Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
18-12-2024 06:26
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win7-20240903-en
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
82222cff36f2c338159b23a7f18a4815
-
SHA1
8beccbb99e38248a080d5de1de8d87617ca428c2
-
SHA256
033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea
-
SHA512
ed1a66e9d925291b14131b129e28e02494d6a174b3abde8d724d35a502f805ef472e5a780d37ce0ed2548a5f7071afbccbbd769ff938e04458d7eb409371ef55
-
SSDEEP
49152:qUd1/DM2zv8aMlqCPwln5+Hjdh+EuvQ1VeiroGnGTHHB72eh2NTe:qUPrM2zEaMlqCPwln5+Ddh+Zvus
Malware Config
Extracted
quasar
1.4.1
rat1
unitedrat.ddns.net:4782
5100ab61-a5a5-407f-af55-9e7766b9d637
-
encryption_key
AB7A97D9E0F9B0A44190A0D500EAB7AF37629802
-
install_name
System32.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
System32
-
subdirectory
System32
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
resource  yara_rule
behavioral2/memory/2412-1-0x0000000000DB0000-0x00000000010D4000-memory.dmp  family_quasar
behavioral2/files/0x0009000000023c36-4.dat  family_quasar
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  System32.exe
(the same entry appears 15 times in the report, giving the 15 IoCs)
Executes dropped EXE 15 IoCs
pid   Process
2444  System32.exe
4132  System32.exe
2776  System32.exe
648   System32.exe
2044  System32.exe
5036  System32.exe
1272  System32.exe
2708  System32.exe
4700  System32.exe
2572  System32.exe
1360  System32.exe
1988  System32.exe
4332  System32.exe
3100  System32.exe
932   System32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
3224  PING.EXE
2092  PING.EXE
2416  PING.EXE
440   PING.EXE
1592  PING.EXE
4260  PING.EXE
3224  PING.EXE
4796  PING.EXE
3808  PING.EXE
3692  PING.EXE
4764  PING.EXE
1784  PING.EXE
1428  PING.EXE
932   PING.EXE
2696  PING.EXE
Runs ping.exe 1 TTPs 15 IoCs
pid   Process
1784  PING.EXE
1592  PING.EXE
3224  PING.EXE
4260  PING.EXE
4796  PING.EXE
440   PING.EXE
2092  PING.EXE
2696  PING.EXE
1428  PING.EXE
932   PING.EXE
3224  PING.EXE
4764  PING.EXE
3808  PING.EXE
3692  PING.EXE
2416  PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2280  schtasks.exe
4312  schtasks.exe
3148  schtasks.exe
4932  schtasks.exe
2072  schtasks.exe
4112  schtasks.exe
3184  schtasks.exe
1164  schtasks.exe
1816  schtasks.exe
4936  schtasks.exe
2604  schtasks.exe
3992  schtasks.exe
2976  schtasks.exe
4888  schtasks.exe
380   schtasks.exe
936   schtasks.exe
Suspicious use of AdjustPrivilegeToken 16 IoCs
description                pid   Process
Token: SeDebugPrivilege    2412  Client-built.exe
Token: SeDebugPrivilege    2444  System32.exe
Token: SeDebugPrivilege    4132  System32.exe
Token: SeDebugPrivilege    2776  System32.exe
Token: SeDebugPrivilege    648   System32.exe
Token: SeDebugPrivilege    2044  System32.exe
Token: SeDebugPrivilege    5036  System32.exe
Token: SeDebugPrivilege    1272  System32.exe
Token: SeDebugPrivilege    2708  System32.exe
Token: SeDebugPrivilege    4700  System32.exe
Token: SeDebugPrivilege    2572  System32.exe
Token: SeDebugPrivilege    1360  System32.exe
Token: SeDebugPrivilege    1988  System32.exe
Token: SeDebugPrivilege    4332  System32.exe
Token: SeDebugPrivilege    3100  System32.exe
Token: SeDebugPrivilege    932   System32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                         pid   Process           procid_target
PID 2412 wrote to memory of 2072    2412  Client-built.exe  84
PID 2412 wrote to memory of 2444    2412  Client-built.exe  86
PID 2444 wrote to memory of 4936    2444  System32.exe      87
PID 2444 wrote to memory of 2264    2444  System32.exe      89
PID 2264 wrote to memory of 4024    2264  cmd.exe           91
PID 2264 wrote to memory of 4260    2264  cmd.exe           92
PID 2264 wrote to memory of 4132    2264  cmd.exe           93
PID 4132 wrote to memory of 2604    4132  System32.exe      94
PID 4132 wrote to memory of 2560    4132  System32.exe      96
PID 2560 wrote to memory of 2980    2560  cmd.exe           99
PID 2560 wrote to memory of 1784    2560  cmd.exe           100
PID 2560 wrote to memory of 2776    2560  cmd.exe           101
PID 2776 wrote to memory of 3992    2776  System32.exe      102
PID 2776 wrote to memory of 4552    2776  System32.exe      105
PID 4552 wrote to memory of 3720    4552  cmd.exe           107
PID 4552 wrote to memory of 1428    4552  cmd.exe           108
PID 4552 wrote to memory of 648     4552  cmd.exe           120
PID 648 wrote to memory of 2280     648   System32.exe      121
PID 648 wrote to memory of 1756     648   System32.exe      124
PID 1756 wrote to memory of 4304    1756  cmd.exe           126
PID 1756 wrote to memory of 932     1756  cmd.exe           127
PID 1756 wrote to memory of 2044    1756  cmd.exe           133
PID 2044 wrote to memory of 1816    2044  System32.exe      134
PID 2044 wrote to memory of 1200    2044  System32.exe      137
PID 1200 wrote to memory of 2224    1200  cmd.exe           139
PID 1200 wrote to memory of 3224    1200  cmd.exe           140
PID 1200 wrote to memory of 5036    1200  cmd.exe           141
PID 5036 wrote to memory of 4312    5036  System32.exe      142
PID 5036 wrote to memory of 3340    5036  System32.exe      144
PID 3340 wrote to memory of 2560    3340  cmd.exe           147
PID 3340 wrote to memory of 4796    3340  cmd.exe           148
PID 3340 wrote to memory of 1272    3340  cmd.exe           151
(each entry is recorded twice in the report, giving the 64 IoCs)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  PID: 2412
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  PID: 2072
  - Scheduled Task/Job: Scheduled Task

[depth 2] C:\Users\Admin\AppData\Roaming\System32\System32.exe
  Command line: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  PID: 2444
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  PID: 4936
  - Scheduled Task/Job: Scheduled Task

[depth 3] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zy4pKbhTRSzQ.bat" "
  PID: 2264
  - Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 4024

[depth 4] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 4260
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 4] C:\Users\Admin\AppData\Roaming\System32\System32.exe
  Command line: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  PID: 4132
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  PID: 2604
  - Scheduled Task/Job: Scheduled Task

[depth 5] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ldtdoD8qL3LD.bat" "
  PID: 2560
  - Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 2980

[depth 6] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 1784
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 6] C:\Users\Admin\AppData\Roaming\System32\System32.exe
  Command line: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  PID: 2776
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  PID: 3992
  - Scheduled Task/Job: Scheduled Task

[depth 7] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zW14Byt3UdNz.bat" "
  PID: 4552
  - Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 3720

[depth 8] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 1428
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 8] C:\Users\Admin\AppData\Roaming\System32\System32.exe
  Command line: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  PID: 648
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 9] C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  PID: 2280
  - Scheduled Task/Job: Scheduled Task

[depth 9] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LzBt6UzQLir6.bat" "
  PID: 1756
  - Suspicious use of WriteProcessMemory

[depth 10] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 4304

[depth 10] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 932
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 10] C:\Users\Admin\AppData\Roaming\System32\System32.exe
  Command line: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  PID: 2044
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 11] C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  PID: 1816
  - Scheduled Task/Job: Scheduled Task

[depth 11] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j8bFDUfNXMKy.bat" "
  PID: 1200
  - Suspicious use of WriteProcessMemory

[depth 12] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 2224

[depth 12] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 3224
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 12] C:\Users\Admin\AppData\Roaming\System32\System32.exe
  Command line: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  PID: 5036
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 13] C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  PID: 4312
  - Scheduled Task/Job: Scheduled Task

[depth 13] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AZ5OJy0lw3lr.bat" "
  PID: 3340
  - Suspicious use of WriteProcessMemory

[depth 14] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 2560

[depth 14] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 4796
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 14] C:\Users\Admin\AppData\Roaming\System32\System32.exe
  Command line: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  PID: 1272
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 15] C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  PID: 2976
  - Scheduled Task/Job: Scheduled Task

[depth 15] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1sfXZYUGYpTV.bat" "
  PID: 1616

[depth 16] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 228

[depth 16] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 3808
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 16] C:\Users\Admin\AppData\Roaming\System32\System32.exe
  Command line: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  PID: 2708
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 17] C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  PID: 4888
  - Scheduled Task/Job: Scheduled Task

[depth 17] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RX4t4rHQpqZF.bat" "
  PID: 1636

[depth 18] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 220

[depth 18] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 3692
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 18] C:\Users\Admin\AppData\Roaming\System32\System32.exe
  Command line: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  PID: 4700
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 19] C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  PID: 4112
  - Scheduled Task/Job: Scheduled Task

[depth 19] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCbUqVUceXTK.bat" "
  PID: 4164

[depth 20] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 4968

[depth 20] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 440
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 20] C:\Users\Admin\AppData\Roaming\System32\System32.exe
  Command line: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  PID: 2572
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 21] C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  PID: 3148
  - Scheduled Task/Job: Scheduled Task

[depth 21] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wXB2rZwpVJpa.bat" "
  PID: 1256

[depth 22] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 4384

[depth 22] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 1592
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 22] C:\Users\Admin\AppData\Roaming\System32\System32.exe
  Command line: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  PID: 1360
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 23] C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  PID: 380
  - Scheduled Task/Job: Scheduled Task

[depth 23] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mB0qztbj82lF.bat" "
  PID: 1372

[depth 24] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 3188

[depth 24] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2092
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 24] C:\Users\Admin\AppData\Roaming\System32\System32.exe
  Command line: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  PID: 1988
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 25] C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  PID: 3184
  - Scheduled Task/Job: Scheduled Task

[depth 25] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ETPgR0mPaHck.bat" "
  PID: 1588

[depth 26] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 3648

[depth 26] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2416
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 26] C:\Users\Admin\AppData\Roaming\System32\System32.exe
  Command line: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  PID: 4332
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 27] C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  PID: 4932
  - Scheduled Task/Job: Scheduled Task

[depth 27] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YT2GSyxERTxw.bat" "
  PID: 1768

[depth 28] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 1552

[depth 28] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 4764
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 28] C:\Users\Admin\AppData\Roaming\System32\System32.exe
  Command line: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  PID: 3100
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 29] C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  PID: 936
  - Scheduled Task/Job: Scheduled Task

[depth 29] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aO7OR6cDDAod.bat" "
  PID: 2916

[depth 30] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 3244

[depth 30] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2696
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 30] C:\Users\Admin\AppData\Roaming\System32\System32.exe
  Command line: "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  PID: 932
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 31] C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  PID: 1164
  - Scheduled Task/Job: Scheduled Task

[depth 31] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hd1OD9WEECWN.bat" "
  PID: 4248

[depth 32] C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 3464

[depth 32] C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 3224
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2KB
MD5: 8f0271a63446aef01cf2bfc7b7c7976b
SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
-
Filesize: 211B
MD5: 6f3cc4c8ab2b5631320f3b230d42d275
SHA1: c9b4e94319fed3d80f5e4769bf70b98bbb99b2a3
SHA256: 3c39e2006b40f5f5e22838f899fcaa8f7f7e5c19fa1272982e8ed1b86233daf6
SHA512: 095e3616ae99c8beb54f8c53e2d84cf3843bb3b73f385a2131d2eeb1d44165b5cb7dcd8b045be3564581fa35c54b9d6cba932dda15fa463c77f6f878c4d8bfb3
-
Filesize: 211B
MD5: 216b83a7fe674f483b453921429d7bc2
SHA1: 4e003c1bb91fe23bb9cdd341ee989623e6ba1899
SHA256: 665de5179ffa3650b97d83c3c9755578e9aa168a72244c8acb79acf600b0670f
SHA512: 3b4eac69ca9b74fb445e8efa6b6de35d205ececeab881b62289e53a2ae07c99948cf63183e4dae7221b28726da92d9c97cc133d4d0c524bf98ef0db875d8da3f
-
Filesize: 211B
MD5: 926c3b5229923d14747aa6bb9eaf2c2d
SHA1: 254ae281416cf4531c363899a2b3b461c9f4cd5f
SHA256: 50fab62201828fc91aa5031f983b8fd36bb53155a5700c25b2b9dbfcaad0ae42
SHA512: 0e1848ee00e282816b5d45377f06f3dc4d70eeb988f2d75885fb67a289b5b697ad2aa60afa611d2ad23f4339e8b43b41ad0b18dae4af1f40a07c2ddc8b6547d6
-
Filesize: 211B
MD5: 9d355db28ce93301b49453eed7a80edb
SHA1: 336085b0c2f1da4ac13f899adb303117953baf24
SHA256: c168cef886f37b6e5b06fda74da3eb27186549df089fdc22649d95a7b17f3d54
SHA512: f1139d1f9fae83cc173e3149633829f67732ebaa5cfcb385c07910dcdc90bf52527c9730b8927abbeebf38924b89453fb62641ad1ad5e321466886b43ef50405
-
Filesize: 211B
MD5: 157d67415ab92cf0c71329048901f444
SHA1: 7b8521ce8e55f187c132183f2296366a7865b722
SHA256: c011c57849e25112b232017c65112f4d30d66cb5ed6efe13dd233c175472bccd
SHA512: 48f17f63e49889688c56de1ef42c408cf167c6a58d9cac02b40805eba060704db235b70d640e368b2d52ed9dd417d2f9f808375aa644c4b44b2c667dad822113
-
Filesize: 211B
MD5: e6667d5fe8908309a4e82075193ea8b2
SHA1: 26b8ebba571bc8af55d0da76a47026ea8cee114a
SHA256: 2691783016c904bd9811b328d4f82d1c29227aaecbd8e99fe9673c44227d4b14
SHA512: 695182ac2ae4b6f2e5e51cac8e25f4ea1f19cdbe9b660628290eae4c1852da2698ec0108a7c1ee5eab9ee9fc5aa1224f537d3d9ba057c2a7e293ca182a49b7c1
-
Filesize: 211B
MD5: 3b0477c47c22b8426435e5e9da7c84b4
SHA1: 1950fb4d7ca93a6dcedef71b4ca15a9a80e3b276
SHA256: ac9d5244f0bfa4009ebc1b5a384428c03fd9a0e396652b1b4a74de68ab33ca31
SHA512: 015e91093df01aba1689b960520fe420bed5e5e25d132d7d95a80c88955f266554b5d7b8e2091d0f4425896c09eee7c7a93acdaa24b9faee7fff136b73dafaf4
-
Filesize: 211B
MD5: ab7045459d0ccda6305fd1cc27b29cc3
SHA1: 088c8ba0c2503894da5111fe01eb367e9d9b1659
SHA256: fe87479f2007097a17534868b89d7748a7f55a26647adf751675629f68f7b2d9
SHA512: 72e08c62da02a97645aa57d12593669212d6f96009b53d983a625a0f182a270ef9433945fc233dea2573e8b8b0377c5f8ab260945bd55b2b403ceb341b99d21e
-
Filesize: 211B
MD5: 7fc46a39509dcfe6d20a88937b91ecf6
SHA1: 6d0fa522d951641a2d0a14305ab4c23a7166a082
SHA256: 209d0bf7de854d193f2381b3265c260e407c012b9c185b4ef550af9f87bb8987
SHA512: 31a85af5573b87348f152dd3ab36ddff0f46be17a123587e4e44680b7a086ec39d0ad63d5fe26f413d2b4d4b98c67948d4c67c92862695cb3b959c7753147f03
-
Filesize: 211B
MD5: b5458a01dcabb8859783b1ec7edad99a
SHA1: 01438d66dedfd207c779efd9f96314eaaacffe2b
SHA256: 4263bda8c503e7fffe4627aa802f576169fc5032457c753e74e6889c6472767c
SHA512: 72b06bd38ea550c3d205e3e84d0bfc8796e44d615e780abc3398e1c9a025d3ca96e0cbed17f866f2d6e45c89d7698d29da5e77096aebf299db14ea9580419dd8
-
Filesize: 211B
MD5: 6737e68b9233594df2c39b3f0956465c
SHA1: 46f5562b4d8afa430c55e79fe1b99ccf605134d8
SHA256: 5be808b0ceca51f8bb18658e516841d3d49b8920ba504bc68681a63a88e15188
SHA512: 28b33443294d8a54b8bae13bdac0375c27c95a26755b17701952dd605f1911e4135df72e7ee88beae4dd3cc4172aa8bf760fc9e36bcfe84996caa5e513c74ce0
-
Filesize: 211B
MD5: 749550ef12cf35ec5dda05f1ae9f3e1c
SHA1: 74b2b1a9a1142bf04e64a1f0c4913dc76567c071
SHA256: 23a9a3cddba9bf69a4abf1cc9d405651f439c54d3174824b29871ac78057179f
SHA512: ab52107fc602befcf0d75e5b574d78178f629ec8952e88626ad4804cfd1aae7c6cf85f262b24701cfbdd1464b81f6dd17c86eefb8c1ab3a4c1620b09f2be5f2c
-
Filesize: 211B
MD5: d9d5254d3a34364f5a4327e81b79a09a
SHA1: e7c7970135577ea99d458488ce7a388b9ab0a497
SHA256: fa108db8742dba034190e90c35b49d9b8e4493ab53492e0e6b4757f5f25e1627
SHA512: ff81f77b74f98dbda0aadd30c5f2ff716769cdd6debb8a597be36a94c91e2e5de7c6fd8519981250a2c9dbdd59ca7e2321eeb34fc4b9b097c96e6eef0160bd67
-
Filesize: 211B
MD5: 9f7def17649a631337f90b0171a3efc8
SHA1: 7cf795de9fb0d6d65a6611ee427ed5946ee005ff
SHA256: 13d6d0937cb6d9893b7f3ddf077f6849d4eb300f0b720a9c84933e1171ae6f91
SHA512: 95f907779fa233497b2522c38db33f6496320155bb3c5b0821d39bc4c5b677e8bba6ff9a18a9106250ed13943a401bd8b6366faeab3c34c5e688e904c28973a5
-
Filesize: 211B
MD5: e315a18d1f80b8d418485eaf3ff18785
SHA1: 8ea3ad52661375bfe7c552a2721a712331aaa7df
SHA256: dee0cbfa0564e0a301ef03e6695e4052eb69f6886dee971167c10233ed22191a
SHA512: 21353e95b2f338e7ea5feb951b822f94eb370a19f177d023f07baf6d998bde945e86cfd329330514c7213c537cf43918b121dd9d72fc740a21d79f1f915c5a6b
-
Filesize: 3.1MB
MD5: 82222cff36f2c338159b23a7f18a4815
SHA1: 8beccbb99e38248a080d5de1de8d87617ca428c2
SHA256: 033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea
SHA512: ed1a66e9d925291b14131b129e28e02494d6a174b3abde8d724d35a502f805ef472e5a780d37ce0ed2548a5f7071afbccbbd769ff938e04458d7eb409371ef55