Analysis

max time kernel: 148s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 14-12-2024 11:47

Behavioral task: behavioral1
Sample: 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Resource: win7-20241010-en

General

Target: 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Size: 3.1MB
MD5: 239c5f964b458a0a935a4b42d74bcbda
SHA1: 7a037d3bd8817adf6e58734b08e807a84083f0ce
SHA256: 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c
SHA512: 2e9e95d5097ce751d2a641a8fc7f8bc824a525a07bc06cd8a60580405fad90543ffa3259e6b2b2e97a70a3c3ed03e73b29f7cb9ebd10e7c62eaef2078805be19
SSDEEP: 98304:mWV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvhk:JTQzG
Malware Config

Extracted
family: quasar
version: 1.4.1
botnet/tag: ZJEB
c2: VIPEEK1990-25013.portmap.host:25013
mutex: ad21b115-2c1b-40cb-adba-a50736b76c21
encryption_key: 3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows Security Service
subdirectory: SubDir

Two points a responder should take from this block. The C2 hostname is an endpoint on portmap.host, a public port-forwarding service, so blocking it cuts off this build but does not reveal the operator's own address. The startup_key, subdirectory and install_name values are exactly what the process tree below shows being written into the scheduled task: a logon task named "Windows Security Service" whose action is %APPDATA%\SubDir\Client.exe, run at the highest available integrity level.
Signatures

Quasar family

Quasar payload (7 IoCs)
resource  yara_rule
behavioral1/memory/2536-1-0x0000000000EC0000-0x00000000011E4000-memory.dmp  family_quasar
behavioral1/memory/2764-13-0x0000000000110000-0x0000000000434000-memory.dmp  family_quasar
behavioral1/memory/1748-23-0x0000000001390000-0x00000000016B4000-memory.dmp  family_quasar
behavioral1/memory/1188-88-0x0000000000060000-0x0000000000384000-memory.dmp  family_quasar
behavioral1/memory/2932-98-0x0000000000200000-0x0000000000524000-memory.dmp  family_quasar
behavioral1/memory/2464-108-0x0000000000990000-0x0000000000CB4000-memory.dmp  family_quasar
behavioral1/memory/2692-119-0x0000000000D20000-0x0000000001044000-memory.dmp  family_quasar
Every hit is a 0x324000-byte region (about 3.1 MiB, the size of the sample) at a different base in a different relaunched copy of the executable, i.e. the sample's own image as mapped, not an injected payload.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 14 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
Process PING.EXE, PIDs 3048, 2100, 2300, 2660, 1852, 1476, 2128, 1596, 2104, 3028, 540, 2940, 948, 1800
Caveat: every one of these invocations is "ping -n 10 localhost" (see the process tree), which never leaves the host. It is a sleep of roughly nine seconds (ten echo requests at one-second spacing) before the batch file relaunches the sample, so this mapping is the sandbox's generic tag for ping.exe rather than evidence of connectivity discovery.

Runs ping.exe (1 TTPs, 14 IoCs)
Process PING.EXE, PIDs 3028, 2128, 1800, 1596, 2104, 948, 3048, 540, 2660, 2100, 1476, 2300, 1852, 2940

Scheduled Task/Job: Scheduled Task (1 TTPs, 14 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process schtasks.exe, PIDs 2116, 2528, 2460, 2548, 1028, 1504, 2200, 2532, 2712, 2816, 2224, 1732, 2340, 1308

Suspicious use of AdjustPrivilegeToken (14 IoCs)
Token SeDebugPrivilege, process 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe, PIDs 2536, 2764, 1748, 2676, 2084, 1728, 1936, 544, 2828, 1188, 2932, 2464, 2692, 540

Suspicious use of WriteProcessMemory (64 IoCs)
Columns: description, pid, Process, procid_target. Each child launch is recorded as three consecutive writes into the newly created process, so the 64 events cover 22 launches and are a by-product of ordinary process creation, not of injection into a foreign process. The listing is cut off by the sandbox at 64 events.
PID 2536 wrote to memory of 2460 (x3), process 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe, procid_target 29
PID 2536 wrote to memory of 2844 (x3), process 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe, procid_target 31
PID 2844 wrote to memory of 2136 (x3), process cmd.exe, procid_target 33
PID 2844 wrote to memory of 3028 (x3), process cmd.exe, procid_target 34
PID 2844 wrote to memory of 2764 (x3), process cmd.exe, procid_target 35
PID 2764 wrote to memory of 2712 (x3), process 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe, procid_target 36
PID 2764 wrote to memory of 2248 (x3), process 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe, procid_target 38
PID 2248 wrote to memory of 2928 (x3), process cmd.exe, procid_target 40
PID 2248 wrote to memory of 3048 (x3), process cmd.exe, procid_target 41
PID 2248 wrote to memory of 1748 (x3), process cmd.exe, procid_target 42
PID 1748 wrote to memory of 2816 (x3), process 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe, procid_target 43
PID 1748 wrote to memory of 2932 (x3), process 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe, procid_target 45
PID 2932 wrote to memory of 2892 (x3), process cmd.exe, procid_target 47
PID 2932 wrote to memory of 2300 (x3), process cmd.exe, procid_target 48
PID 2932 wrote to memory of 2676 (x3), process cmd.exe, procid_target 49
PID 2676 wrote to memory of 2224 (x3), process 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe, procid_target 50
PID 2676 wrote to memory of 2464 (x3), process 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe, procid_target 52
PID 2464 wrote to memory of 468 (x3), process cmd.exe, procid_target 54
PID 2464 wrote to memory of 2128 (x3), process cmd.exe, procid_target 55
PID 2464 wrote to memory of 2084 (x3), process cmd.exe, procid_target 56
PID 2084 wrote to memory of 1732 (x3), process 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe, procid_target 57
PID 2084 wrote to memory of 808 (x1, listing truncated), process 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe, procid_target 59

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Note: the sandbox reuses PIDs within the 148 s run (2764, 2932, 2464 and 540 each appear twice below), so the PID lists in the signatures above identify events, not distinct processes. "level N" is the tree depth from the original report. Each odd level holds a fresh copy of the sample (from level 3 on, together with the chcp and ping helpers spawned by the batch file); each even level holds the schtasks registration and the cmd /c <random>.bat that restarts the sample. The same logon task is re-registered fourteen times with /f, which is why schtasks never errors on the duplicate name.

level 1  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2536

level 2  C:\Windows\system32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2460

level 2  C:\Windows\system32\cmd.exe
  command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Roy8nbAMUM4x.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 2844

level 3  C:\Windows\system32\chcp.com
  command: chcp 65001
  PID: 2136

level 3  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 3028

level 3  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2764

level 4  C:\Windows\system32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2712

level 4  C:\Windows\system32\cmd.exe
  command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3LugiHqmR1Se.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 2248

level 5  C:\Windows\system32\chcp.com
  command: chcp 65001
  PID: 2928

level 5  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 3048

level 5  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1748

level 6  C:\Windows\system32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2816

level 6  C:\Windows\system32\cmd.exe
  command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Mue6FYX7I8KB.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 2932

level 7  C:\Windows\system32\chcp.com
  command: chcp 65001
  PID: 2892

level 7  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2300

level 7  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2676

level 8  C:\Windows\system32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2224

level 8  C:\Windows\system32\cmd.exe
  command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\dY2rgYg3lVzA.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 2464

level 9  C:\Windows\system32\chcp.com
  command: chcp 65001
  PID: 468

level 9  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2128

level 9  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2084

level 10  C:\Windows\system32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 1732

level 10  C:\Windows\system32\cmd.exe
  command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\KsouTMlMxrVE.bat" "
  PID: 808

level 11  C:\Windows\system32\chcp.com
  command: chcp 65001
  PID: 604

level 11  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1596

level 11  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 1728

level 12  C:\Windows\system32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2548

level 12  C:\Windows\system32\cmd.exe
  command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\0tXMCCsKPNtf.bat" "
  PID: 1652

level 13  C:\Windows\system32\chcp.com
  command: chcp 65001
  PID: 1700

level 13  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 540

level 13  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 1936

level 14  C:\Windows\system32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2340

level 14  C:\Windows\system32\cmd.exe
  command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\fqrNSujUtuyH.bat" "
  PID: 2260

level 15  C:\Windows\system32\chcp.com
  command: chcp 65001
  PID: 2380

level 15  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2660

level 15  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 544

level 16  C:\Windows\system32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2116

level 16  C:\Windows\system32\cmd.exe
  command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\PsdsUcsPRf5F.bat" "
  PID: 3008

level 17  C:\Windows\system32\chcp.com
  command: chcp 65001
  PID: 2620

level 17  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1852

level 17  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 2828

level 18  C:\Windows\system32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 1308

level 18  C:\Windows\system32\cmd.exe
  command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\CSzZZeX2zVE0.bat" "
  PID: 2764

level 19  C:\Windows\system32\chcp.com
  command: chcp 65001
  PID: 2080

level 19  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2100

level 19  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 1188

level 20  C:\Windows\system32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2532

level 20  C:\Windows\system32\cmd.exe
  command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\4QKCar5IGt3Z.bat" "
  PID: 2960

level 21  C:\Windows\system32\chcp.com
  command: chcp 65001
  PID: 820

level 21  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2940

level 21  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 2932

level 22  C:\Windows\system32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 1028

level 22  C:\Windows\system32\cmd.exe
  command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\E8LWhUXKY5J5.bat" "
  PID: 1920

level 23  C:\Windows\system32\chcp.com
  command: chcp 65001
  PID: 2944

level 23  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2104

level 23  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 2464

level 24  C:\Windows\system32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2200

level 24  C:\Windows\system32\cmd.exe
  command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\wX9yiPMuisPI.bat" "
  PID: 268

level 25  C:\Windows\system32\chcp.com
  command: chcp 65001
  PID: 996

level 25  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 948

level 25  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 2692

level 26  C:\Windows\system32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2528

level 26  C:\Windows\system32\cmd.exe
  command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\kmqu6WmCST7S.bat" "
  PID: 1556

level 27  C:\Windows\system32\chcp.com
  command: chcp 65001
  PID: 916

level 27  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1476

level 27  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 540

level 28  C:\Windows\system32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 1504

level 28  C:\Windows\system32\cmd.exe
  command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\B6OalxcYdR2u.bat" "
  PID: 1676

level 29  C:\Windows\system32\chcp.com
  command: chcp 65001
  PID: 2368

level 29  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1800
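Both behaviours that make up the tree above, the logon-triggered highest-run-level task and the cmd /c <random>.bat, ping localhost, relaunch cycle, can be pulled out of process-creation telemetry mechanically. The Python below is an added example written for this page; it is neither sandbox output nor Quasar's own code. Its event tuples are constructed from levels 1 to 4 of the tree above plus one constructed benign daily task for contrast, and the field layout (ppid, pid, image, cmdline), the regexes and the function names are this example's own conventions, not the sandbox's export format.

```python
"""Flag the two Quasar behaviours visible in the process tree: the ONLOGON /rl HIGHEST
scheduled task and the cmd /c <random>.bat -> ping localhost -> relaunch cycle.

Added example for this page; not sandbox output and not Quasar code. Event tuples
are constructed from the report's process tree; the field layout is this script's own.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe")
TASK_CMD = ('"schtasks" /create /tn "Windows Security Service" /sc ONLOGON '
            r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f')

# (ppid, pid, image, cmdline): constructed from levels 1-4 of the tree above,
# plus one constructed benign daily task (pid 1001) that must NOT be flagged.
EVENTS = [
    (0,    2536, SAMPLE, f'"{SAMPLE}"'),
    (2536, 2460, r"C:\Windows\system32\schtasks.exe", TASK_CMD),
    (2536, 2844, r"C:\Windows\system32\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\Roy8nbAMUM4x.bat" "'),
    (2844, 2136, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    (2844, 3028, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    (2844, 2764, SAMPLE, f'"{SAMPLE}"'),
    (2764, 2712, r"C:\Windows\system32\schtasks.exe", TASK_CMD),
    (1000, 1001, r"C:\Windows\system32\schtasks.exe",
     r'"schtasks" /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\run.exe" /f'),
]

# Logon trigger + highest run level, with the task target captured for inspection.
LOGON_HIGHEST = re.compile(r'/sc\s+ONLOGON\b.*?/tr\s+"([^"]+)".*?/rl\s+HIGHEST', re.I)
# Targets under the user profile are writable without admin rights: classic RAT install dirs.
USER_WRITABLE = re.compile(r'\\AppData\\(Roaming|Local)\\', re.I)
TASK_NAME = re.compile(r'/tn\s+"([^"]+)"', re.I)
BAT_PATH = re.compile(r'([A-Za-z]:\\[^"]+?\.bat)', re.I)


def persistence_tasks(events):
    """Return (pid, task_name, target) for each schtasks /create that registers a
    logon-triggered, highest-run-level task whose target lives under AppData."""
    hits = []
    for _ppid, pid, image, cmd in events:
        if not image.lower().endswith("schtasks.exe") or "/create" not in cmd.lower():
            continue
        m = LOGON_HIGHEST.search(cmd)
        if m and USER_WRITABLE.search(m.group(1)):
            name = TASK_NAME.search(cmd)
            hits.append((pid, name.group(1) if name else "", m.group(1)))
    return hits


def restart_batches(events):
    """Return (cmd_pid, bat_path, relaunched_pid) for the restart shape Quasar uses:
    process A runs cmd /c <file>.bat; that cmd spawns ping against localhost (a sleep,
    not a connectivity test) and then a fresh copy of A's own image."""
    # Keyed on PID for this static snapshot; real telemetry must key on a process
    # GUID, because the report above shows PIDs being reused within one run.
    by_pid = {pid: (ppid, image, cmd) for ppid, pid, image, cmd in events}
    children = defaultdict(list)
    for ppid, pid, _image, _cmd in events:
        children[ppid].append(pid)
    hits = []
    for ppid, pid, image, cmd in events:
        if not image.lower().endswith("cmd.exe") or ppid not in by_pid:
            continue
        bat = BAT_PATH.search(cmd)
        if not bat:
            continue
        parent_image = by_pid[ppid][1].lower()
        kids = [(kid, by_pid[kid][1].lower(), by_pid[kid][2].lower()) for kid in children[pid]]
        slept = any(img.endswith("ping.exe") and ("localhost" in c or "127.0.0.1" in c)
                    for _kid, img, c in kids)
        relaunched = [kid for kid, img, _c in kids if img == parent_image]
        if slept and relaunched:
            hits.append((pid, bat.group(1), relaunched[0]))
    return hits


if __name__ == "__main__":
    for hit in persistence_tasks(EVENTS):
        print("logon task:", hit)
    for hit in restart_batches(EVENTS):
        print("restart batch:", hit)
```

The restart detector deliberately requires the relaunched image to equal the image of the batch file's grandparent; that is the Quasar shape (the sample restarting itself through a temp .bat) and it will not fire on an installer that pings before launching something else. The benign daily task is rejected because it has neither the ONLOGON trigger nor a target under AppData.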
Network
MITRE ATT&CK Enterprise v15
Downloads

Fourteen dropped files, each 261 bytes; the report does not give their paths or contents. The count and the uniform size line up with the fourteen randomly named .bat files under %TEMP% in the process tree, but that correspondence is an inference from this page, not something the report states.

Filesize: 261B
MD5: b1289629542996fcf7a4c18ad92d6958
SHA1: e8179a91108776c65f93d5474806234c27d3b435
SHA256: 5bd4ddfda95084bd45c2b6c0a5203a7519cc57daecb317667aa2bc221a06af3f
SHA512: 547b22a57fb3d37be022bec0f27c28fa361810904f949e84d669873e791b174f608ed62d4b85f0b484ff10e7247a2499848271f1015cb7e6721e9d91b4f4ddd9

Filesize: 261B
MD5: 8bfeb521981416bc1c1049b1bbfed0aa
SHA1: e7d590c85d29064e71e5ba43e69d8caf79adb744
SHA256: 2c2db679f3a3ac6eaf81ff29ff9b1a736e8a1e337cca0717ef28e40430a696ea
SHA512: 1451d947b148fd5cd22f5a862f90144d614276bb979f1c5a18ad9b3b0104766c7fbaf40af5cee5c3042220b2fdfb8c4173386ec30b02710f8c0e213e73a98011

Filesize: 261B
MD5: 4087d99e8e733d19da4eb392cb8cdfd2
SHA1: 97b6cc7d747706d3a7dbbf3cd939b91980a71ee8
SHA256: 99f7d2a35e3891928ef58d19357318b1e762f710dfc58437397af9169a89ebe0
SHA512: bbb0881d45a4074c7fd017b749673d86607569db004d5d12f5ba76c97da3b9f8ddb1f79a2e5620d6171a0bc1d911441e91c2de174c01f36505a98b13ef275aee

Filesize: 261B
MD5: 68e53593f1dc9243b4883031ed93de68
SHA1: 3548a1b49875284085c0ad1ac236719ba1a1517b
SHA256: cf93f51c173d45d79ba9b760a3dac3b6a0c174025383317751a91d7524ee6b57
SHA512: 1d2c008c9d0874a14ae10e80fe922093052b1444ecccb962fe4af499a9edbfa9b78e1e3d62ec6becef877b2241fd289fdc6bd775c795efc36c0f10b3bae9d7c7

Filesize: 261B
MD5: 3c36c1c548c40d19e15313d2ac4cae7f
SHA1: fad2ca5f4e7c0350d477853f3aecb0de9d91ddb8
SHA256: a7f34779cfdc07c121c782901dcfe24d8b30495583aa414d81a0dfd12c8293c2
SHA512: 5b48b24f50431fb8e05a7c0fc5b6842de16f9453510ee1684877e83af35a8f8e7c8ea453ea898f4e3d1b7c98526435f408ed8209924a6593a8d2fe9eaa286f45

Filesize: 261B
MD5: aca7ed91072725d1c66c30c4c3d7a95a
SHA1: 37e179a49498f7a2836e3f204b13db773ba7434e
SHA256: 0425f9a3d937a8ba6435045e198493f2221e06a10db90ed55ae50dc17d8bc5a6
SHA512: 4a4bff6281ebe21b875f22a3aab59d8d3f60465418b160b289836dada50669c42743e4f1b4ad592d22fb3a63cae4b4a9b2058c03d5de43469fb0590f692c73c7

Filesize: 261B
MD5: cffda2241105cc756e74bc7309790e35
SHA1: 79f3e4e2a874eb542a5a83d6c4b83b9e8c9ecd53
SHA256: 7e7a7a19fc2545bb4c79e01b9ac73e3de19010a86bb8cdf4f63d1d1f5b88a583
SHA512: 0081f346ceb4d94164329e3d240f8c7955777f71020e8f05d2dd76364f5491dfc5dc23ad00dc20b41cf833fe60b2594e6964158726544738eaf396f548d4bc8d

Filesize: 261B
MD5: 90fd056e96cdccf41739140d19b76beb
SHA1: 193f699429d92d0a7279b9492cd0e1d0d3b4791b
SHA256: 47abb5036e604ab0508811e90d282fd09fd3449837608648927fb804a750040b
SHA512: 64667ae867f097391c09d08a636d2b3b7c1dbe4465869264099b4f1ed0873e200bdf63a190571fc149b5ab6a89a0e0f47f5c89a45a645af2f852d7a2fa9bc56c

Filesize: 261B
MD5: 715a91d4c8d3cb1d0eb7d9eb27069675
SHA1: 99382f55410958dd39c821f8b4cefbeb7e0b9d64
SHA256: 9bfed2e26e493d7f70e68a38c0a9ffa61af54f18f8b0305ecf9ee202b79eb0f1
SHA512: ab37297f3b1f9c4bd52dd574934efae72a175f182989c8239919c1e960098d78bd31c2f3ec5d034969670bc25659cdb4fec9fb39b8ca06b934b86db0e3189b8e

Filesize: 261B
MD5: 3a67a9f1f507dcd9f5668f052b7af237
SHA1: 60752e7227e31eda9fe7a5efda1fca301a15f00d
SHA256: c5bcd8272f6d8d283dc6b4a77313e0c5757888029fde1db927485178dc0f7f60
SHA512: 89498b0da4d73e605847418a4df84f17ec2f595e2f3fcd75d645abe3ebe6ecd3c828e0adcdd7320c6d48133800023b0d38e3253281f0c1f54bfdaae6a8c27cf4

Filesize: 261B
MD5: 840f044e2ecb2bbb3140b39a337954a2
SHA1: 90e484f47db8cfe175415721a818b93cb718f19e
SHA256: 7d7984fa5d45375459a525c9a8c6b8fa96dfc125398dd47aaa812efdc02ff1d5
SHA512: feaf571dc36cca1cddcdc2fc56de7374c26d13fe25969dd3e075bb5ac1ad9f0fd785d92e1ba95cb910fbcf57b3c387aa34616cc208890b91c1139768552daabb

Filesize: 261B
MD5: 4b65e6abe5de5a2ba179bc4206c94403
SHA1: 539ab5f1c0c7d5c368efb23e5cd8df7e2b0b123c
SHA256: c25c3a091cf724015dcbdac74127200fc4e6689e9185e9f9bc47d47a500f1e63
SHA512: dee600f33d6e0ede558a11225c6d846551ed11a8cadbc489aa3b3efd18ac775d449ecf7d9b4936a709a2232a3521bf8e256d7093924aa4a59e24a4d978c44477

Filesize: 261B
MD5: e33f1f59b5407d1ff346eabe04537017
SHA1: be96b27fa8174a26cac8a5a73cec555096258311
SHA256: 070179425b4f82fead0a2f9a73c5e41bc95779b164b98a4609bd6601222f8620
SHA512: 84b81637056fdef75ee6a4ca3543664008e172f8b4c2b5ffa1f6bfa4a826f29dbbaf7ee6157c5b14cae6764b1822144a12a8d376d57258d65fff2c8bf504d3d2

Filesize: 261B
MD5: 53efcb24a942995b38f383bd0a973c3a
SHA1: 2ba57e772f8e4bda12fa1d2b02a25833a06e375b
SHA256: d24c5e510a2b1190cda91faf0dffa5b6c9a7256e596f89aba9398d3e89deaf26
SHA512: 36c01958e1e898eec3b8cb2d24711adab04321b6daa63262b8c91384d75d9d33bbb140d50f66e9a014b8a68da29a35d56744db8d6b635a0ebcc9ab431af35cd6