Analysis
max time kernel: 143s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 06:26

Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win7-20240903-en
General
Target: Client-built.exe
Size: 3.1MB
MD5: 82222cff36f2c338159b23a7f18a4815
SHA1: 8beccbb99e38248a080d5de1de8d87617ca428c2
SHA256: 033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea
SHA512: ed1a66e9d925291b14131b129e28e02494d6a174b3abde8d724d35a502f805ef472e5a780d37ce0ed2548a5f7071afbccbbd769ff938e04458d7eb409371ef55
SSDEEP: 49152:qUd1/DM2zv8aMlqCPwln5+Hjdh+EuvQ1VeiroGnGTHHB72eh2NTe:qUPrM2zEaMlqCPwln5+Ddh+Zvus
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: rat1
C2: unitedrat.ddns.net:4782
Mutex: 5100ab61-a5a5-407f-af55-9e7766b9d637
encryption_key: AB7A97D9E0F9B0A44190A0D500EAB7AF37629802
install_name: System32.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: System32
subdirectory: System32
Signatures

Quasar family

Quasar payload (9 IoCs)
resource -> yara_rule
behavioral1/memory/2552-1-0x00000000001F0000-0x0000000000514000-memory.dmp -> family_quasar
behavioral1/files/0x0008000000015cd0-5.dat -> family_quasar
behavioral1/memory/2412-8-0x00000000010A0000-0x00000000013C4000-memory.dmp -> family_quasar
behavioral1/memory/2856-32-0x0000000001320000-0x0000000001644000-memory.dmp -> family_quasar
behavioral1/memory/1432-53-0x00000000002F0000-0x0000000000614000-memory.dmp -> family_quasar
behavioral1/memory/352-64-0x0000000001340000-0x0000000001664000-memory.dmp -> family_quasar
behavioral1/memory/2248-105-0x0000000000290000-0x00000000005B4000-memory.dmp -> family_quasar
behavioral1/memory/2852-116-0x0000000000BE0000-0x0000000000F04000-memory.dmp -> family_quasar
behavioral1/memory/1076-127-0x00000000011D0000-0x00000000014F4000-memory.dmp -> family_quasar

Executes dropped EXE (15 IoCs)
Process System32.exe, pids: 2412, 2640, 2856, 296, 1432, 352, 1232, 2980, 2664, 2248, 2852, 1076, 944, 2284, 2056

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
Process PING.EXE, pids: 1528, 740, 2776, 1340, 2260, 2416, 2744, 2112, 2116, 1688, 1796, 2352, 2532, 2676, 1876

Runs ping.exe (1 TTP, 15 IoCs)
Process PING.EXE, pids: 2532, 1528, 2352, 2416, 1796, 2776, 2116, 1340, 2260, 1688, 2744, 2676, 740, 1876, 2112

Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process schtasks.exe, pids: 1716, 1992, 2980, 2104, 2764, 2740, 2348, 1820, 2316, 1388, 3052, 2664, 600, 1684, 2944, 2464

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Token: SeDebugPrivilege
Process Client-built.exe, pid: 2552
Process System32.exe, pids: 2412, 2640, 2856, 296, 1432, 352, 1232, 2980, 2664, 2248, 2852, 1076, 944, 2284, 2056

Suspicious use of SetWindowsHookEx (1 IoC)
Process System32.exe, pid: 2412

Suspicious use of WriteProcessMemory (64 IoCs)
Each write event appears three times in the raw table, which is capped at 64 rows; the distinct events are:
PID 2552 Client-built.exe wrote to memory of 1992 (procid_target 30)
PID 2552 Client-built.exe wrote to memory of 2412 (procid_target 32)
PID 2412 System32.exe wrote to memory of 2980 (procid_target 33)
PID 2412 System32.exe wrote to memory of 2816 (procid_target 35)
PID 2816 cmd.exe wrote to memory of 2820 (procid_target 37)
PID 2816 cmd.exe wrote to memory of 2776 (procid_target 38)
PID 2816 cmd.exe wrote to memory of 2640 (procid_target 40)
PID 2640 System32.exe wrote to memory of 2664 (procid_target 41)
PID 2640 System32.exe wrote to memory of 2012 (procid_target 43)
PID 2012 cmd.exe wrote to memory of 2180 (procid_target 45)
PID 2012 cmd.exe wrote to memory of 2116 (procid_target 46)
PID 2012 cmd.exe wrote to memory of 2856 (procid_target 47)
PID 2856 System32.exe wrote to memory of 1820 (procid_target 48)
PID 2856 System32.exe wrote to memory of 1864 (procid_target 50)
PID 1864 cmd.exe wrote to memory of 2604 (procid_target 52)
PID 1864 cmd.exe wrote to memory of 1528 (procid_target 53)
PID 1864 cmd.exe wrote to memory of 296 (procid_target 54)
PID 296 System32.exe wrote to memory of 2944 (procid_target 55)
PID 296 System32.exe wrote to memory of 2576 (procid_target 57)
PID 2576 cmd.exe wrote to memory of 2144 (procid_target 59)
PID 2576 cmd.exe wrote to memory of 2352 (procid_target 60)
PID 2576 cmd.exe wrote to memory of 1432 (procid_target 61)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\Client-built.exe (PID 2552)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 2: C:\Windows\system32\schtasks.exe (PID 1992)
  cmdline: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 2: C:\Users\Admin\AppData\Roaming\System32\System32.exe (PID 2412)
  cmdline: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

depth 3: C:\Windows\system32\schtasks.exe (PID 2980)
  cmdline: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 3: C:\Windows\system32\cmd.exe (PID 2816)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\YngeC6M8zuBM.bat" "
  - Suspicious use of WriteProcessMemory

depth 4: C:\Windows\system32\chcp.com (PID 2820)
  cmdline: chcp 65001

depth 4: C:\Windows\system32\PING.EXE (PID 2776)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 4: C:\Users\Admin\AppData\Roaming\System32\System32.exe (PID 2640)
  cmdline: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 5: C:\Windows\system32\schtasks.exe (PID 2664)
  cmdline: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 5: C:\Windows\system32\cmd.exe (PID 2012)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\uTPfyOY7KhUF.bat" "
  - Suspicious use of WriteProcessMemory

depth 6: C:\Windows\system32\chcp.com (PID 2180)
  cmdline: chcp 65001

depth 6: C:\Windows\system32\PING.EXE (PID 2116)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 6: C:\Users\Admin\AppData\Roaming\System32\System32.exe (PID 2856)
  cmdline: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 7: C:\Windows\system32\schtasks.exe (PID 1820)
  cmdline: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 7: C:\Windows\system32\cmd.exe (PID 1864)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RdQmq8rhthnu.bat" "
  - Suspicious use of WriteProcessMemory

depth 8: C:\Windows\system32\chcp.com (PID 2604)
  cmdline: chcp 65001

depth 8: C:\Windows\system32\PING.EXE (PID 1528)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 8: C:\Users\Admin\AppData\Roaming\System32\System32.exe (PID 296)
  cmdline: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 9: C:\Windows\system32\schtasks.exe (PID 2944)
  cmdline: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 9: C:\Windows\system32\cmd.exe (PID 2576)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\YcIe5n4l7r8b.bat" "
  - Suspicious use of WriteProcessMemory

depth 10: C:\Windows\system32\chcp.com (PID 2144)
  cmdline: chcp 65001

depth 10: C:\Windows\system32\PING.EXE (PID 2352)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 10: C:\Users\Admin\AppData\Roaming\System32\System32.exe (PID 1432)
  cmdline: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 11: C:\Windows\system32\schtasks.exe (PID 2316)
  cmdline: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 11: C:\Windows\system32\cmd.exe (PID 1592)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\UxHC5YH4VnAK.bat" "

depth 12: C:\Windows\system32\chcp.com (PID 1200)
  cmdline: chcp 65001

depth 12: C:\Windows\system32\PING.EXE (PID 1340)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 12: C:\Users\Admin\AppData\Roaming\System32\System32.exe (PID 352)
  cmdline: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 13: C:\Windows\system32\schtasks.exe (PID 600)
  cmdline: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 13: C:\Windows\system32\cmd.exe (PID 2280)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3SBCa7pRVzje.bat" "

depth 14: C:\Windows\system32\chcp.com (PID 2100)
  cmdline: chcp 65001

depth 14: C:\Windows\system32\PING.EXE (PID 2260)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 14: C:\Users\Admin\AppData\Roaming\System32\System32.exe (PID 1232)
  cmdline: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 15: C:\Windows\system32\schtasks.exe (PID 2104)
  cmdline: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 15: C:\Windows\system32\cmd.exe (PID 2128)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\6Qyd2vavqcDG.bat" "

depth 16: C:\Windows\system32\chcp.com (PID 3048)
  cmdline: chcp 65001

depth 16: C:\Windows\system32\PING.EXE (PID 2416)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 16: C:\Users\Admin\AppData\Roaming\System32\System32.exe (PID 2980)
  cmdline: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 17: C:\Windows\system32\schtasks.exe (PID 2764)
  cmdline: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 17: C:\Windows\system32\cmd.exe (PID 2772)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ia1zh1flH4YN.bat" "

depth 18: C:\Windows\system32\chcp.com (PID 2964)
  cmdline: chcp 65001

depth 18: C:\Windows\system32\PING.EXE (PID 2744)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 18: C:\Users\Admin\AppData\Roaming\System32\System32.exe (PID 2664)
  cmdline: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 19: C:\Windows\system32\schtasks.exe (PID 2740)
  cmdline: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 19: C:\Windows\system32\cmd.exe (PID 2884)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\AwVB0wFnyKT2.bat" "

depth 20: C:\Windows\system32\chcp.com (PID 2580)
  cmdline: chcp 65001

depth 20: C:\Windows\system32\PING.EXE (PID 2532)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 20: C:\Users\Admin\AppData\Roaming\System32\System32.exe (PID 2248)
  cmdline: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 21: C:\Windows\system32\schtasks.exe (PID 1684)
  cmdline: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 21: C:\Windows\system32\cmd.exe (PID 1708)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\bk9fr6KfhzQT.bat" "

depth 22: C:\Windows\system32\chcp.com (PID 2856)
  cmdline: chcp 65001

depth 22: C:\Windows\system32\PING.EXE (PID 2676)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 22: C:\Users\Admin\AppData\Roaming\System32\System32.exe (PID 2852)
  cmdline: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 23: C:\Windows\system32\schtasks.exe (PID 2348)
  cmdline: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 23: C:\Windows\system32\cmd.exe (PID 296)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\bHiJJw8UV0or.bat" "

depth 24: C:\Windows\system32\chcp.com (PID 860)
  cmdline: chcp 65001

depth 24: C:\Windows\system32\PING.EXE (PID 1688)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 24: C:\Users\Admin\AppData\Roaming\System32\System32.exe (PID 1076)
  cmdline: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 25: C:\Windows\system32\schtasks.exe (PID 1388)
  cmdline: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 25: C:\Windows\system32\cmd.exe (PID 1200)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\avYKw9doFOw1.bat" "

depth 26: C:\Windows\system32\chcp.com (PID 2036)
  cmdline: chcp 65001

depth 26: C:\Windows\system32\PING.EXE (PID 740)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 26: C:\Users\Admin\AppData\Roaming\System32\System32.exe (PID 944)
  cmdline: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 27: C:\Windows\system32\schtasks.exe (PID 2464)
  cmdline: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 27: C:\Windows\system32\cmd.exe (PID 1044)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\8BTF8sAr30sN.bat" "

depth 28: C:\Windows\system32\chcp.com (PID 2076)
  cmdline: chcp 65001

depth 28: C:\Windows\system32\PING.EXE (PID 1796)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 28: C:\Users\Admin\AppData\Roaming\System32\System32.exe (PID 2284)
  cmdline: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 29: C:\Windows\system32\schtasks.exe (PID 1716)
  cmdline: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 29: C:\Windows\system32\cmd.exe (PID 1992)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\U9DGM6fccbcq.bat" "

depth 30: C:\Windows\system32\chcp.com (PID 2468)
  cmdline: chcp 65001

depth 30: C:\Windows\system32\PING.EXE (PID 1876)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 30: C:\Users\Admin\AppData\Roaming\System32\System32.exe (PID 2056)
  cmdline: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 31: C:\Windows\system32\schtasks.exe (PID 3052)
  cmdline: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 31: C:\Windows\system32\cmd.exe (PID 3004)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\VUCyArFsvExi.bat" "

depth 32: C:\Windows\system32\chcp.com (PID 2712)
  cmdline: chcp 65001

depth 32: C:\Windows\system32\PING.EXE (PID 2112)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads