Analysis
-
max time kernel
922s -
max time network
849s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
01-12-2024 21:29
General
-
Target
liberium executor.exe
-
Size
3.1MB
-
MD5
a83c74ddda692ff3e4279ef4d1e1ab6b
-
SHA1
f807912389ed16a9d7ac3e3e7b73282658c6ecf0
-
SHA256
46136025a4d84640710a3c3ab05588b2ff288c7294ea3d855061b67609839cf6
-
SHA512
70b79b90362b50fa52762554161f962535aff171f4cf3147afb960b5aba302cc8d969eb2168f331653b114b4199201be4ef5cd3bb97c67547708e2622e72874b
-
SSDEEP
49152:Svdt62XlaSFNWPjljiFa2RoUYIsSDsKdpvVoGdqTHHB72eh2NT:Svf62XlaSFNWPjljiFXRoUYIsCsE
Score
10/10
Malware Config
Extracted
Family
quasar
Version
1.4.1
Botnet
Office04
C2
192.0.0.0.1:4782
Mutex
92adbb05-a27e-42e8-b9a2-c260d01e742b
Attributes
-
encryption_key
46B4B3697EBEA35C7930856CF4E60FB52D50DE37
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
executor
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
A potential corporate email address has been identified in the URL: 6633dd5dcff475e6fb744426_&@2x.png
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Runs ping.exe 1 TTPs 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\liberium executor.exe"C:\Users\Admin\AppData\Local\Temp\liberium executor.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqZsAAIjaG43.bat" "3⤵
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f5⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2MNFUnZxL8Mc.bat" "5⤵
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lTnp6K60TrZl.bat" "7⤵
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f9⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0rvuHqCZPsHI.bat" "9⤵
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f11⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vw1G8XCL9gXv.bat" "11⤵
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f13⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ebBymdyOwvax.bat" "13⤵
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f15⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TchHSeHvxbCf.bat" "15⤵
-
C:\Windows\system32\chcp.comchcp 6500116⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f17⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmMpgfZxLFfB.bat" "17⤵
-
C:\Windows\system32\chcp.comchcp 6500118⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f19⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqNVQMjpwSaJ.bat" "19⤵
-
C:\Windows\system32\chcp.comchcp 6500120⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"20⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f21⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SXzE6imRchzi.bat" "21⤵
-
C:\Windows\system32\chcp.comchcp 6500122⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost22⤵
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f23⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6MHAjiXyxqAS.bat" "23⤵
-
C:\Windows\system32\chcp.comchcp 6500124⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost24⤵
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f25⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AiHo3L2aeUKN.bat" "25⤵
-
C:\Windows\system32\chcp.comchcp 6500126⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost26⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f27⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gHCDcwWq1Jao.bat" "27⤵
-
C:\Windows\system32\chcp.comchcp 6500128⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost28⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f29⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0WO9l7qOp6y2.bat" "29⤵
-
C:\Windows\system32\chcp.comchcp 6500130⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost30⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f31⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3fYGzNZAhU93.bat" "31⤵
-
C:\Windows\system32\chcp.comchcp 6500132⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost32⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f33⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OtnTadpAtsHo.bat" "33⤵
-
C:\Windows\system32\chcp.comchcp 6500134⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost34⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f35⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n29g1IibaJQG.bat" "35⤵
-
C:\Windows\system32\chcp.comchcp 6500136⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost36⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"36⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f37⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zT3K4mrhL3DI.bat" "37⤵
-
C:\Windows\system32\chcp.comchcp 6500138⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost38⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"38⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f39⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cC8iUWbUrWQm.bat" "39⤵
-
C:\Windows\system32\chcp.comchcp 6500140⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost40⤵
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"40⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f41⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIUHtUfdQcLJ.bat" "41⤵
-
C:\Windows\system32\chcp.comchcp 6500142⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost42⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f43⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEzxrTutMYyB.bat" "43⤵
-
C:\Windows\system32\chcp.comchcp 6500144⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost44⤵
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"44⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f45⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikUZiQ4XisGM.bat" "45⤵
-
C:\Windows\system32\chcp.comchcp 6500146⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost46⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f47⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCoLjtAZvlAa.bat" "47⤵
-
C:\Windows\system32\chcp.comchcp 6500148⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost48⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"48⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f49⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RdM43kcFQ3rZ.bat" "49⤵
-
C:\Windows\system32\chcp.comchcp 6500150⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost50⤵
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"50⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f51⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3DsEi7W75yLo.bat" "51⤵
-
C:\Windows\system32\chcp.comchcp 6500152⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost52⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"52⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f53⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v6VVzEzIuVtY.bat" "53⤵
-
C:\Windows\system32\chcp.comchcp 6500154⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost54⤵
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"54⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f55⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAv551RGKiNK.bat" "55⤵
-
C:\Windows\system32\chcp.comchcp 6500156⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost56⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"56⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f57⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q25wKvcKIHPq.bat" "57⤵
-
C:\Windows\system32\chcp.comchcp 6500158⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost58⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"58⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f59⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wo8ks4LxIWQz.bat" "59⤵
-
C:\Windows\system32\chcp.comchcp 6500160⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost60⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"60⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f61⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ctkyNbgN7O2h.bat" "61⤵
-
C:\Windows\system32\chcp.comchcp 6500162⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost62⤵
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"62⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f63⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCtUV9nTZqZ4.bat" "63⤵
-
C:\Windows\system32\chcp.comchcp 6500164⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost64⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"64⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f65⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4899UZxnZyX0.bat" "65⤵
-
C:\Windows\system32\chcp.comchcp 6500166⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost66⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"66⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f67⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSqtTvlF7Dj0.bat" "67⤵
-
C:\Windows\system32\chcp.comchcp 6500168⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost68⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"68⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f69⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X0bF0OLphoIw.bat" "69⤵
-
C:\Windows\system32\chcp.comchcp 6500170⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost70⤵
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"70⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f71⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pnh4OL1pUJxl.bat" "71⤵
-
C:\Windows\system32\chcp.comchcp 6500172⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost72⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"72⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f73⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4dNmaj1egvDN.bat" "73⤵
-
C:\Windows\system32\chcp.comchcp 6500174⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost74⤵
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"74⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f75⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IHGuG6vb9FTL.bat" "75⤵
-
C:\Windows\system32\chcp.comchcp 6500176⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost76⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"76⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f77⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w0Ww7OH79OQT.bat" "77⤵
-
C:\Windows\system32\chcp.comchcp 6500178⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost78⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"78⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f79⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EpL0jVASX9aQ.bat" "79⤵
-
C:\Windows\system32\chcp.comchcp 6500180⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost80⤵
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"80⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f81⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqYiKPiR4tDA.bat" "81⤵
-
C:\Windows\system32\chcp.comchcp 6500182⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost82⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"82⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f83⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\761HKn3Z83W2.bat" "83⤵
-
C:\Windows\system32\chcp.comchcp 6500184⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost84⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"84⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f85⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7SzUEdTGNy8U.bat" "85⤵
-
C:\Windows\system32\chcp.comchcp 6500186⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost86⤵
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"86⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f87⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwsC0zjdrcMU.bat" "87⤵
-
C:\Windows\system32\chcp.comchcp 6500188⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost88⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"88⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f89⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UVqsaudaBl5f.bat" "89⤵
-
C:\Windows\system32\chcp.comchcp 6500190⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost90⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"90⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f91⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kzTK5IZH9zNz.bat" "91⤵
-
C:\Windows\system32\chcp.comchcp 6500192⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost92⤵
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"92⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f93⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4dWIGto04Crx.bat" "93⤵
-
C:\Windows\system32\chcp.comchcp 6500194⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost94⤵
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"94⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f95⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hi1RIkTOZRT3.bat" "95⤵
-
C:\Windows\system32\chcp.comchcp 6500196⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost96⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"96⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f97⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDzJjFPrna65.bat" "97⤵
-
C:\Windows\system32\chcp.comchcp 6500198⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost98⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"98⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f99⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQvZrwIurU8b.bat" "99⤵
-
C:\Windows\system32\chcp.comchcp 65001100⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost100⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"100⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f101⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yRtpiYkRkVvb.bat" "101⤵
-
C:\Windows\system32\chcp.comchcp 65001102⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost102⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"102⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f103⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ti9iXbVicjvC.bat" "103⤵
-
C:\Windows\system32\chcp.comchcp 65001104⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost104⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"104⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f105⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b4TqQq8n7Pwb.bat" "105⤵
-
C:\Windows\system32\chcp.comchcp 65001106⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost106⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"106⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f107⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uzZ9hM6HfweG.bat" "107⤵
-
C:\Windows\system32\chcp.comchcp 65001108⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost108⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"108⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f109⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vpZQJ5Tt5ufX.bat" "109⤵
-
C:\Windows\system32\chcp.comchcp 65001110⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost110⤵
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"110⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f111⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MY5v5Xa1wJn7.bat" "111⤵
-
C:\Windows\system32\chcp.comchcp 65001112⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"112⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f113⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\88e7qjIYJ9FQ.bat" "113⤵
-
C:\Windows\system32\chcp.comchcp 65001114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost114⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"114⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f115⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BnI1iqU9xkU5.bat" "115⤵
-
C:\Windows\system32\chcp.comchcp 65001116⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost116⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"116⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f117⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LB4t4AVfIoVo.bat" "117⤵
-
C:\Windows\system32\chcp.comchcp 65001118⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost118⤵
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"118⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f119⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fvscXKyFFW2n.bat" "119⤵
-
C:\Windows\system32\chcp.comchcp 65001120⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost120⤵
- Runs ping.exe
-
-
C:\Program Files\SubDir\Client.exe"C:\Program Files\SubDir\Client.exe"120⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f121⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-