Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-01-2025 10:58

Behavioral task: behavioral1
Sample: 2klz.exe
Resource: win7-20241010-en

General
Target: 2klz.exe
Size: 3.1MB
MD5: 01cb0e497f40e7d02f93255475f175e1
SHA1: 98c779497d6514b91cd1410f627a5320f6b3eab5
SHA256: 15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95
SHA512: fc81504089f520935d95e98ea867faf3dcc44b2399c418fea95f193c45584d72730868ce4362beef4adc5f9a89c008da1fc7a529a35a6cc7803d0ca15f386ef9
SSDEEP: 49152:TvalL26AaNeWgPhlmVqvMQ7XSKKGRJ69bR3LoGdEMgTHHB72eh2NT:TvCL26AaNeWgPhlmVqkQ7XSKKGRJ6PU
Malware Config
Extracted
family: quasar
version: 1.4.1
botnet: Office04
C2: Extazz24535-22930.portmap.host:22930
mutex: 89f58ee5-7af9-42de-843f-2a331a641e3f
encryption_key: CD4F349DEB46AEE10C2FE886E5B2BD7A766723CE
install_name: 2klz.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (2 IoCs)
resource | yara_rule
behavioral2/memory/1048-1-0x0000000000360000-0x0000000000684000-memory.dmp | family_quasar
behavioral2/files/0x000e000000023bce-6.dat | family_quasar

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 2klz.exe
(this identical entry is recorded 15 times, once per dropped 2klz.exe instance)

Executes dropped EXE (15 IoCs)
pid | Process
3540, 3800, 4652, 4748, 1516, 3532, 3988, 4616, 3436, 4792, 2072, 4056, 4848, 1004, 2716 | 2klz.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
3672, 3120, 1224, 740, 1572, 1324, 1372, 4112, 1260, 4204, 4528, 1032, 2288, 2716, 4648 | PING.EXE

Runs ping.exe (1 TTP, 15 IoCs)
pid | Process
4648, 1032, 3120, 4528, 2288, 1260, 4112, 1572, 1224, 4204, 3672, 2716, 740, 1372, 1324 | PING.EXE

Suspicious use of AdjustPrivilegeToken (16 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1048, 3540, 3800, 4652, 4748, 1516, 3532, 3988, 4616, 3436, 4792, 2072, 4056, 4848, 1004, 2716 | 2klz.exe

Suspicious use of FindShellTrayWindow (15 IoCs)
pid | Process
3540, 3800, 4652, 4748, 1516, 3532, 3988, 4616, 3436, 4792, 2072, 4056, 4848, 1004, 2716 | 2klz.exe

Suspicious use of SendNotifyMessage (15 IoCs)
pid | Process
3540, 3800, 4652, 4748, 1516, 3532, 3988, 4616, 3436, 4792, 2072, 4056, 4848, 1004, 2716 | 2klz.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
4792 | 2klz.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1048 wrote to memory of 3540 | 1048 | 2klz.exe | 82
PID 3540 wrote to memory of 5100 | 3540 | 2klz.exe | 83
PID 5100 wrote to memory of 412 | 5100 | cmd.exe | 85
PID 5100 wrote to memory of 4204 | 5100 | cmd.exe | 86
PID 5100 wrote to memory of 3800 | 5100 | cmd.exe | 91
PID 3800 wrote to memory of 3984 | 3800 | 2klz.exe | 92
PID 3984 wrote to memory of 2320 | 3984 | cmd.exe | 94
PID 3984 wrote to memory of 3120 | 3984 | cmd.exe | 95
PID 3984 wrote to memory of 4652 | 3984 | cmd.exe | 99
PID 4652 wrote to memory of 2556 | 4652 | 2klz.exe | 100
PID 2556 wrote to memory of 4996 | 2556 | cmd.exe | 102
PID 2556 wrote to memory of 4528 | 2556 | cmd.exe | 103
PID 2556 wrote to memory of 4748 | 2556 | cmd.exe | 105
PID 4748 wrote to memory of 4056 | 4748 | 2klz.exe | 106
PID 4056 wrote to memory of 4340 | 4056 | cmd.exe | 108
PID 4056 wrote to memory of 1032 | 4056 | cmd.exe | 109
PID 4056 wrote to memory of 1516 | 4056 | cmd.exe | 111
PID 1516 wrote to memory of 764 | 1516 | 2klz.exe | 112
PID 764 wrote to memory of 1240 | 764 | cmd.exe | 114
PID 764 wrote to memory of 2288 | 764 | cmd.exe | 115
PID 764 wrote to memory of 3532 | 764 | cmd.exe | 116
PID 3532 wrote to memory of 3392 | 3532 | 2klz.exe | 117
PID 3392 wrote to memory of 4132 | 3392 | cmd.exe | 119
PID 3392 wrote to memory of 3672 | 3392 | cmd.exe | 120
PID 3392 wrote to memory of 3988 | 3392 | cmd.exe | 121
PID 3988 wrote to memory of 3776 | 3988 | 2klz.exe | 122
PID 3776 wrote to memory of 4604 | 3776 | cmd.exe | 124
PID 3776 wrote to memory of 2716 | 3776 | cmd.exe | 125
PID 3776 wrote to memory of 4616 | 3776 | cmd.exe | 126
PID 4616 wrote to memory of 4024 | 4616 | 2klz.exe | 127
PID 4024 wrote to memory of 5088 | 4024 | cmd.exe | 129
PID 4024 wrote to memory of 740 | 4024 | cmd.exe | 130
(each of these 32 entries is recorded twice in the report, giving the 64 IoCs)
Processes
(tree depth in brackets, then PID, image path and command line; signatures triggered by that process are listed beneath it)

[1] PID 1048  C:\Users\Admin\AppData\Local\Temp\2klz.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\2klz.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[2] PID 3540  C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
[3] PID 5100  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g87pAU03xwoT.bat" "
- Suspicious use of WriteProcessMemory
[4] PID 412  C:\Windows\system32\chcp.com  cmdline: chcp 65001
[4] PID 4204  C:\Windows\system32\PING.EXE  cmdline: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
[4] PID 3800  C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
[5] PID 3984  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qxsKxvlbphqM.bat" "
- Suspicious use of WriteProcessMemory
[6] PID 2320  C:\Windows\system32\chcp.com  cmdline: chcp 65001
[6] PID 3120  C:\Windows\system32\PING.EXE  cmdline: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
[6] PID 4652  C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
[7] PID 2556  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmzSgpKHpk12.bat" "
- Suspicious use of WriteProcessMemory
[8] PID 4996  C:\Windows\system32\chcp.com  cmdline: chcp 65001
[8] PID 4528  C:\Windows\system32\PING.EXE  cmdline: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
[8] PID 4748  C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
[9] PID 4056  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hImAvNc6Yf1P.bat" "
- Suspicious use of WriteProcessMemory
[10] PID 4340  C:\Windows\system32\chcp.com  cmdline: chcp 65001
[10] PID 1032  C:\Windows\system32\PING.EXE  cmdline: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
[10] PID 1516  C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
[11] PID 764  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M4V0djVf2fiw.bat" "
- Suspicious use of WriteProcessMemory
[12] PID 1240  C:\Windows\system32\chcp.com  cmdline: chcp 65001
[12] PID 2288  C:\Windows\system32\PING.EXE  cmdline: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
[12] PID 3532  C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
[13] PID 3392  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgghoKz3RyaW.bat" "
- Suspicious use of WriteProcessMemory
[14] PID 4132  C:\Windows\system32\chcp.com  cmdline: chcp 65001
[14] PID 3672  C:\Windows\system32\PING.EXE  cmdline: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
[14] PID 3988  C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
[15] PID 3776  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4hwTBzv3sylT.bat" "
- Suspicious use of WriteProcessMemory
[16] PID 4604  C:\Windows\system32\chcp.com  cmdline: chcp 65001
[16] PID 2716  C:\Windows\system32\PING.EXE  cmdline: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
[16] PID 4616  C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
[17] PID 4024  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bb9enGKS7N0q.bat" "
- Suspicious use of WriteProcessMemory
[18] PID 5088  C:\Windows\system32\chcp.com  cmdline: chcp 65001
[18] PID 740  C:\Windows\system32\PING.EXE  cmdline: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
[18] PID 3436  C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
[19] PID 4064  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwgmjxzh39Pv.bat" "
[20] PID 448  C:\Windows\system32\chcp.com  cmdline: chcp 65001
[20] PID 1372  C:\Windows\system32\PING.EXE  cmdline: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
[20] PID 4792  C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
[21] PID 4644  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4STQcweGkASl.bat" "
[22] PID 4796  C:\Windows\system32\chcp.com  cmdline: chcp 65001
[22] PID 4112  C:\Windows\system32\PING.EXE  cmdline: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
[22] PID 2072  C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
[23] PID 2232  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gZL6XnkGQP65.bat" "
[24] PID 532  C:\Windows\system32\chcp.com  cmdline: chcp 65001
[24] PID 1572  C:\Windows\system32\PING.EXE  cmdline: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
[24] PID 4056  C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
[25] PID 1480  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v7zayhLiXGx4.bat" "
[26] PID 1956  C:\Windows\system32\chcp.com  cmdline: chcp 65001
[26] PID 1224  C:\Windows\system32\PING.EXE  cmdline: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
[26] PID 4848  C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
[27] PID 3352  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K7dz2InmZd7q.bat" "
[28] PID 2600  C:\Windows\system32\chcp.com  cmdline: chcp 65001
[28] PID 1260  C:\Windows\system32\PING.EXE  cmdline: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
[28] PID 1004  C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
[29] PID 4276  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8dwpZxdeJyrf.bat" "
[30] PID 1816  C:\Windows\system32\chcp.com  cmdline: chcp 65001
[30] PID 1324  C:\Windows\system32\PING.EXE  cmdline: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
[30] PID 2716  C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
[31] PID 3256  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9XaKpqPobLoO.bat" "
[32] PID 5088  C:\Windows\system32\chcp.com  cmdline: chcp 65001
[32] PID 4648  C:\Windows\system32\PING.EXE  cmdline: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
MITRE ATT&CK Enterprise v15
Downloads