5: 4b2708b084d00a5d1d278c76a6895ae2
SHA1: 88ef73c1c796578d73402302047dc5648aa2b29d
SHA256: d3e304831a56f58247316b4a64fbf70b50ce5f54fae461a4fdc6eb0495e1a992
SHA512: f855430536cb2993869c1964dc1c75352d27cb0aa1ed9a8be6ffc4f64384ce6cdbf32085c896d786321461375be19633ad1898169fd7ff9cffcbbabe3a76f21c
-
Filesize: 261B
MD5: 96b8a154295216aff126f794463349e5
SHA1: ece45d7c462d25f1fecbb5dfa0ac4d653530e8d9
SHA256: 66782f88d32062d0d8e941c8465646b12aff9db13f215545a2b0baacf1f48931
SHA512: 3242a817a5f60801b6cf9fae517ee4449ca5b1121e059059e05de2efc0b848d0cfbb676a165bcfc8e905eb18b65ce2fcb5b68290697a5e0abfc890b5c0d0c3dc
-
Filesize: 261B
MD5: cab21fe11b63ac36b72d2706b5cfc46e
SHA1: 043024851abe41d496b49ae6d6f1d774883ab05e
SHA256: c681ef095531c50ee9a992904e8c642a367e5c8df6ed1b6c91823b6b4377b958
SHA512: 73265b6e57286720b89c4d291e7e76f17949bc0b46d74f74fa020f9220acba69538ad8e207a9e45d6395d754be876c1041a1fa2de0b7bb1c25636c4deaa24c84
-
Filesize: 261B
MD5: 322b5e6ba0aeb4e7ffcb3be800d7ba81
SHA1: f885da2cc87e17c7bb0f6c7c905f7e29d8aed1a9
SHA256: 225cf63c76e917190d87b5fe232e7fbbdaeb669e3e700e3e21715dfb7c9d5c3c
SHA512: aca62b52f05d49299b850db978f2b6b9b0555461a4b28e8e02864d762c34eb5e9fc0a396b33f267410b2a9c83ef17bd632a1a9fd74f9ec75ea0a3fbcee7c5ecc
-
Filesize: 261B
MD5: 4622f36b1561c73fbbbe56e3eb78ce1c
SHA1: 92675c0ea5fffed71ecd9451ba5c296524bcc310
SHA256: 94e5ff5cc6a9540901ed37570bc974029c5ad9ad5d3eaed06f534cf140d4b06f
SHA512: 3119fa47cf4409f735d19be1c8480aa50a8cb2ff747cb8501114ced112aadd74aa3173e2a0665289c470d1fcd71714c0b4055c311bbff14073451e4fcceb6b8e
-
Filesize: 261B
MD5: d7b1bc3ff8c157e4d93fde37d7729d3d
SHA1: 0f6185505927d7a0571f7901d3fc3d90de34b759
SHA256: 0f43cf834d5a0cf734906723292c6b7fcea34db7edbd31e2162b98c228b3258d
SHA512: 2cc6bd4d4c7ea24c0c4797b8e0322b298735cacfee115a2bf0a0471eec07b21a7dff63f581c5735ebe70e489e6c7b1f729a8cc9c41b6af0c4a1204ca5568703c
-
Filesize: 261B
MD5: 098bcaea1a9c4b49789b6a37445c137d
SHA1: c0b3eff1c887e72a8edd67c9009bfcec1e8e0088
SHA256: 7d0d8a39857ecfcd510c35fe08ee736d50136270bae5eaac918560ca26191dd6
SHA512: 409bad2ecfd9321a68594628c6545c20afffb1a8377239c8e77cb1def5aa42e53f56cf4006b8bb216e7c33fb5f880da901b3f5eb2cb2b542f89a84af8ac7d63b
-
Filesize: 261B
MD5: 46a87abc8c228a08879354ff08d55f11
SHA1: 445ba955e17d6c9ac67b2cc020687fd24f238cb4
SHA256: 288942bbfa1c1fa2db461c657e243c12d3cbf8454b685c37250546eb542dd8a5
SHA512: 395e91097c1ed1a4f4ab7bc49a95e49f6ffb851aaf538948796db7a577d2ef306df9cfb7318762efd242f9ec0bd56a08f003f73800103c74a386e50fd664c24c
-
Filesize: 261B
MD5: 3c438eb387961d6f763b3989f810124c
SHA1: 5151f25d1158e524e550e96b301c2ff53d79d879
SHA256: b456838333e953eac64510c10f4fdb9cdeba79e8ba62900380fadc8f266f7960
SHA512: 2a03439b171a88a16314ac22cbf8e1af58797bb68dd4fbea9d0fa7b87bd84df67047fdb67e788a2b31747e585e2b5d3dd2cb461b8ef09cd7a96df221172236ef
-
Filesize: 261B
MD5: eba90f952b7ebaab40afe935417d23df
SHA1: f014c38637aeb6b25284e0f01ee2f78087fc5a7d
SHA256: 496645c70a17021c84678a14a1af66eca884fd5d9ab45d9262d704bd79534dd2
SHA512: 63a6e7771fbc63cccb9a7d885058e90de53a7ddd9ae22a2b8d0739d325da4fa5cb143012556f540e86c73e1256c8fcb72bbd640c5a40a08b5a09eeb399c928a6
-
Filesize: 261B
MD5: 40700a53f2596a1b555ac8422ba1e45b
SHA1: 7db8469baf6f0e4dfbe47797709c6359a6e01b5e
SHA256: 4bacb6b43f9104ef750feb843b6873165c57820196e98f766efda1548c1c8835
SHA512: 6249cc4797205cbac9443002ee6c4fe59511faed2572e8c1057b56a201e7a93301bb2543edc984df07563f604dde7aee29d2d1ea9c874f4153f2ee3b065fb234
-
Filesize: 261B
MD5: 0603c338f42d0e6e91b8edf00a9ef1da
SHA1: 6d01cf94dcd04352b08b7041a904babe0719bcf3
SHA256: 6cce43ee2b7511f01b8f9929b9a81200d8eb5863609e99657130c1fcbdfc9304
SHA512: c8f10cb7942c1819274bf7cef1ce7e8d0ddca939658a846700f6c2cccfa7d47ff6d87d56d839ee52dffa8f10cc4cd862897ad9b15df806fb08bd902cff945b5f
-
Filesize: 261B
MD5: 0393c831967ce3f81bb68cbaca8d8482
SHA1: b9a1c42663aafb1750811a40397e98a1cbd22725
SHA256: 7379ad835a7cc0770d9929bbbea37aa905e3111f16bda31e699f45c88b1103e1
SHA512: e71034a915d5785703617c46c5e9c6885b5c3897e94de1a6a50a65322c751e0ac6594550abab8bc2d2f8c05b62fba490aab70cb97eca68110c5db55f42381c61
-
Filesize: 261B
MD5: 93140ad0e85731f81a29e7a45daf6eb6
SHA1: dfc2df0c04637dda2b226882cccd65ddf77460b2
SHA256: 3f7171ce14de68847bcf53613a268043cc9fb951dfeb40aca4cee76a186a6ef8
SHA512: d7ba7d65f1b72505991e2730abee6ea6ed30d7a37d2bb10f8730c1b55e4598c82a1bfe1af0c0ef346930ccfa93d70947a1aa53e30f4bdb24be7bfd8987fce34e
-
Filesize: 261B
MD5: e89db0135f68c1c3b0c6ff5dd6b1d370
SHA1: 0ee8bb6ba763ad2eb5bf72afb37d488f84dec46d
SHA256: 2aeaac218f027953f13002d1ea8b9f10124b0645f93ee3c2702be11fe1b31361
SHA512: 7b5531bdb1faf3a3adb0f3537d83c0fda14210bc73b72dbcc659a24de23e0fb3ff5be92a1b27069a3e2c025cf5553557109c2d99c76cedae0dc73683859c00ff