Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-12-2024 02:49

Behavioral task: behavioral1
- Sample: 841f178c15802a89ad903f05c5148bca7ef49efd9113d636cad35067be4a4164.exe
- Resource: win7-20240903-en

Note: the signature hits and process tree reproduced on this page come from the behavioral2 run on the win10v2004 image (the YARA resource paths below are prefixed behavioral2/), not from the win7 task listed above.
General
- Target: 841f178c15802a89ad903f05c5148bca7ef49efd9113d636cad35067be4a4164.exe
- Size: 3.1MB
- MD5: 1d5b1579c6cf546964a067edf15d75e6
- SHA1: 1d3e8bb39c7ad10f864efe0adfe8c4028a6fa332
- SHA256: 841f178c15802a89ad903f05c5148bca7ef49efd9113d636cad35067be4a4164
- SHA512: 6e9d6228928775787a4d25c1a82d36b68bb082c04cb08afb2abe93aff4d54fb25d0e216a5eb7bc11f260bfe3191259f61261556620895b5fc96e76438e354f02
- SSDEEP: 49152:6v+I22SsaNYfdPBldt698dBcjH7OmumzRfoGdRTHHB72eh2NT:6vz22SsaNYfdPBldt6+dBcjH7Oml
Malware Config
Extracted
- family: quasar
- version: 1.4.1
- tag (botnet id): Office04
- c2: suport24.ddns.net:4782
- mutex: b4ad83f8-b608-477d-8395-2274bcaab6d1
- encryption_key: 62EF51244AF3535A6A9C77206CD89D5BFECD7E4E
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000 (milliseconds)
- startup_key: Quasar Client Startup
- subdirectory: SubDir

The install path seen in the process tree, C:\Users\Admin\AppData\Roaming\SubDir\Client.exe, is %APPDATA%\<subdirectory>\<install_name> from this config. The C2 is a dynamic-DNS name on Quasar's default listener port 4782, so the hostname, not any single resolved IP, is the durable network indicator.
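The extracted configuration gives a practitioner three durable indicators: the DDNS C2 name and port, the install path (%APPDATA%\SubDir\Client.exe, exactly where the process tree on this page shows Client.exe running), and the Run-key value name. The Python below is an added example, not part of the sandbox report and not Quasar code; it derives those indicators from the config values copied from this page and scores a handful of constructed, space-free key=value telemetry lines that stand in for normalised Sysmon DNS-query (event 22) and network-connection (event 3) records. A port-only match is deliberately rated low, because 4782 is merely Quasar's default listener port, while a DDNS host can move to any IP, so the DNS name is the indicator to key on.

```python
"""Derive indicators from this report's Quasar config and match telemetry.

Added example, not part of the sandbox report and not Quasar code. Config
values are copied from the report's "Malware Config" section; every telemetry
line is constructed for illustration.
"""
import re

# From the report's Malware Config section.
QUASAR_CONFIG = {
    "c2": "suport24.ddns.net:4782",
    "subdirectory": "SubDir",
    "install_name": "Client.exe",
    "startup_key": "Quasar Client Startup",
}


def iocs_from_config(cfg):
    """Turn the config fields into matchable indicators."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        # %APPDATA%\<subdirectory>\<install_name>: the report's process tree
        # shows exactly C:\Users\Admin\AppData\Roaming\SubDir\Client.exe.
        "install_path_suffix": (
            "\\appdata\\roaming\\" + cfg["subdirectory"] + "\\" + cfg["install_name"]
        ).lower(),
        # Value name Quasar writes under the Run key when its startup option is on
        # (not observed in this run, so it is a hunt target, not a confirmed IoC).
        "run_value_name": cfg["startup_key"],
    }


_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse a constructed 'key=value key=value' line (values contain no spaces)."""
    return dict(_KV.findall(line))


def classify(ev, ioc):
    """Return (severity, reason) for one event, or None when nothing matches."""
    image = ev.get("image", "").lower()
    from_install = image.endswith(ioc["install_path_suffix"])
    if ev.get("type") == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        if q == ioc["c2_host"] or q.endswith("." + ioc["c2_host"]):
            return ("high", "DNS query for configured C2 host " + q)
    elif ev.get("type") == "conn":
        if int(ev.get("dport", 0)) == ioc["c2_port"]:
            if from_install:
                return ("high", "connection to Quasar port from the configured install path")
            # 4782 is only Quasar's default port; plenty of benign software could use it.
            return ("low", "connection to Quasar default port 4782 only; weak on its own")
    if from_install:
        return ("medium", "activity from the configured install path " + image)
    return None


def scan(lines, cfg=QUASAR_CONFIG):
    """Classify every line; returns [(line_index, severity, reason), ...]."""
    ioc = iocs_from_config(cfg)
    hits = []
    for i, line in enumerate(lines):
        hit = classify(parse_event(line), ioc)
        if hit:
            hits.append((i, hit[0], hit[1]))
    return hits


# Constructed sample telemetry (not from the report); paths kept space-free so
# the simple key=value parser above suffices. Addresses are documentation ranges.
SAMPLE_EVENTS = [
    "type=dns image=C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe query=suport24.ddns.net",
    "type=dns image=C:\\Windows\\System32\\svchost.exe query=ctldl.windowsupdate.com",
    "type=conn image=C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe dst=203.0.113.10 dport=4782",
    "type=conn image=C:\\Tools\\ssh.exe dst=198.51.100.7 dport=4782",
    "type=conn image=C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe dst=198.51.100.9 dport=443",
    "type=conn image=C:\\Windows\\System32\\svchost.exe dst=198.51.100.9 dport=443",
]

if __name__ == "__main__":
    for idx, sev, why in scan(SAMPLE_EVENTS):
        print(f"[{sev:6}] event {idx}: {why}")
```

Run as a script it prints four hits out of the six constructed lines: the C2 DNS lookup and the port-4782 connection from the install path rate high, the Client.exe connection to 443 rates medium on the path alone, and the unrelated tool talking to port 4782 rates low.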
Signatures

Quasar family

Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/1744-1-0x0000000000720000-0x0000000000A44000-memory.dmp | family_quasar
  behavioral2/files/0x000a000000023b7a-6.dat | family_quasar
  The memory hit is a 0x324000-byte region inside the submitted sample's own process (PID 1744), consistent with the 3.1MB image being mapped; the second hit is a file written during the run.

Checks computer location settings (2 TTPs, 15 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation, by Client.exe (one query per Client.exe instance, 15 in total).
  Caveat: this is the value the Win32 GetUserGeoID API (and .NET's RegionInfo on top of it) returns, so the read on its own shows that the client collected the user's region, not that execution is gated on it.

Executes dropped EXE (15 IoCs)
  Client.exe PIDs: 4468, 1960, 2840, 1920, 4880, 3340, 3388, 1796, 3684, 2984, 2256, 2636, 3284, 3084, 2460

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PING.EXE PIDs: 3852, 1036, 3928, 2712, 4676, 3424, 560, 916, 3360, 752, 4228, 2336, 4480, 3104, 2028
  Caveat: every one of these is `ping -n 10 localhost` launched from a %TEMP% batch file (see the process tree), i.e. a roughly nine-second sleep in Quasar's restart script, not a connectivity check; the ATT&CK mapping is a by-product of the ping.exe heuristic.

Runs ping.exe (1 TTP, 15 IoCs)
  PING.EXE PIDs: 4228, 2712, 3424, 3852, 752, 2336, 3104, 3928, 2028, 3360, 4676, 560, 916, 1036, 4480

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeDebugPrivilege, by 841f178c15802a89ad903f05c5148bca7ef49efd9113d636cad35067be4a4164.exe (PID 1744) and by Client.exe PIDs 4468, 1960, 2840, 1920, 4880, 3340, 3388, 1796, 3684, 2984, 2256, 2636, 3284, 3084, 2460

Suspicious use of FindShellTrayWindow (15 IoCs)
  Client.exe PIDs: 4468, 1960, 2840, 1920, 4880, 3340, 3388, 1796, 3684, 2984, 2256, 2636, 3284, 3084, 2460

Suspicious use of SendNotifyMessage (15 IoCs)
  Client.exe PIDs: 4468, 1960, 2840, 1920, 4880, 3340, 3388, 1796, 3684, 2984, 2256, 2636, 3284, 3084, 2460

Suspicious use of WriteProcessMemory (64 IoCs)
  Each parent-to-child write is recorded twice in the source; shown once here. The listing stops at 64 entries, so it covers only the first eight relaunch cycles; the process tree below shows the remainder.
  source PID | source image | target PID | procid_target
  1744 | 841f178c15802a89ad903f05c5148bca7ef49efd9113d636cad35067be4a4164.exe | 4468 | 83
  4468 | Client.exe | 4220 | 84
  4220 | cmd.exe | 2576 | 86
  4220 | cmd.exe | 4228 | 87
  4220 | cmd.exe | 1960 | 95
  1960 | Client.exe | 1824 | 97
  1824 | cmd.exe | 4924 | 100
  1824 | cmd.exe | 2712 | 101
  1824 | cmd.exe | 2840 | 107
  2840 | Client.exe | 4696 | 109
  4696 | cmd.exe | 3052 | 111
  4696 | cmd.exe | 4676 | 112
  4696 | cmd.exe | 1920 | 116
  1920 | Client.exe | 4588 | 118
  4588 | cmd.exe | 4968 | 120
  4588 | cmd.exe | 3928 | 121
  4588 | cmd.exe | 4880 | 123
  4880 | Client.exe | 3396 | 125
  3396 | cmd.exe | 1600 | 127
  3396 | cmd.exe | 3424 | 128
  3396 | cmd.exe | 3340 | 130
  3340 | Client.exe | 3596 | 131
  3596 | cmd.exe | 2636 | 134
  3596 | cmd.exe | 560 | 135
  3596 | cmd.exe | 3388 | 137
  3388 | Client.exe | 2120 | 139
  2120 | cmd.exe | 4344 | 141
  2120 | cmd.exe | 2028 | 142
  2120 | cmd.exe | 1796 | 143
  1796 | Client.exe | 2432 | 145
  2432 | cmd.exe | 2908 | 147
  2432 | cmd.exe | 3852 | 148
Processes

The leading number is the depth in the process tree. Tags: [G] Checks computer location settings; [D] Executes dropped EXE; [A] Suspicious use of AdjustPrivilegeToken; [T] Suspicious use of FindShellTrayWindow; [N] Suspicious use of SendNotifyMessage; [W] Suspicious use of WriteProcessMemory; [P] System Network Configuration Discovery: Internet Connection Discovery, Runs ping.exe. Client.exe is always C:\Users\Admin\AppData\Roaming\SubDir\Client.exe launched as "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"; cmd.exe, chcp.com and PING.EXE live in C:\Windows\system32; %TEMP% stands for C:\Users\Admin\AppData\Local\Temp. The [W] tag disappears from PID 3684 onward because that signature's IoC list is capped at 64 entries, not because the behaviour changed.

 1 C:\Users\Admin\AppData\Local\Temp\841f178c15802a89ad903f05c5148bca7ef49efd9113d636cad35067be4a4164.exe  "C:\Users\Admin\AppData\Local\Temp\841f178c15802a89ad903f05c5148bca7ef49efd9113d636cad35067be4a4164.exe"  PID 1744  [A W]
 2 Client.exe  PID 4468  [G D A T N W]
 3 cmd.exe /c ""%TEMP%\5hx78oCX29J1.bat" "  PID 4220  [W]
 4 chcp.com  chcp 65001  PID 2576
 4 PING.EXE  ping -n 10 localhost  PID 4228  [P]
 4 Client.exe  PID 1960  [G D A T N W]
 5 cmd.exe /c ""%TEMP%\QZaLmasdcoiS.bat" "  PID 1824  [W]
 6 chcp.com  chcp 65001  PID 4924
 6 PING.EXE  ping -n 10 localhost  PID 2712  [P]
 6 Client.exe  PID 2840  [G D A T N W]
 7 cmd.exe /c ""%TEMP%\vY7aYNqQGpFz.bat" "  PID 4696  [W]
 8 chcp.com  chcp 65001  PID 3052
 8 PING.EXE  ping -n 10 localhost  PID 4676  [P]
 8 Client.exe  PID 1920  [G D A T N W]
 9 cmd.exe /c ""%TEMP%\UUoXmXMwBeuX.bat" "  PID 4588  [W]
10 chcp.com  chcp 65001  PID 4968
10 PING.EXE  ping -n 10 localhost  PID 3928  [P]
10 Client.exe  PID 4880  [G D A T N W]
11 cmd.exe /c ""%TEMP%\OgMYDBnqD3d4.bat" "  PID 3396  [W]
12 chcp.com  chcp 65001  PID 1600
12 PING.EXE  ping -n 10 localhost  PID 3424  [P]
12 Client.exe  PID 3340  [G D A T N W]
13 cmd.exe /c ""%TEMP%\1NvwTHIFtM9i.bat" "  PID 3596  [W]
14 chcp.com  chcp 65001  PID 2636
14 PING.EXE  ping -n 10 localhost  PID 560  [P]
14 Client.exe  PID 3388  [G D A T N W]
15 cmd.exe /c ""%TEMP%\lWQVhIFrxIfu.bat" "  PID 2120  [W]
16 chcp.com  chcp 65001  PID 4344
16 PING.EXE  ping -n 10 localhost  PID 2028  [P]
16 Client.exe  PID 1796  [G D A T N W]
17 cmd.exe /c ""%TEMP%\3tXupG0hSZxy.bat" "  PID 2432  [W]
18 chcp.com  chcp 65001  PID 2908
18 PING.EXE  ping -n 10 localhost  PID 3852  [P]
18 Client.exe  PID 3684  [G D A T N]
19 cmd.exe /c ""%TEMP%\Gae396GpKSrt.bat" "  PID 3848
20 chcp.com  chcp 65001  PID 4276
20 PING.EXE  ping -n 10 localhost  PID 916  [P]
20 Client.exe  PID 2984  [G D A T N]
21 cmd.exe /c ""%TEMP%\7HrJ1AK9pcsu.bat" "  PID 3940
22 chcp.com  chcp 65001  PID 64
22 PING.EXE  ping -n 10 localhost  PID 3360  [P]
22 Client.exe  PID 2256  [G D A T N]
23 cmd.exe /c ""%TEMP%\KsHczg3yrDk4.bat" "  PID 4960
24 chcp.com  chcp 65001  PID 4336
24 PING.EXE  ping -n 10 localhost  PID 1036  [P]
24 Client.exe  PID 2636  [G D A T N]
25 cmd.exe /c ""%TEMP%\U2HGfVYRUrhC.bat" "  PID 3900
26 chcp.com  chcp 65001  PID 3376
26 PING.EXE  ping -n 10 localhost  PID 752  [P]
26 Client.exe  PID 3284  [G D A T N]
27 cmd.exe /c ""%TEMP%\cazhKKfNaU5U.bat" "  PID 940
28 chcp.com  chcp 65001  PID 2120
28 PING.EXE  ping -n 10 localhost  PID 4480  [P]
28 Client.exe  PID 3084  [G D A T N]
29 cmd.exe /c ""%TEMP%\xgQZtL3REN4M.bat" "  PID 1588
30 chcp.com  chcp 65001  PID 1260
30 PING.EXE  ping -n 10 localhost  PID 2336  [P]
30 Client.exe  PID 2460  [G D A T N]
31 cmd.exe /c ""%TEMP%\Y2BDk7rqzcNm.bat" "  PID 116
32 chcp.com  chcp 65001  PID 4820
32 PING.EXE  ping -n 10 localhost  PID 3104  [P]

The tree is one loop repeated fifteen times in a 150-second run: each Client.exe launches a batch file from %TEMP%, the batch runs chcp 65001, sleeps roughly nine seconds with ping -n 10 localhost, and starts a new Client.exe from %APPDATA%\SubDir, which repeats the cycle. Note the PID reuse (2636 and 2120 each appear twice at different depths), so PIDs alone do not identify a generation.
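The tree above is the thing to detect: not chcp.com or ping.exe on their own, but a cmd.exe running a %TEMP%\*.bat whose children are chcp 65001, ping -n <count> localhost, and an executable launched from %APPDATA%. The Python below is an added example, not part of the sandbox report, that reconstructs parent/child relationships from Sysmon event-1 style process records and flags each cmd.exe matching that trio, reporting how many generations deep the relaunched copy is. The records are constructed: PIDs, image paths and batch names for the first two cycles are copied from the process tree on this page, the parent PID 1000 of the initial sample is invented (the report does not show it), and the benign setup.bat at the end is invented to show a script that uses the same chcp/ping prologue but relaunches nothing from AppData and so must not fire.

```python
"""Flag Quasar's restart chain (cmd.exe -> chcp 65001 + ping localhost + relaunch).

Added example, not part of the sandbox report. Process records are Sysmon
event-1 style dicts constructed for illustration; PIDs, paths and batch names
of the first two cycles are taken from the report's process tree, the rest is
invented and marked as such.
"""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\841f178c15802a89ad903f05c5148bca7ef49efd9113d636cad35067be4a4164.exe"
CLIENT = r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
CMD = r"C:\Windows\system32\cmd.exe"
CHCP = r"C:\Windows\system32\chcp.com"
PING = r"C:\Windows\system32\PING.EXE"


def _ev(pid, ppid, image, cmd):
    return {"pid": pid, "ppid": ppid, "image": image, "cmd": cmd}


def _bat(name):
    # Reproduces the report's command line: cmd.exe /c ""<TEMP>\<name>" "
    return CMD + ' /c ""' + TEMP + "\\" + name + '" "'


# Constructed records. ppid 1000 for the initial sample and PIDs 5000-5002
# (a benign installer script) are invented; everything else is from the report.
EVENTS = [
    _ev(1744, 1000, SAMPLE, '"' + SAMPLE + '"'),
    _ev(4468, 1744, CLIENT, '"' + CLIENT + '"'),
    _ev(4220, 4468, CMD, _bat("5hx78oCX29J1.bat")),
    _ev(2576, 4220, CHCP, "chcp 65001"),
    _ev(4228, 4220, PING, "ping -n 10 localhost"),
    _ev(1960, 4220, CLIENT, '"' + CLIENT + '"'),
    _ev(1824, 1960, CMD, _bat("QZaLmasdcoiS.bat")),
    _ev(4924, 1824, CHCP, "chcp 65001"),
    _ev(2712, 1824, PING, "ping -n 10 localhost"),
    _ev(2840, 1824, CLIENT, '"' + CLIENT + '"'),
    _ev(5000, 1000, CMD, _bat("setup.bat")),      # invented benign script
    _ev(5001, 5000, CHCP, "chcp 65001"),
    _ev(5002, 5000, PING, "ping -n 10 localhost"),
]

_BAT_FROM_TEMP = re.compile(r'\\AppData\\Local\\Temp\\[^"\\]+\.bat', re.IGNORECASE)
_PING_SLEEP = re.compile(r"-n\s+\d+\s+localhost", re.IGNORECASE)


def build_tree(events):
    """Index records by PID and by parent PID."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def generation(pid, by_pid):
    """Count ancestors (inclusive) with the same image: 1 means first launch."""
    img = by_pid[pid]["image"].lower()
    n, cur = 0, by_pid.get(pid)
    while cur is not None:                 # stops when the parent is unknown
        if cur["image"].lower() == img:
            n += 1
        cur = by_pid.get(cur["ppid"])
    return n


def find_restart_chains(events):
    """One finding per cmd.exe whose %TEMP% batch spawns chcp, ping-sleep and a relaunch."""
    by_pid, children = build_tree(events)
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        if not _BAT_FROM_TEMP.search(e["cmd"]):
            continue
        kids = children.get(e["pid"], [])
        has_chcp = any(k["image"].lower().endswith("\\chcp.com") and "65001" in k["cmd"] for k in kids)
        has_sleep = any(k["image"].lower().endswith("\\ping.exe") and _PING_SLEEP.search(k["cmd"]) for k in kids)
        relaunch = [k for k in kids
                    if "\\appdata\\roaming\\" in k["image"].lower() and k["image"].lower().endswith(".exe")]
        if has_chcp and has_sleep and relaunch:
            findings.append({
                "cmd_pid": e["pid"],
                "batch": _BAT_FROM_TEMP.search(e["cmd"]).group(0),
                "relaunched_pid": relaunch[0]["pid"],
                "relaunched": relaunch[0]["image"],
                "generation": generation(relaunch[0]["pid"], by_pid),
            })
    return findings


if __name__ == "__main__":
    for f in find_restart_chains(EVENTS):
        print(f"cmd.exe {f['cmd_pid']} ran {f['batch']} and relaunched "
              f"{f['relaunched']} as PID {f['relaunched_pid']} (generation {f['generation']})")
```

The generation count is what turns a single hit into "this host has been looping for N cycles"; in production the rule would also join on the batch file write by Client.exe (Sysmon event 11), which this report's Downloads list exposes as fifteen 207-byte files, one per relaunch.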
Network
MITRE ATT&CK Enterprise v15
Downloads

Seventeen files were captured. The fifteen 207-byte files match the fifteen %TEMP%\*.bat scripts in the process tree in count and size; the final 3.1MB entry carries the same hashes as the submitted sample, so the dropped Client.exe is a byte-identical copy of it.

File 1
- Filesize: 2KB
- MD5: 8f0271a63446aef01cf2bfc7b7c7976b
- SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
- SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
- SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

File 2
- Filesize: 207B
- MD5: f8ed01d3427c5a62786a0fc49d4dde27
- SHA1: 6eb8e3a214facb2b3ffd291cd21831b459653af9
- SHA256: 5667e9df8567b9066c410900f6e3c20ee67601f377d79a74350357aee0aa5d25
- SHA512: 1c7579d8efe4c0ddc8348d12d64a5843b64e5aa0bf3296b7b29aef5890e20063a1dda77604e028259116b31d8d534a96e5c0f90cfb1be2be47bd1f938301aec6

File 3
- Filesize: 207B
- MD5: 2d36bfd1670cced7ab5a36981dc14504
- SHA1: 38701bc3004162b685510a954245467fb2b7251a
- SHA256: 366bae3b7c63826480c8859935d65e25232139db6856856e99576f6d03b5e499
- SHA512: 6c40311ba44bdda23d2f5b7990f48ae63ba6a2871902acfa87129f353f82cdf6e5e795b99ec07bb3e1ea7ac03cc7d491b348cb28597b07ab3969a6629c796774

File 4
- Filesize: 207B
- MD5: b62f6da76d2434f66f21a3afb4678064
- SHA1: 44dacdf1bd52fe74160dc2cd7e4256fc5543b0cf
- SHA256: 74cbc9a56cc2d78de2d16c3eea651be876bcf3fc90542d3a7cd98e552183ca52
- SHA512: 86f7f25b60f85d3e83a16c24613cf0980add24a2dc575fcd43b81d6bcea98e236ca69f0a217bfb3401450b9f5d37e3f69885a043ded7d9ceb69d7e74277583a4

File 5
- Filesize: 207B
- MD5: b488dfe35de286be06520a0d789225be
- SHA1: aad07e2094ce6ff0aefa7e42f3033593b48218f8
- SHA256: db3361fe7af83b8d9326b602301b6d3f682851b13525e3f7ca3c5b359776b6c9
- SHA512: 862f1934c7c576982867588de942754f59af9422c0cf0d9fd04777dcc9fb3902dbe1d6466362dc45bef950d564e33b4337ae76c13faefe758d2dbd3ed7dcc943

File 6
- Filesize: 207B
- MD5: 2efec1d3d55701311f87970323381bdc
- SHA1: b259dd2b59f981424b6bce401e4b9b08c5a1292b
- SHA256: 529648518916bc1cea611cda77a0c4fdfdc854a52203b6dfc3df3770ab6e296f
- SHA512: eba3e3cd497b5b550f246c3d2c07f0e0f0f42d7c53b522b9a72aa23e94032a24d4d56bb8041c9640e184ba8dcb6256999459d84f07e66029a820c6bb43c6d656

File 7
- Filesize: 207B
- MD5: 3d995f5528e6f927fe39fc61a82eb921
- SHA1: 80ba2e00203d61bb055336e874fea4dba0116c93
- SHA256: 373f29650c70fe8637da60cc626e8419b9250c9dcd493e7dec590b72757d725b
- SHA512: b4b876347b07f75cfbb33032e15e2b18b99d16b4536ddafadd93c49164c0f4d68ea02337f9ced413ed633f62303074e439329b921e26cdda604286bb55f34d45

File 8
- Filesize: 207B
- MD5: 255fdaf7eec2214dd8fb7f8776d142bc
- SHA1: 450f5118e8f6d0fbad4555b2fbae0963f4caca64
- SHA256: 44e8b0c96e1544400b659c40a8bfc90656ea5173401fe650bfcb36b508efbd38
- SHA512: c557e87733a35cb0ccc6cba0f43961884f09f8eb669edb3b1431c871e6bf2ac459b176b424b96b489fe602443dd60eba6af21493dfccb852c59d761ff712f1fb

File 9
- Filesize: 207B
- MD5: f61c50ced149556fce761e77d4afe19f
- SHA1: 6305f48acf15ae503d66219fbccc52fc0edf7d33
- SHA256: c3c30b96f374dda89b9f644e6ac23d13388a3f6e3317979f542d16c6035ab897
- SHA512: 0fa86b159ad374b747d6079d13ddb29cc0472458d20a066f315781e6cc71a864ae460876e11cb814d45ec42a2a51e1fcbbdcee15eca8333091e47d6e74e291ef

File 10
- Filesize: 207B
- MD5: bf2f0e626eb495568995b11adcac0fd8
- SHA1: f37eb3ba1a519e6b2e78752ca40f9269fb74624e
- SHA256: e690ce9f13596bd5aaffa929122acd3af43258ee7f08f94a302e6f03e6f3984e
- SHA512: e0609360a69b2a4b3490a3ab826864fed519acb5adb80691bbda93cfa4ef3175ecccf6e84f795143e46ba6eb975530ac3ff15115adb76a0901c1073f49476950

File 11
- Filesize: 207B
- MD5: fc8821aaae1d1c6f5ce6108b9e043fc6
- SHA1: 7ab11964a1e07c32614397082d1cde4c54d48a3a
- SHA256: 6e5c0f225c733aad7297d61f2f2a02018f16408596c3e640cf3263309eb424e1
- SHA512: 66844ad4449768678e9ff2ffbdd561d42b7887da686a10573fcb4bbfdeef53dce50a8aba47700bfbc85a37b0b8014758374d96481db82e171b71c1baa4a20761

File 12
- Filesize: 207B
- MD5: f45030db9ca72687e7640d60fd21d651
- SHA1: 7aa7bd88ad419848b975dd5f4580dabc338f2db3
- SHA256: d23ba523e49cc2b40cbfb3d0e6b005408456bcb18ebc4913437b05f406253393
- SHA512: 3bc0359c68723bf84ca2f2f8965420a142159341041b283d3b1970342ab14cfb942dc9660bcc2d53b56e99995f0af2b705484e969ef923dad833a3182211e066

File 13
- Filesize: 207B
- MD5: 4c530ae24942354190965d0c451c2b8b
- SHA1: 4a97c2f15910b1659059c1deaa570be950febff4
- SHA256: c54af4b41556a5af63dc13741ec4e79ecbe44eebec23ff13b4c2d5b37d77bf1c
- SHA512: 8d409da672900b016f124710bde948af008e96d5918685ecab7a22f5eb20d3dbce9ef0a8959bbfd872de7186f05e6d82f52c8c29d0d6e2ef6dd4daeaeff1964f

File 14
- Filesize: 207B
- MD5: 233fc869c45c97468ec16d1616e0e4b5
- SHA1: bb23cb03107ab14937b635f91c20c2294d42811f
- SHA256: 9a6d7f3984aec4055b277dccef206a026f2ba808cb79593e6e6470fd87519a97
- SHA512: 562285f336caf0719f1f7cc6a3137d7cb8f7463b511a2bb6be5f31f586077de7ead5a2fbac88761abbbeb9b55d94ab3dda82a3651ea4c64b2d786cc24c8f7a54

File 15
- Filesize: 207B
- MD5: 2dd194adcf57adf2855525198cf0282e
- SHA1: ce89951eb56dcc1ee74a893f3bc2ee87377dc2a9
- SHA256: f63d772397253b6de592d24db95bcb87c1fc2c86cf17b872818dc1699373ffbd
- SHA512: 705fafb610f010574439d36306944e60738aef77fd2fff29c4424e5e546b47f852208f150ea3b76621338320fde576bd3a154ab714a2a2494ad39ead6832640f

File 16
- Filesize: 207B
- MD5: bec7e11a0fbb724001ce273ccf67d3c0
- SHA1: 635862ff8ca77513e94515b01fcec2fb9e795071
- SHA256: faf1dc13642e5a44c0847e4f958be595833af139ae0c77164b48f8ca74df0873
- SHA512: 5305cd81d1d0dd903734f66548524bf3bddd3153cbd9f80fad52f08a77266f36ce0e923c71d9a72f4d755537bcacaebeeb86d89b59d3d9acc2d776a0ded199b1

File 17 (same hashes as the submitted sample)
- Filesize: 3.1MB
- MD5: 1d5b1579c6cf546964a067edf15d75e6
- SHA1: 1d3e8bb39c7ad10f864efe0adfe8c4028a6fa332
- SHA256: 841f178c15802a89ad903f05c5148bca7ef49efd9113d636cad35067be4a4164
- SHA512: 6e9d6228928775787a4d25c1a82d36b68bb082c04cb08afb2abe93aff4d54fb25d0e216a5eb7bc11f260bfe3191259f61261556620895b5fc96e76438e354f02