Analysis
-
max time kernel
146s
max time network
139s
platform
windows7_x64
resource
win7-20241010-en
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted
13/12/2024, 10:02
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win7-20241010-en
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
ee86735f1427e86dcbba39339cecfe15
-
SHA1
cd492443264bdae1f0a5e5f16e57af3d1819a3ec
-
SHA256
655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995
-
SHA512
59309d24c6df7d66033afe1aac2a7cc734438c3a6dfd02ad8a20299216fee4417dd10931a283366cbf42dea2b83b3e451527817c084bb20aac4c9800c68b82b1
-
SSDEEP
49152:2v9t62XlaSFNWPjljiFa2RoUYI8IRJ6ibR3LoGdeoYtTHHB72eh2NT:2v/62XlaSFNWPjljiFXRoUYI8IRJ6c
Malware Config
Extracted
quasar
1.4.1
Qussa
ggergejhijseih.myvnc.com:47820
5910e19f-3073-4c42-a174-513d316126e7
-
encryption_key
7A23123B6E1E0CCDB27477C6C7654C7BE2FEDE54
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
xml
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 13 IoCs
resource                                                                     yara_rule
behavioral1/memory/804-1-0x00000000001E0000-0x0000000000504000-memory.dmp    family_quasar
behavioral1/files/0x0009000000016ace-6.dat                                   family_quasar
behavioral1/memory/2016-9-0x0000000001390000-0x00000000016B4000-memory.dmp   family_quasar
behavioral1/memory/2652-23-0x00000000002D0000-0x00000000005F4000-memory.dmp  family_quasar
behavioral1/memory/384-34-0x00000000001A0000-0x00000000004C4000-memory.dmp   family_quasar
behavioral1/memory/1068-45-0x00000000011C0000-0x00000000014E4000-memory.dmp  family_quasar
behavioral1/memory/1592-76-0x0000000000220000-0x0000000000544000-memory.dmp  family_quasar
behavioral1/memory/868-88-0x0000000001050000-0x0000000001374000-memory.dmp   family_quasar
behavioral1/memory/1616-99-0x00000000010C0000-0x00000000013E4000-memory.dmp  family_quasar
behavioral1/memory/1176-110-0x0000000000180000-0x00000000004A4000-memory.dmp family_quasar
behavioral1/memory/2028-122-0x0000000001040000-0x0000000001364000-memory.dmp family_quasar
behavioral1/memory/1716-133-0x0000000000350000-0x0000000000674000-memory.dmp family_quasar
behavioral1/memory/2216-145-0x0000000000F30000-0x0000000001254000-memory.dmp family_quasar
Executes dropped EXE 13 IoCs
pid   Process
2016  Client.exe
2652  Client.exe
384   Client.exe
1068  Client.exe
1164  Client.exe
2580  Client.exe
1592  Client.exe
868   Client.exe
1616  Client.exe
1176  Client.exe
2028  Client.exe
1716  Client.exe
2216  Client.exe
Drops file in System32 directory 29 IoCs
description                   ioc                                     Process
File opened for modification  C:\Windows\system32\SubDir              Client.exe
File opened for modification  C:\Windows\system32\SubDir\Client.exe   Client.exe
File opened for modification  C:\Windows\system32\SubDir              Client.exe
File opened for modification  C:\Windows\system32\SubDir              Client.exe
File opened for modification  C:\Windows\system32\SubDir              Client.exe
File opened for modification  C:\Windows\system32\SubDir\Client.exe   Client.exe
File opened for modification  C:\Windows\system32\SubDir              Client.exe
File opened for modification  C:\Windows\system32\SubDir              Client-built.exe
File opened for modification  C:\Windows\system32\SubDir              Client.exe
File opened for modification  C:\Windows\system32\SubDir\Client.exe   Client.exe
File opened for modification  C:\Windows\system32\SubDir              Client.exe
File opened for modification  C:\Windows\system32\SubDir\Client.exe   Client.exe
File opened for modification  C:\Windows\system32\SubDir\Client.exe   Client.exe
File opened for modification  C:\Windows\system32\SubDir\Client.exe   Client.exe
File created                  C:\Windows\system32\SubDir\Client.exe   Client-built.exe
File opened for modification  C:\Windows\system32\SubDir              Client.exe
File opened for modification  C:\Windows\system32\SubDir\Client.exe   Client.exe
File opened for modification  C:\Windows\system32\SubDir\Client.exe   Client.exe
File opened for modification  C:\Windows\system32\SubDir\Client.exe   Client-built.exe
File opened for modification  C:\Windows\system32\SubDir              Client.exe
File opened for modification  C:\Windows\system32\SubDir\Client.exe   Client.exe
File opened for modification  C:\Windows\system32\SubDir              Client.exe
File opened for modification  C:\Windows\system32\SubDir              Client.exe
File opened for modification  C:\Windows\system32\SubDir\Client.exe   Client.exe
File opened for modification  C:\Windows\system32\SubDir\Client.exe   Client.exe
File opened for modification  C:\Windows\system32\SubDir              Client.exe
File opened for modification  C:\Windows\system32\SubDir              Client.exe
File opened for modification  C:\Windows\system32\SubDir\Client.exe   Client.exe
File opened for modification  C:\Windows\system32\SubDir\Client.exe   Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
2704  PING.EXE
2644  PING.EXE
432   PING.EXE
2956  PING.EXE
2844  PING.EXE
1744  PING.EXE
2252  PING.EXE
2408  PING.EXE
2708  PING.EXE
1900  PING.EXE
1688  PING.EXE
864   PING.EXE
3044  PING.EXE
Runs ping.exe 1 TTPs 13 IoCs
pid   Process
432   PING.EXE
2956  PING.EXE
2844  PING.EXE
2704  PING.EXE
2644  PING.EXE
2708  PING.EXE
1900  PING.EXE
1688  PING.EXE
864   PING.EXE
3044  PING.EXE
2252  PING.EXE
1744  PING.EXE
2408  PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1668  schtasks.exe
2556  schtasks.exe
2704  schtasks.exe
2192  schtasks.exe
2768  schtasks.exe
1148  schtasks.exe
2548  schtasks.exe
2684  schtasks.exe
2104  schtasks.exe
2508  schtasks.exe
936   schtasks.exe
2660  schtasks.exe
3068  schtasks.exe
1588  schtasks.exe
Suspicious use of AdjustPrivilegeToken 14 IoCs
description               pid   Process
Token: SeDebugPrivilege   804   Client-built.exe
Token: SeDebugPrivilege   2016  Client.exe
Token: SeDebugPrivilege   2652  Client.exe
Token: SeDebugPrivilege   384   Client.exe
Token: SeDebugPrivilege   1068  Client.exe
Token: SeDebugPrivilege   1164  Client.exe
Token: SeDebugPrivilege   2580  Client.exe
Token: SeDebugPrivilege   1592  Client.exe
Token: SeDebugPrivilege   868   Client.exe
Token: SeDebugPrivilege   1616  Client.exe
Token: SeDebugPrivilege   1176  Client.exe
Token: SeDebugPrivilege   2028  Client.exe
Token: SeDebugPrivilege   1716  Client.exe
Token: SeDebugPrivilege   2216  Client.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                         pid   Process           procid_target
PID 804 wrote to memory of 2556     804   Client-built.exe  31
PID 804 wrote to memory of 2556     804   Client-built.exe  31
PID 804 wrote to memory of 2556     804   Client-built.exe  31
PID 804 wrote to memory of 2016     804   Client-built.exe  33
PID 804 wrote to memory of 2016     804   Client-built.exe  33
PID 804 wrote to memory of 2016     804   Client-built.exe  33
PID 2016 wrote to memory of 2768    2016  Client.exe        34
PID 2016 wrote to memory of 2768    2016  Client.exe        34
PID 2016 wrote to memory of 2768    2016  Client.exe        34
PID 2016 wrote to memory of 2736    2016  Client.exe        36
PID 2016 wrote to memory of 2736    2016  Client.exe        36
PID 2016 wrote to memory of 2736    2016  Client.exe        36
PID 2736 wrote to memory of 3020    2736  cmd.exe           38
PID 2736 wrote to memory of 3020    2736  cmd.exe           38
PID 2736 wrote to memory of 3020    2736  cmd.exe           38
PID 2736 wrote to memory of 2644    2736  cmd.exe           39
PID 2736 wrote to memory of 2644    2736  cmd.exe           39
PID 2736 wrote to memory of 2644    2736  cmd.exe           39
PID 2736 wrote to memory of 2652    2736  cmd.exe           40
PID 2736 wrote to memory of 2652    2736  cmd.exe           40
PID 2736 wrote to memory of 2652    2736  cmd.exe           40
PID 2652 wrote to memory of 2104    2652  Client.exe        41
PID 2652 wrote to memory of 2104    2652  Client.exe        41
PID 2652 wrote to memory of 2104    2652  Client.exe        41
PID 2652 wrote to memory of 1692    2652  Client.exe        43
PID 2652 wrote to memory of 1692    2652  Client.exe        43
PID 2652 wrote to memory of 1692    2652  Client.exe        43
PID 1692 wrote to memory of 3016    1692  cmd.exe           45
PID 1692 wrote to memory of 3016    1692  cmd.exe           45
PID 1692 wrote to memory of 3016    1692  cmd.exe           45
PID 1692 wrote to memory of 2708    1692  cmd.exe           46
PID 1692 wrote to memory of 2708    1692  cmd.exe           46
PID 1692 wrote to memory of 2708    1692  cmd.exe           46
PID 1692 wrote to memory of 384     1692  cmd.exe           47
PID 1692 wrote to memory of 384     1692  cmd.exe           47
PID 1692 wrote to memory of 384     1692  cmd.exe           47
PID 384 wrote to memory of 2508     384   Client.exe        48
PID 384 wrote to memory of 2508     384   Client.exe        48
PID 384 wrote to memory of 2508     384   Client.exe        48
PID 384 wrote to memory of 1884     384   Client.exe        50
PID 384 wrote to memory of 1884     384   Client.exe        50
PID 384 wrote to memory of 1884     384   Client.exe        50
PID 1884 wrote to memory of 1896    1884  cmd.exe           52
PID 1884 wrote to memory of 1896    1884  cmd.exe           52
PID 1884 wrote to memory of 1896    1884  cmd.exe           52
PID 1884 wrote to memory of 1900    1884  cmd.exe           53
PID 1884 wrote to memory of 1900    1884  cmd.exe           53
PID 1884 wrote to memory of 1900    1884  cmd.exe           53
PID 1884 wrote to memory of 1068    1884  cmd.exe           54
PID 1884 wrote to memory of 1068    1884  cmd.exe           54
PID 1884 wrote to memory of 1068    1884  cmd.exe           54
PID 1068 wrote to memory of 936     1068  Client.exe        55
PID 1068 wrote to memory of 936     1068  Client.exe        55
PID 1068 wrote to memory of 936     1068  Client.exe        55
PID 1068 wrote to memory of 1180    1068  Client.exe        57
PID 1068 wrote to memory of 1180    1068  Client.exe        57
PID 1068 wrote to memory of 1180    1068  Client.exe        57
PID 1180 wrote to memory of 1064    1180  cmd.exe           59
PID 1180 wrote to memory of 1064    1180  cmd.exe           59
PID 1180 wrote to memory of 1064    1180  cmd.exe           59
PID 1180 wrote to memory of 432     1180  cmd.exe           60
PID 1180 wrote to memory of 432     1180  cmd.exe           60
PID 1180 wrote to memory of 432     1180  cmd.exe           60
PID 1180 wrote to memory of 1164    1180  cmd.exe           61
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe (level 1)
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804
C:\Windows\system32\schtasks.exe (level 2)
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:2556
-
-
C:\Windows\system32\SubDir\Client.exe (level 2)
  "C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
C:\Windows\system32\schtasks.exe (level 3)
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:2768
-
-
C:\Windows\system32\cmd.exe (level 3)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LrwZE9yysF9w.bat" "
- Suspicious use of WriteProcessMemory
PID:2736
C:\Windows\system32\chcp.com (level 4)
  chcp 65001
PID:3020
-
-
C:\Windows\system32\PING.EXE (level 4)
  ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2644
-
-
C:\Windows\system32\SubDir\Client.exe (level 4)
  "C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652
C:\Windows\system32\schtasks.exe (level 5)
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:2104
-
-
C:\Windows\system32\cmd.exe (level 5)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Qwf9Bm3R5Nm1.bat" "
- Suspicious use of WriteProcessMemory
PID:1692
C:\Windows\system32\chcp.com (level 6)
  chcp 65001
PID:3016
-
-
C:\Windows\system32\PING.EXE (level 6)
  ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2708
-
-
C:\Windows\system32\SubDir\Client.exe (level 6)
  "C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384
C:\Windows\system32\schtasks.exe (level 7)
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:2508
-
-
C:\Windows\system32\cmd.exe (level 7)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\U1cO7TgBsYcW.bat" "
- Suspicious use of WriteProcessMemory
PID:1884
C:\Windows\system32\chcp.com (level 8)
  chcp 65001
PID:1896
-
-
C:\Windows\system32\PING.EXE (level 8)
  ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1900
-
-
C:\Windows\system32\SubDir\Client.exe (level 8)
  "C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068
C:\Windows\system32\schtasks.exe (level 9)
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:936
-
-
C:\Windows\system32\cmd.exe (level 9)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\GKuSiLOmPGN2.bat" "
- Suspicious use of WriteProcessMemory
PID:1180
C:\Windows\system32\chcp.com (level 10)
  chcp 65001
PID:1064
-
-
C:\Windows\system32\PING.EXE (level 10)
  ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:432
-
-
C:\Windows\system32\SubDir\Client.exe (level 10)
  "C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1164
C:\Windows\system32\schtasks.exe (level 11)
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:1148
-
-
C:\Windows\system32\cmd.exe (level 11)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\TRxwqxbeSGbv.bat" "
PID:1724
-
C:\Windows\system32\chcp.com (level 12)
  chcp 65001
PID:1056
-
-
C:\Windows\system32\PING.EXE (level 12)
  ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1688
-
-
C:\Windows\system32\SubDir\Client.exe (level 12)
  "C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2580
C:\Windows\system32\schtasks.exe (level 13)
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:2704
-
-
C:\Windows\system32\cmd.exe (level 13)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\WF1KZqeK4d3p.bat" "
PID:1820
-
C:\Windows\system32\chcp.com (level 14)
  chcp 65001
PID:1360
-
-
C:\Windows\system32\PING.EXE (level 14)
  ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:864
-
-
C:\Windows\system32\SubDir\Client.exe (level 14)
  "C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1592
C:\Windows\system32\schtasks.exe (level 15)
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:2548
-
-
C:\Windows\system32\cmd.exe (level 15)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\g8HCdYpWOwi1.bat" "
PID:2936
-
C:\Windows\system32\chcp.com (level 16)
  chcp 65001
PID:2772
-
-
C:\Windows\system32\PING.EXE (level 16)
  ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3044
-
-
C:\Windows\system32\SubDir\Client.exe (level 16)
  "C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:868
C:\Windows\system32\schtasks.exe (level 17)
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:2192
-
-
C:\Windows\system32\cmd.exe (level 17)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\OFgfemfohyD2.bat" "
PID:2052
-
C:\Windows\system32\chcp.com (level 18)
  chcp 65001
PID:2736
-
-
C:\Windows\system32\PING.EXE (level 18)
  ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2956
-
-
C:\Windows\system32\SubDir\Client.exe (level 18)
  "C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1616
C:\Windows\system32\schtasks.exe (level 19)
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:2684
-
-
C:\Windows\system32\cmd.exe (level 19)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LjR0jmUuFH18.bat" "
PID:2608
-
C:\Windows\system32\chcp.com (level 20)
  chcp 65001
PID:2708
-
-
C:\Windows\system32\PING.EXE (level 20)
  ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2844
-
-
C:\Windows\system32\SubDir\Client.exe (level 20)
  "C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1176
C:\Windows\system32\schtasks.exe (level 21)
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:2660
-
-
C:\Windows\system32\cmd.exe (level 21)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tsSA8zogScQ6.bat" "
PID:1484
-
C:\Windows\system32\chcp.com (level 22)
  chcp 65001
PID:2096
-
-
C:\Windows\system32\PING.EXE (level 22)
  ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2252
-
-
C:\Windows\system32\SubDir\Client.exe (level 22)
  "C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2028
C:\Windows\system32\schtasks.exe (level 23)
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:3068
-
-
C:\Windows\system32\cmd.exe (level 23)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ycTS0bxjQ2uv.bat" "
PID:1016
-
C:\Windows\system32\chcp.com (level 24)
  chcp 65001
PID:612
-
-
C:\Windows\system32\PING.EXE (level 24)
  ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1744
-
-
C:\Windows\system32\SubDir\Client.exe (level 24)
  "C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1716
C:\Windows\system32\schtasks.exe (level 25)
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:1588
-
-
C:\Windows\system32\cmd.exe (level 25)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SspW5iAUYz1t.bat" "
PID:1976
-
C:\Windows\system32\chcp.com (level 26)
  chcp 65001
PID:3028
-
-
C:\Windows\system32\PING.EXE (level 26)
  ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2704
-
-
C:\Windows\system32\SubDir\Client.exe (level 26)
  "C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2216
C:\Windows\system32\schtasks.exe (level 27)
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:1668
-
-
C:\Windows\system32\cmd.exe (level 27)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\nyFkJReUsmZp.bat" "
PID:1652
-
C:\Windows\system32\chcp.com (level 28)
  chcp 65001
PID:1040
-
-
C:\Windows\system32\PING.EXE (level 28)
  ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2408
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
196B
MD5 f0e0999795ba1dd5b6b83df0f99f54ac
SHA1 18aeba197f34d74b90223b5a7e81a8f286b2ce86
SHA256 4f3ff93d29cfd66754e4e3a5d51f6e11c9587447a9262e23d77b55fe9c6fa3e4
SHA512 4a38b45895ee29fe9911711b78b41c7bfadfc99ae086e1ad5ad041364d25c559bb58066c5fdbf987faab9add8a40dae4fa6859a6da4153d5b8512fd47d3e336b
-
Filesize
196B
MD5 3212075557bd98861c8b7244286df877
SHA1 12d5a2e3549958fda0c61798285d96619ddaf3c1
SHA256 c03968a6575f6b2b7b36b25d1d0ce8e2b8b0ca9ddb829ea40a6ff13c0aae91ab
SHA512 ae8659b2b028ae2a7809d3a842c0897b17bcf9bf3be10acee693c4b6989fa448ed9be4a712f11403a14cba90653ba5e039f66fb1233406d23fc2638f86a6b153
-
Filesize
196B
MD5 409445da622b6b556ada4721d096b827
SHA1 ae16834639d1bcbd31deeb730129c6b91412fdce
SHA256 afa0a64e0cb428549b84a16e9585ae4855ef51a4eda1033d259339b217099461
SHA512 60a21e19d004665ed2b0c83daf0c79d3d78e9dc736007a31b0afd6baee264c6db833aeb884093040298b1e120617d8b6696a577cc1e362708ddd4aa3a95c2cc6
-
Filesize
196B
MD5 e497198a67d35244b52a91d66a67103c
SHA1 7340b198bad2d4ded39cc0ac4c70bc78c0ed6307
SHA256 f64e182b24fd23997ad6cd2a81d1d408a8db03a7cb2594e12f78161cd70fe263
SHA512 6aee5d46e87f60d664dd3216f18dd01768ce2a522f03a611323bd666d6f114fb37d4afbc5ce9490a793c135552ff7e0d95e6fc841d4a981a1c0abf306a9d927d
-
Filesize
196B
MD5 6c25600f6c12983cea03c95ec05a746f
SHA1 db360b05462178d250d7321373f416a7d5f14369
SHA256 9ca8aaf9e0991c11900fa2897d23f1356ba95c87318bbbdf02d4e48e85426fc9
SHA512 6dbea61a1b3fb0946d388caf53da012aa76c5d074c5ffbf89345f7e63f562acf1d8be90d4a8bedc056fe67335ef32da3e6ffb1c8ff05ef9084c89e0136b77a98
-
Filesize
196B
MD5 cef38236611b1130471e5b1500ce1632
SHA1 07df991cad0181b2852fc6ead2a085b361e15591
SHA256 f80c121642326c897bd31a725323b177f6a12d96db75deaf407285efe669fcf6
SHA512 d7b286fc6ff3bdfd61d04ade91cd29f3b647ea6dea7cad5c11d29da400b3a947436f05aa666b4643ae6f35981ef092eba5df0599ca175a0fd821106ec7b598de
-
Filesize
196B
MD5 f126d481467833c60da0b5bd9965b210
SHA1 3aa16582858d790056edec9c77f332078b71c37a
SHA256 776d5d8aa1f70183bd87c0a780136f4797f8740884a4a6701bb19423bd6fc1a9
SHA512 b5897e025903e0df43fa22c80b1af28c97ab66e3bc4cfc3c6a8ada2c5ca46f0ca3a0e4313d0c1a8393dc3c3a1eeac1d2c3d9abf4e21c5dacec8a6b2fda8aabb5
-
Filesize
196B
MD5 971771ddfecefdd3c11c06b5b4e008c7
SHA1 63fbd90c08d7e9ba465375f509ab90645c47223a
SHA256 ee9baf750ef8a17768a72f64d7a9c6d85fbfbdcdd17565bd64e67f27d8bbd02b
SHA512 3e7f2b47c082c7e40fb2bf4e312ad81953055cc2ef6f50846003d103fee0e25609165608b5fcb278b37d29c4e4709692036d7f42060be31165b1ec6aaecde6aa
-
Filesize
196B
MD5 55c10b3586e9a24e9a4fce4363f56a7b
SHA1 a22273d636a425568a3c540e7d79518648c5e13a
SHA256 416a2eaecfde578005f11a00457cf7e6f5b43ff31cbb1bb9d143ed94818d84e0
SHA512 791add404da96642029d04d0d11c01d0128b655693053b9b6f05abe1a6d0da24ca63791c305e2a73f74ae2e5958a1b70a0e70be0a6042b50cdfacdad41c9b67d
-
Filesize
196B
MD5 f917ceed997cbe321734983f0193da34
SHA1 2b53ed5d0ed27a8f76b9f9444c4f9a4d3009211e
SHA256 bfa5b7345a3fb7f5409aceb58c0933259d4fd00fc9972bc1c7e736b2d92fe894
SHA512 658f0f62583ffe13afd9bc5a31a80931664e3141e8934e016a04abb2cba49b18342e5665b3ac7c3151468223d8aa7ba83cdb65063865a54deaf1a2f34f3c59e9
-
Filesize
196B
MD5 90b76b7e4842d2290a7cc5fc303a23a4
SHA1 09de10d9756073d3dea5f30621859784347d7151
SHA256 c97b67e913af8385111bffe3a462a5fb40ca189efb45941a720380a7a06cf6e2
SHA512 2ad1fb01fb836c847e3fa1cbb0f8dd9bfc1b16c255aa2392232f820add592064148a7f061aa513a9b5eb50bd4859a0401bd001fa24d59f36e36d958bbff870f5
-
Filesize
196B
MD5 50a40b468f3a9df4975ac08aff04d93d
SHA1 718421f2adea81c6dbb66d91effe90e8da49c0e7
SHA256 f7a92a09f94ec07ea21dd75bcefee8b0c18042f9cd17ec4a83a24dd1a780173c
SHA512 4ad2b298a9d4fa07e24f2d2195a0e0558fb0265b655d0a64678d52d326e136296a7faa7115c2d8c811462eb1809b7433777ec592a7a30c536339cf0a0c68bb4e
-
Filesize
196B
MD5 19df1b417a541f9bea6e765e2838ad73
SHA1 53b1a00f689c531d324547ed059b241f5289ac9a
SHA256 ecbdbc8576cd3e7854ff6d4aaf2346c9380f34c7c88f49c31a22451658c7ea00
SHA512 7ea937ffbaa4d22ec3c99f80936cce342c3fb1c8aa9b1e00888c607d7e6e08b58906a5cde57a1ffdbf6e54c3fcf4a830e7c42bed50e8e1b11746d4a6d67c74a7
-
Filesize
3.1MB
MD5 ee86735f1427e86dcbba39339cecfe15
SHA1 cd492443264bdae1f0a5e5f16e57af3d1819a3ec
SHA256 655d2103255a0ec7e0aa4b488d75499ce880428fdcc2831bfdc52987b4660995
SHA512 59309d24c6df7d66033afe1aac2a7cc734438c3a6dfd02ad8a20299216fee4417dd10931a283366cbf42dea2b83b3e451527817c084bb20aac4c9800c68b82b1