Analysis
-
max time kernel
148s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
18-12-2024 02:55
Behavioral task
behavioral1
Sample
841f178c15802a89ad903f05c5148bca7ef49efd9113d636cad35067be4a4164.exe
Resource
win7-20240903-en
General
-
Target
841f178c15802a89ad903f05c5148bca7ef49efd9113d636cad35067be4a4164.exe
-
Size
3.1MB
-
MD5
1d5b1579c6cf546964a067edf15d75e6
-
SHA1
1d3e8bb39c7ad10f864efe0adfe8c4028a6fa332
-
SHA256
841f178c15802a89ad903f05c5148bca7ef49efd9113d636cad35067be4a4164
-
SHA512
6e9d6228928775787a4d25c1a82d36b68bb082c04cb08afb2abe93aff4d54fb25d0e216a5eb7bc11f260bfe3191259f61261556620895b5fc96e76438e354f02
-
SSDEEP
49152:6v+I22SsaNYfdPBldt698dBcjH7OmumzRfoGdRTHHB72eh2NT:6vz22SsaNYfdPBldt6+dBcjH7Oml
Malware Config
Extracted
quasar
1.4.1
Office04
suport24.ddns.net:4782
b4ad83f8-b608-477d-8395-2274bcaab6d1
-
encryption_key
62EF51244AF3535A6A9C77206CD89D5BFECD7E4E
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
resource yara_rule
behavioral2/memory/3432-1-0x0000000000F80000-0x00000000012A4000-memory.dmp family_quasar
behavioral2/files/0x0007000000023cbe-5.dat family_quasar
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation Client.exe
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation Client.exe
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation Client.exe
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation Client.exe
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation Client.exe
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation Client.exe
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation Client.exe
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation Client.exe
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation Client.exe
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation Client.exe
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation Client.exe
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation Client.exe
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation Client.exe
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation Client.exe
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation Client.exe
-
Executes dropped EXE 15 IoCs
pid Process
2968 Client.exe
4100 Client.exe
2436 Client.exe
408 Client.exe
1292 Client.exe
2756 Client.exe
4076 Client.exe
4460 Client.exe
4820 Client.exe
264 Client.exe
4276 Client.exe
1768 Client.exe
3364 Client.exe
2136 Client.exe
4528 Client.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process
1944 PING.EXE
1884 PING.EXE
4016 PING.EXE
2220 PING.EXE
1104 PING.EXE
3492 PING.EXE
4564 PING.EXE
3192 PING.EXE
2132 PING.EXE
4748 PING.EXE
4004 PING.EXE
4080 PING.EXE
4176 PING.EXE
2312 PING.EXE
3940 PING.EXE
-
Runs ping.exe 1 TTPs 15 IoCs
pid Process
2312 PING.EXE
3492 PING.EXE
4564 PING.EXE
4016 PING.EXE
1884 PING.EXE
4080 PING.EXE
3192 PING.EXE
4176 PING.EXE
1944 PING.EXE
4004 PING.EXE
3940 PING.EXE
2220 PING.EXE
1104 PING.EXE
4748 PING.EXE
2132 PING.EXE
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process
Token: SeDebugPrivilege 3432 841f178c15802a89ad903f05c5148bca7ef49efd9113d636cad35067be4a4164.exe
Token: SeDebugPrivilege 2968 Client.exe
Token: SeDebugPrivilege 4100 Client.exe
Token: SeDebugPrivilege 2436 Client.exe
Token: SeDebugPrivilege 408 Client.exe
Token: SeDebugPrivilege 1292 Client.exe
Token: SeDebugPrivilege 2756 Client.exe
Token: SeDebugPrivilege 4076 Client.exe
Token: SeDebugPrivilege 4460 Client.exe
Token: SeDebugPrivilege 4820 Client.exe
Token: SeDebugPrivilege 264 Client.exe
Token: SeDebugPrivilege 4276 Client.exe
Token: SeDebugPrivilege 1768 Client.exe
Token: SeDebugPrivilege 3364 Client.exe
Token: SeDebugPrivilege 2136 Client.exe
Token: SeDebugPrivilege 4528 Client.exe
-
Suspicious use of FindShellTrayWindow 15 IoCs
pid Process
2968 Client.exe
4100 Client.exe
2436 Client.exe
408 Client.exe
1292 Client.exe
2756 Client.exe
4076 Client.exe
4460 Client.exe
4820 Client.exe
264 Client.exe
4276 Client.exe
1768 Client.exe
3364 Client.exe
2136 Client.exe
4528 Client.exe
-
Suspicious use of SendNotifyMessage 15 IoCs
pid Process
2968 Client.exe
4100 Client.exe
2436 Client.exe
408 Client.exe
1292 Client.exe
2756 Client.exe
4076 Client.exe
4460 Client.exe
4820 Client.exe
264 Client.exe
4276 Client.exe
1768 Client.exe
3364 Client.exe
2136 Client.exe
4528 Client.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3432 wrote to memory of 2968 3432 841f178c15802a89ad903f05c5148bca7ef49efd9113d636cad35067be4a4164.exe 83
PID 3432 wrote to memory of 2968 3432 841f178c15802a89ad903f05c5148bca7ef49efd9113d636cad35067be4a4164.exe 83
PID 2968 wrote to memory of 4232 2968 Client.exe 84
PID 2968 wrote to memory of 4232 2968 Client.exe 84
PID 4232 wrote to memory of 64 4232 cmd.exe 86
PID 4232 wrote to memory of 64 4232 cmd.exe 86
PID 4232 wrote to memory of 4080 4232 cmd.exe 87
PID 4232 wrote to memory of 4080 4232 cmd.exe 87
PID 4232 wrote to memory of 4100 4232 cmd.exe 96
PID 4232 wrote to memory of 4100 4232 cmd.exe 96
PID 4100 wrote to memory of 1232 4100 Client.exe 98
PID 4100 wrote to memory of 1232 4100 Client.exe 98
PID 1232 wrote to memory of 228 1232 cmd.exe 100
PID 1232 wrote to memory of 228 1232 cmd.exe 100
PID 1232 wrote to memory of 2220 1232 cmd.exe 101
PID 1232 wrote to memory of 2220 1232 cmd.exe 101
PID 1232 wrote to memory of 2436 1232 cmd.exe 109
PID 1232 wrote to memory of 2436 1232 cmd.exe 109
PID 2436 wrote to memory of 4892 2436 Client.exe 111
PID 2436 wrote to memory of 4892 2436 Client.exe 111
PID 4892 wrote to memory of 3800 4892 cmd.exe 113
PID 4892 wrote to memory of 3800 4892 cmd.exe 113
PID 4892 wrote to memory of 2312 4892 cmd.exe 114
PID 4892 wrote to memory of 2312 4892 cmd.exe 114
PID 4892 wrote to memory of 408 4892 cmd.exe 118
PID 4892 wrote to memory of 408 4892 cmd.exe 118
PID 408 wrote to memory of 4384 408 Client.exe 120
PID 408 wrote to memory of 4384 408 Client.exe 120
PID 4384 wrote to memory of 4400 4384 cmd.exe 122
PID 4384 wrote to memory of 4400 4384 cmd.exe 122
PID 4384 wrote to memory of 3192 4384 cmd.exe 123
PID 4384 wrote to memory of 3192 4384 cmd.exe 123
PID 4384 wrote to memory of 1292 4384 cmd.exe 125
PID 4384 wrote to memory of 1292 4384 cmd.exe 125
PID 1292 wrote to memory of 2772 1292 Client.exe 126
PID 1292 wrote to memory of 2772 1292 Client.exe 126
PID 2772 wrote to memory of 4116 2772 cmd.exe 129
PID 2772 wrote to memory of 4116 2772 cmd.exe 129
PID 2772 wrote to memory of 1104 2772 cmd.exe 130
PID 2772 wrote to memory of 1104 2772 cmd.exe 130
PID 2772 wrote to memory of 2756 2772 cmd.exe 131
PID 2772 wrote to memory of 2756 2772 cmd.exe 131
PID 2756 wrote to memory of 4984 2756 Client.exe 133
PID 2756 wrote to memory of 4984 2756 Client.exe 133
PID 4984 wrote to memory of 1308 4984 cmd.exe 135
PID 4984 wrote to memory of 1308 4984 cmd.exe 135
PID 4984 wrote to memory of 4176 4984 cmd.exe 136
PID 4984 wrote to memory of 4176 4984 cmd.exe 136
PID 4984 wrote to memory of 4076 4984 cmd.exe 138
PID 4984 wrote to memory of 4076 4984 cmd.exe 138
PID 4076 wrote to memory of 3512 4076 Client.exe 139
PID 4076 wrote to memory of 3512 4076 Client.exe 139
PID 3512 wrote to memory of 2572 3512 cmd.exe 142
PID 3512 wrote to memory of 2572 3512 cmd.exe 142
PID 3512 wrote to memory of 4748 3512 cmd.exe 143
PID 3512 wrote to memory of 4748 3512 cmd.exe 143
PID 3512 wrote to memory of 4460 3512 cmd.exe 145
PID 3512 wrote to memory of 4460 3512 cmd.exe 145
PID 4460 wrote to memory of 2576 4460 Client.exe 147
PID 4460 wrote to memory of 2576 4460 Client.exe 147
PID 2576 wrote to memory of 3800 2576 cmd.exe 149
PID 2576 wrote to memory of 3800 2576 cmd.exe 149
PID 2576 wrote to memory of 2132 2576 cmd.exe 150
PID 2576 wrote to memory of 2132 2576 cmd.exe 150
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\841f178c15802a89ad903f05c5148bca7ef49efd9113d636cad35067be4a4164.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\841f178c15802a89ad903f05c5148bca7ef49efd9113d636cad35067be4a4164.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3432
-
[depth 2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2968
-
[depth 3] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\56sH018jlbda.bat" "
- Suspicious use of WriteProcessMemory
PID:4232
-
[depth 4] C:\Windows\system32\chcp.com
Command line: chcp 65001
PID:64
-
[depth 4] C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4080
-
[depth 4] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4100
-
[depth 5] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9oykk03qrlgM.bat" "
- Suspicious use of WriteProcessMemory
PID:1232
-
[depth 6] C:\Windows\system32\chcp.com
Command line: chcp 65001
PID:228
-
[depth 6] C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2220
-
[depth 6] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2436
-
[depth 7] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OHQ059vkkMvu.bat" "
- Suspicious use of WriteProcessMemory
PID:4892
-
[depth 8] C:\Windows\system32\chcp.com
Command line: chcp 65001
PID:3800
-
[depth 8] C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2312
-
[depth 8] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:408
-
[depth 9] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOGAwDo8iAq0.bat" "
- Suspicious use of WriteProcessMemory
PID:4384
-
[depth 10] C:\Windows\system32\chcp.com
Command line: chcp 65001
PID:4400
-
[depth 10] C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3192
-
[depth 10] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1292
-
[depth 11] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4NBKETVqN58j.bat" "
- Suspicious use of WriteProcessMemory
PID:2772
-
[depth 12] C:\Windows\system32\chcp.com
Command line: chcp 65001
PID:4116
-
[depth 12] C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1104
-
[depth 12] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2756
-
[depth 13] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiKooHseX32P.bat" "
- Suspicious use of WriteProcessMemory
PID:4984
-
[depth 14] C:\Windows\system32\chcp.com
Command line: chcp 65001
PID:1308
-
[depth 14] C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4176
-
[depth 14] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4076
-
[depth 15] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HP8gln7w6DXi.bat" "
- Suspicious use of WriteProcessMemory
PID:3512
-
[depth 16] C:\Windows\system32\chcp.com
Command line: chcp 65001
PID:2572
-
[depth 16] C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4748
-
[depth 16] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4460
-
[depth 17] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zr5p2tuZFeUU.bat" "
- Suspicious use of WriteProcessMemory
PID:2576
-
[depth 18] C:\Windows\system32\chcp.com
Command line: chcp 65001
PID:3800
-
[depth 18] C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2132
-
[depth 18] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4820
-
[depth 19] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RJHDMTmBDl3e.bat" "
PID:4632
-
[depth 20] C:\Windows\system32\chcp.com
Command line: chcp 65001
PID:4588
-
[depth 20] C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1944
-
[depth 20] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:264
-
[depth 21] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkiBHHSqxinP.bat" "
PID:3192
-
[depth 22] C:\Windows\system32\chcp.com
Command line: chcp 65001
PID:2492
-
[depth 22] C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3492
-
[depth 22] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4276
-
[depth 23] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1e3klin9lIY6.bat" "
PID:2772
-
[depth 24] C:\Windows\system32\chcp.com
Command line: chcp 65001
PID:2396
-
[depth 24] C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4564
-
[depth 24] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1768
-
[depth 25] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZbMYmHE2ReyM.bat" "
PID:3096
-
[depth 26] C:\Windows\system32\chcp.com
Command line: chcp 65001
PID:4912
-
[depth 26] C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3940
-
[depth 26] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3364
-
[depth 27] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\79n2k4IylTFd.bat" "
PID:1016
-
[depth 28] C:\Windows\system32\chcp.com
Command line: chcp 65001
PID:2372
-
[depth 28] C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4004
-
[depth 28] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2136
-
[depth 29] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W9l3IpyTx52j.bat" "
PID:2788
-
[depth 30] C:\Windows\system32\chcp.com
Command line: chcp 65001
PID:2940
-
[depth 30] C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1884
-
[depth 30] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4528
-
[depth 31] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G5nPRRZ9SuaH.bat" "
PID:1548
-
[depth 32] C:\Windows\system32\chcp.com
Command line: chcp 65001
PID:2764
-
[depth 32] C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4016
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5
8f0271a63446aef01cf2bfc7b7c7976b
SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
-
Filesize
207B
MD5
023e7dfacb79b97e5b6b683c7dcc2d63
SHA1
744e09a4b2ac8cc3ba0e9df46ed34d941d4e8ed5
SHA256
4c7aa7a7ca02ffdcf658d81590dc8b847e80fa2f323ecd6a867915873d1c542b
SHA512
00de04fecfdba221b4ec0e2bbaeb4607196392393d21dc437cbcefc25672c8c841738608d8ba2bf4eb17f935853bf64608e9dbfc14d6e71a367cca280bab4484
-
Filesize
207B
MD5
29d5f94f38653b1c37da4824ddd5f93f
SHA1
4c2e2bb1efb32032b9af6ae4ae45b5676d6e49eb
SHA256
326b352c76bd631fba3f518b89cdbc837c693d05084ea45a6e989dd5ca01df4d
SHA512
9c27ebe567ec2d5242b6cacf0b70a0b35877cff5e06570ee6180c2e331f2b079b63f538a2cca307aad335b28d3cb406abb88257dd2219c92b8f54d2b63b3d28f
-
Filesize
207B
MD5
1a60c95d9a015e8790dff0760ddc4692
SHA1
46d1aae5f5e9dcc32c755af1210fb32ee3e51120
SHA256
7436d374a00877fffd07cae79536a13215bf397c75581636bda85a64a49c42eb
SHA512
a8c9045ca39b6020ba076e366d3fd0580e8dfecf1c954beb3d95bbc3badd8650e18858ce3b2aeb4aeda2d0cd7680063cf10e4a1bb1219ab94d0633cce7a8c36b
-
Filesize
207B
MD5
cd565ab3020adaeda6dfbb043b9d6720
SHA1
3d14203efcb3d3fb0670f585d9ac13604692754d
SHA256
26fee0ad4b2b6db2deb5c60ad3a9024ba15a26d7b29a45c4e5ea15b382b30c20
SHA512
b3dd86ac5e9906e7d98fadd0c19875a12ea6b3972aae73e06657733852ad5347a92c94f6911a292c4d12c35f0f039f5d2a21bd428662cf4b841d74912a2fbb2c
-
Filesize
207B
MD5
077925eebedd20630f9764a407aa14fd
SHA1
ea958de7c98a1335aa83853bddcac6d133da3447
SHA256
75ac8564f095bfece66ac86c91365369a737aff14f0444a33f6f72cdfb7ab2bc
SHA512
9f7bcbb4de0dfd5759cc4df24c37512f627ecee813ffb8eb805997ddfd25a3c5bec316020e51cf38142616af68a10120c10ee90f98afe2265ecdff75a98c501f
-
Filesize
207B
MD5
414eefad6743034c2324db67612e8d0a
SHA1
b827457c0cb59cf13c49c238a8fc8cba5f603322
SHA256
d1d6fc50376419c51828e0d55f87bf3809989b5a5165f4b218a135a6f4bc7fc9
SHA512
81b1473aee1dd11faa25ce005492a10c58e14e12e61f0911ec1312a0ac2239d33276cd35d763781d6907476ad1aea46b3bc6cd597ed9bed065b69ceb10117cbf
-
Filesize
207B
MD5
2530524f5ce8953fac84cf6246862b68
SHA1
39e7729aa38e546b009fd1bb9338f65c1693695e
SHA256
997d267665c3d443ea6a862af63dc55d387ae711e0ae2ecbccd983bdbee874a7
SHA512
b473f2e6e88ee6da1eafccceb10f98195b6329be949d19c31ee8d864baeb94ea7f7c6aa032d93ba5f84b4ccf6d48756c6d62950980feb85606219f2b5ecc9cd4
-
Filesize
207B
MD5
17b7329ab4d8dcb0022a3f0952789112
SHA1
6616fd58fb63f55c026d1a52a226f6cf48b32729
SHA256
c9d117bda239bed089fa0acb23f428b21729d227195564ba507ed8479bc06ea8
SHA512
eb05bd555488c830a00a136319c2e6aa0ea32fcce0673ecbaccd23e995451fa0a442f0c7c56278bcd7be6278c9bec514ff82ba8a67b939b90cdaf002b4c9347b
-
Filesize
207B
MD5
b83b1ff9be4d1e339a878e479a30300f
SHA1
1389aa06903543577e8d1b51687e11e81312b749
SHA256
dc18d8a5a22ef395a9389b5c687593a616ae5730c55ebb282a4bda35b75b6deb
SHA512
f57b1d4003f514b527db1432a4704f93027b8cded89651e48ba470735cd9797deae459b84dfe59cba2bfd8b205bc5343390a854177ff45ff1d8522fc5a3f65f2
-
Filesize
207B
MD5
c7ece86891b007e7cd70bd22e292d80e
SHA1
9d1001c24b5cbd3f812e44c60052020ded202cdb
SHA256
dba81c11f6b43d787d66357a964fd6bf23fac8b7cccb88dc2f3fc915414f8b97
SHA512
f8de84a08678aef0b7bde30a21df0c7d243ae1deb9f80fa8d108b95d6cd85afe494515b54dcc839ca22d27395cb484e7da2959dfb75de7f22043e8eec3951871
-
Filesize
207B
MD5
2ee2a4d07c355d27349ba45d0429b82c
SHA1
2ba66304286949054c2c3440b4f093c01755330c
SHA256
c918180429983845a1d1a03eea49003356c966a4bef813a311bc2e6c969215a2
SHA512
4b607dac84647842c3425352e3eb5476516e58b7b522ea049c4af832133d895edce4736a14f620f965a35a25ef868b60001e64c22b07306d9e0efbc5d60f7af6
-
Filesize
207B
MD5
602af7e9b2146c796abeb17b25dc16e3
SHA1
d7e2153bb1f1778aa02ad39170cd10d41ead81ea
SHA256
6b64161e9beab1ad1a9647c2914c2e37143e8df91183ccacf052facb590e61e5
SHA512
a3f9c90faf1a1f69e1d1e5b085e7c23f72f9b796d3fa0f1e863173a6afbb6cfd21d5877b0de153d965a8edd836fc956b6a5b7451b864e41cc6a64dc8afaa474e
-
Filesize
207B
MD5
52bc3a9358ced5c695030ff9fc293c20
SHA1
16d56ab43e4764c17bf905343df99e20af6d3d95
SHA256
6a797b5878503ec8a2b353d82460e88708ddd3a0645bb66835f517a2fedb5003
SHA512
9a9f101eb2e943f88d59f0ad9fe9511774df17f15e23d8f63013245ec77cbd39081bfcd32b29f482235c70ccd5fd38a765c2f98ed42ca0e18c18e594ae4eb232
-
Filesize
207B
MD5
b28506ab3ae4d2d2df545f665da59f0a
SHA1
a3bd4a7f10bc0f335015b4e24a32d55f78b06db4
SHA256
03c0dbdcaedc9ffe9e2fe502aef0c7984be7d57a9989baa8a8a8c03359b149bd
SHA512
cfa55a0db487e3d1a0f0ec7218989262aa26ceb8f8f33ef52312719f217e0f2f6c07a1dd24bd4a628dcdbc9e1cdfdc4d5f05cb3101121326ed6471f20871ab81
-
Filesize
207B
MD5
5a3109f3a97bfa6511efeb5f3033da7e
SHA1
cdd5e4bbeb33b8388114f6a51755d13b5fc5b543
SHA256
f147d15567eb6c410227f370302c6f1f1f773011b3a0d3a50c9d9dae3c9d3a7a
SHA512
3ccdb5fa8f3e47b1b62d3beea943c83a7a2be6d0d1691e828ab502ec70db18b0eb1072990360019f06ab3fc0bbcc7737819a2917fd825eb564559494918eadf5
-
Filesize
3.1MB
MD5
1d5b1579c6cf546964a067edf15d75e6
SHA1
1d3e8bb39c7ad10f864efe0adfe8c4028a6fa332
SHA256
841f178c15802a89ad903f05c5148bca7ef49efd9113d636cad35067be4a4164
SHA512
6e9d6228928775787a4d25c1a82d36b68bb082c04cb08afb2abe93aff4d54fb25d0e216a5eb7bc11f260bfe3191259f61261556620895b5fc96e76438e354f02