Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2024 03:28

Behavioral task
- behavioral1
- Sample: 8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe
- Resource: win7-20240903-en

General
- Target: 8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe
- Size: 3.2MB
- MD5: 23c072bdc1c5fe6c2290df7cd3e9abf8
- SHA1: e10c6f7843e89f787866aac99c0cb7a3b2c7a902
- SHA256: 8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490
- SHA512: 5e18db624ec40d90776a80d90fa80a8a39f7fcd56a523e2d831942934b00e501e7009cc37b17fa4b29a2c2e5c1895c65fdc3259421fb3ce6ea9da50048c50e0e
- SSDEEP: 98304:xv642pda6D+/PjlLOlZyQipV2mRJ6Nae:1eOpPU9
Malware Config
Extracted
- quasar
- 1.4.1
- Main
- tpinauskas-54803.portmap.host:54803
- 8422dcc2-b8bd-4080-a017-5b62524b6546
- encryption_key: 2EFF7393DC1BD9FBDDD61A780B994B8166BAB8EC
- install_name: Win64.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Win64
- subdirectory: SubDir
Signatures
- Quasar family
- Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/1584-1-0x00000000008B0000-0x0000000000BF0000-memory.dmp | family_quasar
  behavioral2/files/0x0007000000023c9e-6.dat | family_quasar
- Checks computer location settings (2 TTPs, 15 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | Win64.exe
  (this row is recorded 15 times in the report)
- Executes dropped EXE (15 IoCs)
  Process Win64.exe, pids: 4132, 2880, 3616, 4540, 4672, 2016, 964, 4848, 4964, 3740, 3972, 2300, 428, 1684, 972
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  Process PING.EXE, pids: 2888, 5100, 1132, 1252, 3320, 2896, 3384, 3908, 2972, 1796, 4452, 1288, 3788, 1488, 456
- Runs ping.exe (1 TTP, 15 IoCs)
  Process PING.EXE, pids: 5100, 2896, 1132, 3788, 3320, 1288, 3384, 2972, 4452, 3908, 1252, 1488, 456, 2888, 1796
- Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Process schtasks.exe, pids: 4424, 4644, 3832, 2196, 3248, 4808, 116, 4724, 412, 1032, 4800, 224, 1896, 1412, 2360, 2968
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeDebugPrivilege
  pid 1584 (8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe); Win64.exe pids: 4132, 2880, 3616, 4540, 4672, 2016, 964, 4848, 4964, 3740, 3972, 2300, 428, 1684, 972
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  (each of the 32 writes below is recorded twice in the report, giving 64 IoCs)
  PID 1584 wrote to memory of 4724 | 1584 | 8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe | 83
  PID 1584 wrote to memory of 4132 | 1584 | 8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe | 85
  PID 4132 wrote to memory of 4424 | 4132 | Win64.exe | 86
  PID 4132 wrote to memory of 3140 | 4132 | Win64.exe | 88
  PID 3140 wrote to memory of 1112 | 3140 | cmd.exe | 90
  PID 3140 wrote to memory of 5100 | 3140 | cmd.exe | 91
  PID 3140 wrote to memory of 2880 | 3140 | cmd.exe | 99
  PID 2880 wrote to memory of 4644 | 2880 | Win64.exe | 100
  PID 2880 wrote to memory of 2044 | 2880 | Win64.exe | 103
  PID 2044 wrote to memory of 920 | 2044 | cmd.exe | 105
  PID 2044 wrote to memory of 1288 | 2044 | cmd.exe | 106
  PID 2044 wrote to memory of 3616 | 2044 | cmd.exe | 114
  PID 3616 wrote to memory of 2196 | 3616 | Win64.exe | 115
  PID 3616 wrote to memory of 4716 | 3616 | Win64.exe | 118
  PID 4716 wrote to memory of 1724 | 4716 | cmd.exe | 120
  PID 4716 wrote to memory of 2896 | 4716 | cmd.exe | 121
  PID 4716 wrote to memory of 4540 | 4716 | cmd.exe | 126
  PID 4540 wrote to memory of 3248 | 4540 | Win64.exe | 127
  PID 4540 wrote to memory of 2756 | 4540 | Win64.exe | 130
  PID 2756 wrote to memory of 3872 | 2756 | cmd.exe | 132
  PID 2756 wrote to memory of 1132 | 2756 | cmd.exe | 133
  PID 2756 wrote to memory of 4672 | 2756 | cmd.exe | 135
  PID 4672 wrote to memory of 4808 | 4672 | Win64.exe | 136
  PID 4672 wrote to memory of 2252 | 4672 | Win64.exe | 139
  PID 2252 wrote to memory of 2000 | 2252 | cmd.exe | 141
  PID 2252 wrote to memory of 3384 | 2252 | cmd.exe | 142
  PID 2252 wrote to memory of 2016 | 2252 | cmd.exe | 144
  PID 2016 wrote to memory of 2968 | 2016 | Win64.exe | 145
  PID 2016 wrote to memory of 4516 | 2016 | Win64.exe | 148
  PID 4516 wrote to memory of 4912 | 4516 | cmd.exe | 150
  PID 4516 wrote to memory of 3908 | 4516 | cmd.exe | 151
  PID 4516 wrote to memory of 964 | 4516 | cmd.exe | 154
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; indentation shows parent/child depth, each entry gives image path, PID, command line and matched signatures)
- C:\Users\Admin\AppData\Local\Temp\8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe (PID 1584)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490.exe"
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe (PID 4724)
    cmdline: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 4132)
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe (PID 4424)
      cmdline: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
      signatures: Scheduled Task/Job: Scheduled Task
    - C:\Windows\system32\cmd.exe (PID 3140)
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\horzJWVH84oR.bat" "
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\chcp.com (PID 1112)
        cmdline: chcp 65001
      - C:\Windows\system32\PING.EXE (PID 5100)
        cmdline: ping -n 10 localhost
        signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
      - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 2880)
        cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\SYSTEM32\schtasks.exe (PID 4644)
          cmdline: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
          signatures: Scheduled Task/Job: Scheduled Task
        - C:\Windows\system32\cmd.exe (PID 2044)
          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ln8xqQdJ7Bzn.bat" "
          signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\chcp.com (PID 920)
            cmdline: chcp 65001
          - C:\Windows\system32\PING.EXE (PID 1288)
            cmdline: ping -n 10 localhost
            signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
          - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 3616)
            cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
            signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\SYSTEM32\schtasks.exe (PID 2196)
              cmdline: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
              signatures: Scheduled Task/Job: Scheduled Task
            - C:\Windows\system32\cmd.exe (PID 4716)
              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMpn0nBcGNgA.bat" "
              signatures: Suspicious use of WriteProcessMemory
              - C:\Windows\system32\chcp.com (PID 1724)
                cmdline: chcp 65001
              - C:\Windows\system32\PING.EXE (PID 2896)
                cmdline: ping -n 10 localhost
                signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
              - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 4540)
                cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
                signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - C:\Windows\SYSTEM32\schtasks.exe (PID 3248)
                  cmdline: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
                  signatures: Scheduled Task/Job: Scheduled Task
                - C:\Windows\system32\cmd.exe (PID 2756)
                  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\odveuk2fUWvu.bat" "
                  signatures: Suspicious use of WriteProcessMemory
                  - C:\Windows\system32\chcp.com (PID 3872)
                    cmdline: chcp 65001
                  - C:\Windows\system32\PING.EXE (PID 1132)
                    cmdline: ping -n 10 localhost
                    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                  - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 4672)
                    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
                    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                    - C:\Windows\SYSTEM32\schtasks.exe (PID 4808)
                      cmdline: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
                      signatures: Scheduled Task/Job: Scheduled Task
                    - C:\Windows\system32\cmd.exe (PID 2252)
                      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n1AOXRg5F1ks.bat" "
                      signatures: Suspicious use of WriteProcessMemory
                      - C:\Windows\system32\chcp.com (PID 2000)
                        cmdline: chcp 65001
                      - C:\Windows\system32\PING.EXE (PID 3384)
                        cmdline: ping -n 10 localhost
                        signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                      - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 2016)
                        cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
                        signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                        - C:\Windows\SYSTEM32\schtasks.exe (PID 2968)
                          cmdline: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
                          signatures: Scheduled Task/Job: Scheduled Task
                        - C:\Windows\system32\cmd.exe (PID 4516)
                          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yeypo2pauogk.bat" "
                          signatures: Suspicious use of WriteProcessMemory
                          - C:\Windows\system32\chcp.com (PID 4912)
                            cmdline: chcp 65001
                          - C:\Windows\system32\PING.EXE (PID 3908)
                            cmdline: ping -n 10 localhost
                            signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                          - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 964)
                            cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
                            signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                            - C:\Windows\SYSTEM32\schtasks.exe (PID 116)
                              cmdline: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
                              signatures: Scheduled Task/Job: Scheduled Task
                            - C:\Windows\system32\cmd.exe (PID 4496)
                              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wpjPx75Pxiav.bat" "
                              - C:\Windows\system32\chcp.com (PID 4888)
                                cmdline: chcp 65001
                              - C:\Windows\system32\PING.EXE (PID 1796)
                                cmdline: ping -n 10 localhost
                                signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                              - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 4848)
                                cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
                                signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                                - C:\Windows\SYSTEM32\schtasks.exe (PID 412)
                                  cmdline: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
                                  signatures: Scheduled Task/Job: Scheduled Task
                                - C:\Windows\system32\cmd.exe (PID 4136)
                                  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\guiZrpEuaU8X.bat" "
                                  - C:\Windows\system32\chcp.com (PID 1752)
                                    cmdline: chcp 65001
                                  - C:\Windows\system32\PING.EXE (PID 3788)
                                    cmdline: ping -n 10 localhost
                                    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                                  - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 4964)
                                    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
                                    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                                    - C:\Windows\SYSTEM32\schtasks.exe (PID 3832)
                                      cmdline: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
                                      signatures: Scheduled Task/Job: Scheduled Task
                                    - C:\Windows\system32\cmd.exe (PID 4640)
                                      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JZvgdgYhxKaU.bat" "
                                      - C:\Windows\system32\chcp.com (PID 3172)
                                        cmdline: chcp 65001
                                      - C:\Windows\system32\PING.EXE (PID 1252)
                                        cmdline: ping -n 10 localhost
                                        signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                                      - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 3740)
                                        cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
                                        signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                                        - C:\Windows\SYSTEM32\schtasks.exe (PID 1032)
                                          cmdline: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
                                          signatures: Scheduled Task/Job: Scheduled Task
                                        - C:\Windows\system32\cmd.exe (PID 4472)
                                          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xLZiTG4UeCrB.bat" "
                                          - C:\Windows\system32\chcp.com (PID 3200)
                                            cmdline: chcp 65001
                                          - C:\Windows\system32\PING.EXE (PID 2972)
                                            cmdline: ping -n 10 localhost
                                            signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                                          - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 3972)
                                            cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
                                            signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                                            - C:\Windows\SYSTEM32\schtasks.exe (PID 4800)
                                              cmdline: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
                                              signatures: Scheduled Task/Job: Scheduled Task
                                            - C:\Windows\system32\cmd.exe (PID 688)
                                              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2GWXQYfbxRM0.bat" "
                                              - C:\Windows\system32\chcp.com (PID 1608)
                                                cmdline: chcp 65001
                                              - C:\Windows\system32\PING.EXE (PID 1488)
                                                cmdline: ping -n 10 localhost
                                                signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                                              - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 2300)
                                                cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
                                                signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                                                - C:\Windows\SYSTEM32\schtasks.exe (PID 224)
                                                  cmdline: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
                                                  signatures: Scheduled Task/Job: Scheduled Task
                                                - C:\Windows\system32\cmd.exe (PID 3604)
                                                  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yBvh4AwMhxNK.bat" "
                                                  - C:\Windows\system32\chcp.com (PID 804)
                                                    cmdline: chcp 65001
                                                  - C:\Windows\system32\PING.EXE (PID 456)
                                                    cmdline: ping -n 10 localhost
                                                    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                                                  - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 428)
                                                    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
                                                    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                                                    - C:\Windows\SYSTEM32\schtasks.exe (PID 1896)
                                                      cmdline: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
                                                      signatures: Scheduled Task/Job: Scheduled Task
                                                    - C:\Windows\system32\cmd.exe (PID 3312)
                                                      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BJ5jSJVmG50v.bat" "
                                                      - C:\Windows\system32\chcp.com (PID 2132)
                                                        cmdline: chcp 65001
                                                      - C:\Windows\system32\PING.EXE (PID 3320)
                                                        cmdline: ping -n 10 localhost
                                                        signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                                                      - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 1684)
                                                        cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
                                                        signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                                                        - C:\Windows\SYSTEM32\schtasks.exe (PID 1412)
                                                          cmdline: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
                                                          signatures: Scheduled Task/Job: Scheduled Task
                                                        - C:\Windows\system32\cmd.exe (PID 2816)
                                                          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n0CQMPOjGKqQ.bat" "
                                                          - C:\Windows\system32\chcp.com (PID 2432)
                                                            cmdline: chcp 65001
                                                          - C:\Windows\system32\PING.EXE (PID 2888)
                                                            cmdline: ping -n 10 localhost
                                                            signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
                                                          - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe (PID 972)
                                                            cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
                                                            signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                                                            - C:\Windows\SYSTEM32\schtasks.exe (PID 2360)
                                                              cmdline: "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
                                                              signatures: Scheduled Task/Job: Scheduled Task
                                                            - C:\Windows\system32\cmd.exe (PID 3016)
                                                              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p04ToLuFN329.bat" "
                                                              - C:\Windows\system32\chcp.com (PID 4912)
                                                                cmdline: chcp 65001
                                                              - C:\Windows\system32\PING.EXE (PID 4452)
                                                                cmdline: ping -n 10 localhost
                                                                signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 8f0271a63446aef01cf2bfc7b7c7976b
  SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
  SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
  SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
- Filesize: 206B
  MD5: b6b208f4146c270692bb37b1593322a4
  SHA1: c30d2483323754ce91e7b2d18a9340bc9eaaf25e
  SHA256: 6463d3f24cf948af3cd210b574b7ee915ccbe936ac11fd73356fb464767a0c81
  SHA512: 1a6a321fabfe47f72a2a09e54d7e8aa33457cfa15cd1c7a65df1ce53dc4da2179c645fa2e1bf1083dcd093edc9c19a635e933584c56b55a827548ed97d87544e
- Filesize: 206B
  MD5: b455ff75f54362de8b8e4d019c4120f8
  SHA1: 2cb44a86ade831e1f548e43bd95420aa0746d4fb
  SHA256: cd17bd78cec2834426bfa0d13c2a32fcec389c10b51c40ef78b39a539e344cb7
  SHA512: 431f83123c12eb3bef0987a43647e7c643599f3733c662cb240fa208fd2ae8109aa1d9310e192f97eae78e76b22e145692cadf415e85c8b263e7bf1e5cc36b85
- Filesize: 206B
  MD5: 76f03a0d47a5fcf6c540c80fc8920120
  SHA1: 788cb0d4fc6b5449c9c71a02ffda024982691b7c
  SHA256: daebedf50678b21789dfb2c51485bafee953ef072e93744b1066407edb670750
  SHA512: c636c0370dc938673f3446d474b6d475914b9c5e8e585417cc6b2586923ba82b5b11946a99cc40de33566741af6ce96a7a10652991587794bc6cf93fcae5a4d9
- Filesize: 206B
  MD5: c8e53ae02ba5f66959344f47186abe28
  SHA1: 2bc9887d812113f8cd0fcc299841f8aa43f8e5ab
  SHA256: 9435d3ef381a073231c9fdfe3a89b3f56ec0257a0d4e70cb6f542a6069a0abca
  SHA512: 25da1b1848311ddfa9afc1767367110e9b8d424d913071cf21b0d0180eb16578c76dd9de2ae6ecb283f88cff9322cfd2c99eb4d0f1c6ef369c60c286b851b32c
- Filesize: 206B
  MD5: d0cc4e59d2f4934b7a68ea3be883e5f7
  SHA1: cf6b4719d7ae20713f968956da5f9a02e9ffbd13
  SHA256: feef799dad026abae89dbe743ac673914062e532dcf15774a82f3b0c82b93182
  SHA512: 6b51a48e08cece17dde3de346085cda9cd5bdb82772ddede5663876f35640da2144d702cbe3056e65404f72622157b91e9bbe13576b5a88eef34fadf71be35f1
- Filesize: 206B
  MD5: 0be33fef7533671290d00444b833a215
  SHA1: 51dc96be9ca0713a57de3a6b89b9f986c1043e6a
  SHA256: e7a3cc698788791908668a6f7b7dd22d7fe819c7b52029672ab4b1d6f7be8ece
  SHA512: 57a74a2140bb1ff7e30ab6cb6b21bfa95b11826a74175784f6012a566e5fec38ea001b92254b8ecc56eeaf9942fe87ec5e8436a4776e815c4dc89682d54fdb92
- Filesize: 206B
  MD5: 5081668bd708bb87725c8ab158dba0a5
  SHA1: d8210a1f347e06803636a9b3ec96fbc40fbef9df
  SHA256: d80bae4d54fd165a872047ba9c0cdf48f6913d91392cecb275d15a37abf1cb02
  SHA512: 0d7215e63bb1dc04a653675a09ea26a8482acd3a7fb68f479f2f8d4fc7d5a5895ca5b596f547fb92626b7d475b929024e78ba8ca9f89a43c63236f36f3bbd657
- Filesize: 206B
  MD5: b740509bf351eeccd36373d4e0d81216
  SHA1: 07d8710f8427f6f9a9fedeb7456fc80c06f6cea9
  SHA256: 1e92ac69d746ccb275f1b1a48012a463b00d1f7848e5f6acb241f60e75ca4dac
  SHA512: 00c3f65ae0f89d7c56b9b29b5e1aa6a354aae6cb3c2961b368118db5435429a79b338bff8719570b6624221b1a429813c660a94d2bafe7e1a457a86df3e9ca49
- Filesize: 206B
  MD5: 58d5a0f730d4144b2b710307b451de13
  SHA1: 38a7ef91f8b9f79e06c74591cf2b3d91badcdc7e
  SHA256: ca1d947404f3eb76bb08caf6a9f7287ac2e2517d5a6fdabf594dd2d677b3b36f
  SHA512: 4fb3ed08870897abb20f52d3e1c81a7dae655e85c32879c1e173ce204ddf6b161421641b09c16fe5e66f334915c40acd66bff15e8a40aef491bae1cff698c51f
- Filesize: 206B
  MD5: e8771d8f4b93f98252067ef4ad55354e
  SHA1: ad844929b6aaa50704416384af78ac55b12e1d7d
  SHA256: 9a88f88e16e6bfc94ef38e2b28e6504d4af4d2c7f97985e4fda84867dad94d93
  SHA512: 18c77669e21acb27972a121aa48aca05f3faaf61f77c189585803b3f05c1436b6e8febb2b2b9f93ea9c44ce810569e6642c15e6b456805b4d69dd019147a436e
- Filesize: 206B
  MD5: 210f0e634049f488bb23cd25c4a2ccf2
  SHA1: a8fc6de5bef4ce2e4041f2bc0cc06b1cba753e7e
  SHA256: ab7257fdf548b213e25b62ab2bc06ac02b0e69e33fe32edf5de6d2247de4f174
  SHA512: 4ec647f98d33118e83254200133ae88596174fb4ceb89f40d39b731db23a315be1b773e8823e0662ad321d450f635134d6022ac6562e0e0eae1922f059db8945
- Filesize: 206B
  MD5: b72aed6105c9f066050348eeaf9cda58
  SHA1: 9835f230b2f7deb9c2d003ec469201fce76c1203
  SHA256: 81cc5e2aa772585cdfec49a43966e1b5cb84161a5fd9cf542ec71d5f582dbdf2
  SHA512: d9a5344447ecd687ad0db70c1fced4660bdcbcadd874f1e9ee9b59c70c5d83163088bc469db2d544e8eec9fc91912cfa1169f8d80a5823f605073add8eb174dd
- Filesize: 206B
  MD5: 9d325a983fcbd21af970f9cd192e92ae
  SHA1: e7b3f8301d120036a1d5959ea83b610dab820771
  SHA256: 33b38e0d75b77f423ad62d2a26fbbcfe59acb62232ba5220ba169eb09dc4b028
  SHA512: 38898bf54e298d78efdba5874c62278ad5a89d66872643ca61a6093354025207ca0ed7f5a233ffae7d4cf2a1c5284dc764fee46ac1e69249fb0c1d660e533795
- Filesize: 206B
  MD5: 945c594eff6edd97adac791222d2ec3a
  SHA1: 7ed8c43c3fdc0fc464dba343f1d356ba02d5bcef
  SHA256: 45a535f1e8020d813e8f58d4b19bd712f1518f81dca93b71581d16e498b6228f
  SHA512: a084ae32cfb110b893039cfa8bc314e7a8befce81c73dddaf02696e44a8ef2c88f05cee9aca8fed2ad7e21de38d1eb0579db0e67456d6fc63ba7a5848663ecfb
- Filesize: 206B
  MD5: 605fcf6fd52b7da21c10bbef4a144aa3
  SHA1: 1ef8eca3c27f33e6669003ad8a6a34731bd9a9df
  SHA256: eda62245bcc8af804ba0f2934a3831af177b0fd26206f9c142d610ded6b1998d
  SHA512: 044c804329f864b6391ba7e0ad9e470659fa70cd52d2a0c5626e2975cb80b8908495400a36fe76b9b2c5899b242b03ba3c1b4ac60ebd4aa5b464f8824fe63b3d
- Filesize: 3.2MB
  MD5: 23c072bdc1c5fe6c2290df7cd3e9abf8
  SHA1: e10c6f7843e89f787866aac99c0cb7a3b2c7a902
  SHA256: 8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490
  SHA512: 5e18db624ec40d90776a80d90fa80a8a39f7fcd56a523e2d831942934b00e501e7009cc37b17fa4b29a2c2e5c1895c65fdc3259421fb3ce6ea9da50048c50e0e