Analysis
- max time kernel: 147s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-12-2024 02:17

Behavioral task: behavioral1
- Sample: 2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
- Resource: win7-20240903-en
General
- Target: 2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
- Size: 3.1MB
- MD5: 4522bc113a6f5b984e9ffac278f9f064
- SHA1: 392ec955d7b5c5da965f7af9f929b89c33409b03
- SHA256: 2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58
- SHA512: c0980d621a154adb63bdb8a4e7adc863a40d1af8d98d18bd0671fc07721639d66b10d471d4dddc0e78cc127d4c0429f3084618f227919e4a552d6de4ee7793ff
- SSDEEP: 98304:6WV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvg:FTQzo
Malware Config
Extracted: quasar
- 1.4.1
- ZJEB
- VIPEEK1990-25013.portmap.host:25013
- ebef1e3c-805b-4b1a-aa24-bf4dcab44476
- encryption_key: 3EBA8BC34FA983893A9B07B831E7CEB183F7492D
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Windows Security Service
- subdirectory: SubDir
Signatures
In this section sample.exe stands for 2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe.

- Quasar family
- Quasar payload (1 IoC)
  resource: behavioral2/memory/4468-1-0x0000000000BC0000-0x0000000000EE4000-memory.dmp; yara_rule: family_quasar
- Checks computer location settings (2 TTPs, 15 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried by sample.exe: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation (the identical entry is recorded 15 times)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PING.EXE PIDs: 4964, 2040, 2416, 1464, 1532, 3396, 524, 2516, 2836, 4432, 4724, 908, 4904, 3112, 1968
- Runs ping.exe (1 TTP, 15 IoCs)
  PING.EXE PIDs: 4964, 4904, 4432, 3112, 1968, 3396, 2516, 2416, 4724, 1464, 524, 2040, 908, 2836, 1532
- Scheduled Task/Job: Scheduled Task (1 TTP, 15 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe PIDs: 4324, 868, 1964, 2832, 380, 4968, 4504, 2656, 4488, 4588, 4832, 224, 3984, 4280, 1580
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Token: SeDebugPrivilege, by sample.exe PIDs 4468, 5024, 2736, 4008, 2028, 3824, 4660, 2896, 2188, 4940, 4728, 1404, 1252, 1328, 2236
- Suspicious use of SetWindowsHookEx (1 IoC)
  sample.exe PID 1328
- Suspicious use of WriteProcessMemory (64 IoCs)
  32 distinct writes, each recorded twice in the raw report. Columns: source PID -> target PID, source process, procid_target.
  4468 -> 224    sample.exe  82
  4468 -> 2452   sample.exe  84
  2452 -> 3048   cmd.exe     86
  2452 -> 4964   cmd.exe     87
  2452 -> 5024   cmd.exe     93
  5024 -> 4504   sample.exe  94
  5024 -> 3636   sample.exe  96
  3636 -> 2520   cmd.exe     98
  3636 -> 2040   cmd.exe     99
  3636 -> 2736   cmd.exe     102
  2736 -> 3984   sample.exe  103
  2736 -> 4320   sample.exe  105
  4320 -> 3964   cmd.exe     107
  4320 -> 908    cmd.exe     108
  4320 -> 4008   cmd.exe     110
  4008 -> 1964   sample.exe  111
  4008 -> 3988   sample.exe  113
  3988 -> 1360   cmd.exe     116
  3988 -> 2516   cmd.exe     117
  3988 -> 2028   cmd.exe     118
  2028 -> 4280   sample.exe  119
  2028 -> 2780   sample.exe  121
  2780 -> 4140   cmd.exe     123
  2780 -> 2416   cmd.exe     124
  2780 -> 3824   cmd.exe     125
  3824 -> 2832   sample.exe  126
  3824 -> 4560   sample.exe  128
  4560 -> 4292   cmd.exe     130
  4560 -> 4904   cmd.exe     131
  4560 -> 4660   cmd.exe     132
  4660 -> 1580   sample.exe  133
  4660 -> 4016   sample.exe  135
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Image paths are the same for every instance: sample.exe = C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe, schtasks = C:\Windows\SYSTEM32\schtasks.exe, cmd = C:\Windows\system32\cmd.exe, chcp = C:\Windows\system32\chcp.com, ping = C:\Windows\system32\PING.EXE. The depth is the nesting level in the process tree; each process is a child of the nearest preceding process with depth one less.

Every schtasks instance runs the same command line and carries the signature "Scheduled Task/Job: Scheduled Task":
  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Every ping instance carries the signatures "System Network Configuration Discovery: Internet Connection Discovery" and "Runs ping.exe". chcp instances carry no signatures.

depth 1   PID 4468  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
          signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
depth 2   PID 224   schtasks
depth 2   PID 2452  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0niEKtseB4s0.bat" "
          signatures: Suspicious use of WriteProcessMemory
depth 3   PID 3048  chcp 65001
depth 3   PID 4964  ping -n 10 localhost
depth 3   PID 5024  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
          signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
depth 4   PID 4504  schtasks
depth 4   PID 3636  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Eo0pNbHoF3sE.bat" "
          signatures: Suspicious use of WriteProcessMemory
depth 5   PID 2520  chcp 65001
depth 5   PID 2040  ping -n 10 localhost
depth 5   PID 2736  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
          signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
depth 6   PID 3984  schtasks
depth 6   PID 4320  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qZsGCXWfkmHP.bat" "
          signatures: Suspicious use of WriteProcessMemory
depth 7   PID 3964  chcp 65001
depth 7   PID 908   ping -n 10 localhost
depth 7   PID 4008  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
          signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
depth 8   PID 1964  schtasks
depth 8   PID 3988  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v0jxSmRunVvq.bat" "
          signatures: Suspicious use of WriteProcessMemory
depth 9   PID 1360  chcp 65001
depth 9   PID 2516  ping -n 10 localhost
depth 9   PID 2028  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
          signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
depth 10  PID 4280  schtasks
depth 10  PID 2780  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jtyo3hbw6FYH.bat" "
          signatures: Suspicious use of WriteProcessMemory
depth 11  PID 4140  chcp 65001
depth 11  PID 2416  ping -n 10 localhost
depth 11  PID 3824  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
          signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
depth 12  PID 2832  schtasks
depth 12  PID 4560  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qdf4EwNSzD0V.bat" "
          signatures: Suspicious use of WriteProcessMemory
depth 13  PID 4292  chcp 65001
depth 13  PID 4904  ping -n 10 localhost
depth 13  PID 4660  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
          signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
depth 14  PID 1580  schtasks
depth 14  PID 4016  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4s0GEDbdakzu.bat" "
depth 15  PID 5012  chcp 65001
depth 15  PID 2836  ping -n 10 localhost
depth 15  PID 2896  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
          signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken
depth 16  PID 4832  schtasks
depth 16  PID 1916  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jlcpmx2uJ5H4.bat" "
depth 17  PID 4564  chcp 65001
depth 17  PID 4432  ping -n 10 localhost
depth 17  PID 2188  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
          signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken
depth 18  PID 2656  schtasks
depth 18  PID 1004  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FVkrhhUDhiLT.bat" "
depth 19  PID 908   chcp 65001
depth 19  PID 3112  ping -n 10 localhost
depth 19  PID 4940  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
          signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken
depth 20  PID 380   schtasks
depth 20  PID 1456  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L2f7q6HI3axY.bat" "
depth 21  PID 3732  chcp 65001
depth 21  PID 4724  ping -n 10 localhost
depth 21  PID 4728  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
          signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken
depth 22  PID 4488  schtasks
depth 22  PID 2028  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGmM1VklnZrj.bat" "
depth 23  PID 4524  chcp 65001
depth 23  PID 1532  ping -n 10 localhost
depth 23  PID 1404  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
          signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken
depth 24  PID 4324  schtasks
depth 24  PID 1064  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mVFY5wwmx5cI.bat" "
depth 25  PID 3836  chcp 65001
depth 25  PID 1968  ping -n 10 localhost
depth 25  PID 1252  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
          signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken
depth 26  PID 4588  schtasks
depth 26  PID 5028  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qZnlXNqcGTEu.bat" "
depth 27  PID 5012  chcp 65001
depth 27  PID 1464  ping -n 10 localhost
depth 27  PID 1328  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
          signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
depth 28  PID 4968  schtasks
depth 28  PID 2076  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lrzNvp7xhyop.bat" "
depth 29  PID 4332  chcp 65001
depth 29  PID 3396  ping -n 10 localhost
depth 29  PID 2236  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
          signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken
depth 30  PID 868   schtasks
depth 30  PID 3136  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2WoD9pXw45TM.bat" "
depth 31  PID 4056  chcp 65001
depth 31  PID 524   ping -n 10 localhost
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe.log (Filesize: 2KB)