Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-12-2024 06:30

Behavioral task
- task: behavioral1
- Sample: Client-built.exe
- Resource: win7-20241010-en

General
- Target: Client-built.exe
- Size: 3.1MB
- MD5: f67e6aafbd9c86771f11c05ae83ae83e
- SHA1: c9fe04c78139d000182d89f4dd013e647db64cc0
- SHA256: 534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362
- SHA512: f5d5b09a92a3bc7ff862cf87c5a4285e2ada1ec4cb9d5b1467e358ad3678a2dfe6acd2f1819b7f9646f1ef5e038c9ffb295ef8a6590a75cdf911913a5edaf27a
- SSDEEP: 49152:avht62XlaSFNWPjljiFa2RoUYI+Y6a95fQrk/1LoGdpTHHB72eh2NT:avL62XlaSFNWPjljiFXRoUYI8aB
Malware Config

Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: Office04
- C2: interestingsigma.hopto.org:20
- Mutex: 11bbf22e-826e-486b-b024-adbd86228a9e
- Attributes:
  - encryption_key: 7A589EDBC6A581E125BF830EF0D05FC74BB75E30
  - install_name: Client.exe
  - log_directory: Logs
  - reconnect_delay: 3000
  - startup_key: ctfmon
  - subdirectory: SubDir
Signatures

Quasar family

Quasar payload (2 IoCs)
- resource: behavioral2/memory/4296-1-0x0000000000FC0000-0x00000000012E4000-memory.dmp, yara_rule: family_quasar
- resource: behavioral2/files/0x000a000000023b7b-6.dat, yara_rule: family_quasar

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
- description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation, Process: Client.exe (15 identical entries, one per dropped Client.exe instance)

Executes dropped EXE (15 IoCs)
- Process: Client.exe, pids: 3632, 2340, 3676, 4928, 3252, 1344, 1472, 3820, 1808, 3784, 4212, 1740, 2712, 3860, 1076

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
- Process: PING.EXE, pids: 3352, 2612, 2240, 4248, 1736, 3100, 1072, 636, 2508, 2160, 4772, 3732, 1512, 2532, 3856

Runs ping.exe (1 TTPs, 15 IoCs)
- Process: PING.EXE, pids: 4248, 4772, 1736, 3100, 1072, 636, 2508, 1512, 2612, 2240, 3352, 2532, 3732, 2160, 3856

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- Process: schtasks.exe, pids: 4572, 3052, 4600, 1780, 4792, 948, 3688, 772, 4908, 2156, 3220, 2512, 1672, 4208, 836, 4496

Suspicious use of AdjustPrivilegeToken (16 IoCs)
- description: Token: SeDebugPrivilege, pid 4296, Process: Client-built.exe
- description: Token: SeDebugPrivilege, Process: Client.exe, pids: 3632, 2340, 3676, 4928, 3252, 1344, 1472, 3820, 1808, 3784, 4212, 1740, 2712, 3860, 1076

Suspicious use of FindShellTrayWindow (15 IoCs)
- Process: Client.exe, pids: 3632, 2340, 3676, 4928, 3252, 1344, 1472, 3820, 1808, 3784, 4212, 1740, 2712, 3860, 1076

Suspicious use of SendNotifyMessage (15 IoCs)
- Process: Client.exe, pids: 3632, 2340, 3676, 4928, 3252, 1344, 1472, 3820, 1808, 3784, 4212, 1740, 2712, 3860, 1076

Suspicious use of WriteProcessMemory (64 IoCs)
Columns: description, pid, Process, procid_target. Each entry below appears twice in the report (two writes per child), giving 64 IoCs in total.
- PID 4296 wrote to memory of 1672, pid 4296, Client-built.exe, procid_target 83 (2 entries)
- PID 4296 wrote to memory of 3632, pid 4296, Client-built.exe, procid_target 85 (2 entries)
- PID 3632 wrote to memory of 4572, pid 3632, Client.exe, procid_target 86 (2 entries)
- PID 3632 wrote to memory of 3728, pid 3632, Client.exe, procid_target 88 (2 entries)
- PID 3728 wrote to memory of 2640, pid 3728, cmd.exe, procid_target 90 (2 entries)
- PID 3728 wrote to memory of 3352, pid 3728, cmd.exe, procid_target 91 (2 entries)
- PID 3728 wrote to memory of 2340, pid 3728, cmd.exe, procid_target 101 (2 entries)
- PID 2340 wrote to memory of 948, pid 2340, Client.exe, procid_target 102 (2 entries)
- PID 2340 wrote to memory of 4812, pid 2340, Client.exe, procid_target 104 (2 entries)
- PID 4812 wrote to memory of 4768, pid 4812, cmd.exe, procid_target 107 (2 entries)
- PID 4812 wrote to memory of 1072, pid 4812, cmd.exe, procid_target 108 (2 entries)
- PID 4812 wrote to memory of 3676, pid 4812, cmd.exe, procid_target 114 (2 entries)
- PID 3676 wrote to memory of 3688, pid 3676, Client.exe, procid_target 115 (2 entries)
- PID 3676 wrote to memory of 3692, pid 3676, Client.exe, procid_target 117 (2 entries)
- PID 3692 wrote to memory of 2012, pid 3692, cmd.exe, procid_target 120 (2 entries)
- PID 3692 wrote to memory of 636, pid 3692, cmd.exe, procid_target 121 (2 entries)
- PID 3692 wrote to memory of 4928, pid 3692, cmd.exe, procid_target 125 (2 entries)
- PID 4928 wrote to memory of 2156, pid 4928, Client.exe, procid_target 127 (2 entries)
- PID 4928 wrote to memory of 1076, pid 4928, Client.exe, procid_target 129 (2 entries)
- PID 1076 wrote to memory of 5052, pid 1076, cmd.exe, procid_target 132 (2 entries)
- PID 1076 wrote to memory of 3732, pid 1076, cmd.exe, procid_target 133 (2 entries)
- PID 1076 wrote to memory of 3252, pid 1076, cmd.exe, procid_target 135 (2 entries)
- PID 3252 wrote to memory of 4208, pid 3252, Client.exe, procid_target 136 (2 entries)
- PID 3252 wrote to memory of 3544, pid 3252, Client.exe, procid_target 138 (2 entries)
- PID 3544 wrote to memory of 4292, pid 3544, cmd.exe, procid_target 141 (2 entries)
- PID 3544 wrote to memory of 2508, pid 3544, cmd.exe, procid_target 142 (2 entries)
- PID 3544 wrote to memory of 1344, pid 3544, cmd.exe, procid_target 143 (2 entries)
- PID 1344 wrote to memory of 836, pid 1344, Client.exe, procid_target 144 (2 entries)
- PID 1344 wrote to memory of 1668, pid 1344, Client.exe, procid_target 146 (2 entries)
- PID 1668 wrote to memory of 904, pid 1668, cmd.exe, procid_target 149 (2 entries)
- PID 1668 wrote to memory of 1512, pid 1668, cmd.exe, procid_target 150 (2 entries)
- PID 1668 wrote to memory of 1472, pid 1668, cmd.exe, procid_target 151 (2 entries)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the tree depth, image path, PID, command line and the signatures triggered by that process.

- [depth 1] C:\Users\Admin\AppData\Local\Temp\Client-built.exe (PID 4296)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

- [depth 2] C:\Windows\SYSTEM32\schtasks.exe (PID 1672)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

- [depth 2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3632)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

- [depth 3] C:\Windows\SYSTEM32\schtasks.exe (PID 4572)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

- [depth 3] C:\Windows\system32\cmd.exe (PID 3728)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcesOh4O044F.bat" "
  Signatures: Suspicious use of WriteProcessMemory

- [depth 4] C:\Windows\system32\chcp.com (PID 2640)
  Command line: chcp 65001

- [depth 4] C:\Windows\system32\PING.EXE (PID 3352)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

- [depth 4] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2340)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

- [depth 5] C:\Windows\SYSTEM32\schtasks.exe (PID 948)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

- [depth 5] C:\Windows\system32\cmd.exe (PID 4812)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hpp53vecSNSM.bat" "
  Signatures: Suspicious use of WriteProcessMemory

- [depth 6] C:\Windows\system32\chcp.com (PID 4768)
  Command line: chcp 65001

- [depth 6] C:\Windows\system32\PING.EXE (PID 1072)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

- [depth 6] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3676)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

- [depth 7] C:\Windows\SYSTEM32\schtasks.exe (PID 3688)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

- [depth 7] C:\Windows\system32\cmd.exe (PID 3692)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K7Qd0baR3w28.bat" "
  Signatures: Suspicious use of WriteProcessMemory

- [depth 8] C:\Windows\system32\chcp.com (PID 2012)
  Command line: chcp 65001

- [depth 8] C:\Windows\system32\PING.EXE (PID 636)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

- [depth 8] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4928)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

- [depth 9] C:\Windows\SYSTEM32\schtasks.exe (PID 2156)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

- [depth 9] C:\Windows\system32\cmd.exe (PID 1076)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u9hGiPl9RsDp.bat" "
  Signatures: Suspicious use of WriteProcessMemory

- [depth 10] C:\Windows\system32\chcp.com (PID 5052)
  Command line: chcp 65001

- [depth 10] C:\Windows\system32\PING.EXE (PID 3732)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

- [depth 10] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3252)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

- [depth 11] C:\Windows\SYSTEM32\schtasks.exe (PID 4208)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

- [depth 11] C:\Windows\system32\cmd.exe (PID 3544)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1Y9tjmm7iZrH.bat" "
  Signatures: Suspicious use of WriteProcessMemory

- [depth 12] C:\Windows\system32\chcp.com (PID 4292)
  Command line: chcp 65001

- [depth 12] C:\Windows\system32\PING.EXE (PID 2508)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

- [depth 12] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1344)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

- [depth 13] C:\Windows\SYSTEM32\schtasks.exe (PID 836)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

- [depth 13] C:\Windows\system32\cmd.exe (PID 1668)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuH2FmPZvGo1.bat" "
  Signatures: Suspicious use of WriteProcessMemory

- [depth 14] C:\Windows\system32\chcp.com (PID 904)
  Command line: chcp 65001

- [depth 14] C:\Windows\system32\PING.EXE (PID 1512)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

- [depth 14] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1472)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

- [depth 15] C:\Windows\SYSTEM32\schtasks.exe (PID 772)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

- [depth 15] C:\Windows\system32\cmd.exe (PID 2712)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgZYP0A66zOq.bat" "

- [depth 16] C:\Windows\system32\chcp.com (PID 1644)
  Command line: chcp 65001

- [depth 16] C:\Windows\system32\PING.EXE (PID 2160)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

- [depth 16] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3820)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

- [depth 17] C:\Windows\SYSTEM32\schtasks.exe (PID 3220)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

- [depth 17] C:\Windows\system32\cmd.exe (PID 636)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ClEBBFSSQGC5.bat" "

- [depth 18] C:\Windows\system32\chcp.com (PID 3504)
  Command line: chcp 65001

- [depth 18] C:\Windows\system32\PING.EXE (PID 4248)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

- [depth 18] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1808)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

- [depth 19] C:\Windows\SYSTEM32\schtasks.exe (PID 3052)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

- [depth 19] C:\Windows\system32\cmd.exe (PID 4752)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bE3bYIXRJdHG.bat" "

- [depth 20] C:\Windows\system32\chcp.com (PID 388)
  Command line: chcp 65001

- [depth 20] C:\Windows\system32\PING.EXE (PID 2532)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

- [depth 20] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3784)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

- [depth 21] C:\Windows\SYSTEM32\schtasks.exe (PID 2512)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

- [depth 21] C:\Windows\system32\cmd.exe (PID 3184)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hy6cry1KCeeX.bat" "

- [depth 22] C:\Windows\system32\chcp.com (PID 3544)
  Command line: chcp 65001

- [depth 22] C:\Windows\system32\PING.EXE (PID 3856)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

- [depth 22] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4212)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

- [depth 23] C:\Windows\SYSTEM32\schtasks.exe (PID 4908)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

- [depth 23] C:\Windows\system32\cmd.exe (PID 4172)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ctuc81WnujCk.bat" "

- [depth 24] C:\Windows\system32\chcp.com (PID 1512)
  Command line: chcp 65001

- [depth 24] C:\Windows\system32\PING.EXE (PID 4772)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

- [depth 24] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1740)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

- [depth 25] C:\Windows\SYSTEM32\schtasks.exe (PID 4792)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

- [depth 25] C:\Windows\system32\cmd.exe (PID 2328)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1WCULAwvFALB.bat" "

- [depth 26] C:\Windows\system32\chcp.com (PID 972)
  Command line: chcp 65001

- [depth 26] C:\Windows\system32\PING.EXE (PID 2612)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

- [depth 26] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2712)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

- [depth 27] C:\Windows\SYSTEM32\schtasks.exe (PID 4496)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

- [depth 27] C:\Windows\system32\cmd.exe (PID 4572)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ERKDwEeX0aFB.bat" "

- [depth 28] C:\Windows\system32\chcp.com (PID 2408)
  Command line: chcp 65001

- [depth 28] C:\Windows\system32\PING.EXE (PID 1736)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

- [depth 28] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3860)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

- [depth 29] C:\Windows\SYSTEM32\schtasks.exe (PID 4600)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

- [depth 29] C:\Windows\system32\cmd.exe (PID 4880)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYwbbf8DeRJ7.bat" "

- [depth 30] C:\Windows\system32\chcp.com (PID 2424)
  Command line: chcp 65001

- [depth 30] C:\Windows\system32\PING.EXE (PID 2240)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

- [depth 30] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1076)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

- [depth 31] C:\Windows\SYSTEM32\schtasks.exe (PID 1780)
  Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

- [depth 31] C:\Windows\system32\cmd.exe (PID 2660)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQf8R0RpgdaB.bat" "

- [depth 32] C:\Windows\system32\chcp.com (PID 2112)
  Command line: chcp 65001

- [depth 32] C:\Windows\system32\PING.EXE (PID 3100)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 2KB
  MD5: 8f0271a63446aef01cf2bfc7b7c7976b
  SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
  SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
  SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

- Filesize: 207B
  MD5: 9f29ee89f1ec4425ee2480380a0d5896
  SHA1: 73fb6bfd456a38c5c43c653c9a69ac86d1041fdf
  SHA256: b0388a5692a5720fb348cadeff3d62889650fea46315fe335f34ff1c7d46fa24
  SHA512: 6b2d768e29ed8276377636ae7cac21cb96846b9c59e48a5c916014cd1f765d72964ff53cd71a8c510537a0db9bc292a127657acb1a636b137b0f207c00cd1199

- Filesize: 207B
  MD5: b7b7dc9c9ee6eef2b2abe0d6cf72d491
  SHA1: 5db7fe28b1657ebe701c5ae1ce9fbbf40311aba9
  SHA256: 1a66bb428ff9d71444d5ba0fc2d6adfcb78e37f4ef53247f4470a7d2c86a5df5
  SHA512: 25ea43d008675c8afd40a1f019756473d5956aba03b68f6ac25bec93b8569d67961654ecb056f92006ea44e1963852e3f60a5bb6ae6d5da98bb19cfc1f6caab6

- Filesize: 207B
  MD5: 74298e95f5ab7fe7f88a81c1f336f5ab
  SHA1: 887e7e637281007151f545dc17848c9d0e5adbc0
  SHA256: 7f9d50ef46afc76ace367ebc1c9c6c63bda35a93ed53edad32d5e352672b7e4b
  SHA512: 561ce80aec7c5af7202cbf6b95ba602007f223c840b0ed6451be1abf2d149db0cf1379397be97c1193fdea198e988af6a4c56e08dd4c2ac8a4576c25cd8f477c

- Filesize: 207B
  MD5: 3e61cc3d55a74a4b022461fd743cfff9
  SHA1: ba6210a8f52c3c71e5f1afd0eb94de075db489b0
  SHA256: 978c71cead3fb46eeddb43d0b2ce69b75a5ce24297727771aafe5d152c7c85c6
  SHA512: 14142b69c9480c7019922afd69df8bd4cbee6ee02c433305ff77c729bd12a0e8e758e3a2083a3713b27c035b49999eb35898fa728361383bb1cd334dce912b4b

- Filesize: 207B
  MD5: aa773ba62cc06a76fed7e3028d790405
  SHA1: 69658904a64056d8ac270c96e185b2953d13663a
  SHA256: d87758170ca5e7aa4bcddd6f256a0b9b3607ae740832d33750c47ba945c36a5c
  SHA512: 62c93a403a7951f73a361252d819da289dca99587179df9472decf89bfb2a6bab3102d9422e2646fa16ab8563b7c7da975a2cc19ca6f7e2882b63fa134cde477

- Filesize: 207B
  MD5: 8d9a439e92803ee32a7d68f64a729f12
  SHA1: ef0b44147f430ed1ec882b289658f7df3b165fb6
  SHA256: 0b26afb6796f749f6a36b3e02e76f97dbc805ad6248b266082ab6dc35fc48015
  SHA512: f9f33a4c2a6d017c27e9d596403c86430a7c134de5ac3c9f6ae71f8f26016460f7f98fed1a805ce78ac151b7f45b584635ab601fd293d289f56ee36c17efb770

- Filesize: 207B
  MD5: 5abbfd469295b72aef685e483924d55e
  SHA1: 35e7aeba8bd0dc843652f7a463ea24c08da115f7
  SHA256: 9bd6d88c00846d5907bc7669e42ea8e9ace4c44213fe77055c08ebcada8ecafd
  SHA512: 288a5ad2e8d3da5fda7b00857e024cc33aadad0925b6070167b9188cbedd7e8d9d8bc0ecb0b2bb5d072c2ae4e9db988ac841f533a8530f15e6f8b97e45fc1576

- Filesize: 207B
  MD5: 196537f1e37899f4c04da80c669e7e18
  SHA1: 44e5c001a8552b468087942bf229a9d3d85cef27
  SHA256: 22d5f5c48209bd01fa5e3371b5078d3ae2840c756a5b72ecd04392783df9cf23
  SHA512: 96c7994141cbfdc903666c28cb190eae9423825aec73ae8589d53c8bd5e3965b654fa02de7db7a60f9eb664413270605d065b9ac11dfa82bda4f5126425808e7

- Filesize: 207B
  MD5: d63a040e9d0a8b43f0642a2b94195c0a
  SHA1: f6fda5886975103ae4b311d637fc5213c00db156
  SHA256: 3baf6a7fb9b16e6c0127d2780b8de338cab85bdb81a4ab2eae00acfac8efd6ed
  SHA512: 55e80a5185befe494afc79b803a6d62f1ae10e2da45d244b8655984c4eff7b52c182e62b5fc4a52652dd0f5c696d629cc5cef60ee84f4292308e092582009830

- Filesize: 207B
  MD5: 4e926a37c8ad43325a67deeaf2706fa9
  SHA1: eae3aeeca18c9aeb4877603c1b3053e61ff91209
  SHA256: 115184872da2502f8f92effafbb1f378bb102896476dd53e25a0f42fcdf35f25
  SHA512: 1c5f11cbbe1341299660b4267f3aea8862d24320b8d57aee3a5de4488fb3b16bb304ae48dfaef478264995c6d8b1cc8d783aad1b3ce264fcd6affb97e2a98fa0

- Filesize: 207B
  MD5: 74e41af0cac08ce7339e75b8c5fe7037
  SHA1: f8667e58959207b4bfbf9c05dc1dceb613318efa
  SHA256: 16d1714082b50f1745defcafe421953e3dcba39cef0d4522d29cc2e1c6cbdb2a
  SHA512: 88974eff634285f33ff1c05a9c8a6c6c65c001f920ea25e754ab22a6070c55a6e69efe38719b04158fed5d41bd922915ba93105faa44a3448a00219ff251d8ee

- Filesize: 207B
  MD5: b65fb110df6a9429159ea5ed92203b05
  SHA1: 518d17513eaffb9e0729df237cc2f845a4c46ff0
  SHA256: fc9463dc38092b8e5f63068dda01553f3dca825535b6aa716831aabee041755a
  SHA512: 19e57d40d0074a1597635ac7db2d7e6f4d28ff58eaa2adacc2d9366be32ab12c4e5e1f740a5f8d83675b23933fc7e23ec2ca87ac5a0f2fa1cfd75a0f0ac3af01

- Filesize: 207B
  MD5: cbfc8e955d05b29ef61ea936065b81bb
  SHA1: 064806c9b7e7549dbcc1bfc99019beb56b320484
  SHA256: 0192ab259e4d4da62f96be869193512d821a0ea0828955d97ef0c31c9188771f
  SHA512: 6c1a2fc05b18332dc02b180043251670e5debfa5b2d3c44f36393db8099a0c3d22ae5e1abe4a25e38b5e4f8d70f572e361ce99c737917b819e485d2904dc6c67

- Filesize: 207B
  MD5: 168408698331b06d74604206a72dbd79
  SHA1: 0211976117c0a93f46f08f7034282fe49f6b2c21
  SHA256: 03e62dca3254b7f33c28457054ca4b407ebc9b30fc4e15115bb50657259b7478
  SHA512: 05fafa72500401c1556abe8f6aeea9728c82dfb76dacf6155744398eb3a103a3a771ef483e2f5287433922f29456b346cfc236d88c4a88cbfe0ea65140735a63

- Filesize: 207B
  MD5: d27e38e087c04fa5373405e2214899f4
  SHA1: f9d56bf5741f388195e4d1e09db01a8e97707321
  SHA256: 1d0e3ff71853750ef3275aa0c296bd4f8e0f5b2772c887096e13174a75c5ad89
  SHA512: a9957a8d771ff974d9a33d29663c706ca1876409190c0a3bb1660417e0d50fc625b332eaeb6010294f53d50216a49ae735824971345349f46e314ed6c2cb00e9

- Filesize: 3.1MB
  MD5: f67e6aafbd9c86771f11c05ae83ae83e
  SHA1: c9fe04c78139d000182d89f4dd013e647db64cc0
  SHA256: 534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362
  SHA512: f5d5b09a92a3bc7ff862cf87c5a4285e2ada1ec4cb9d5b1467e358ad3678a2dfe6acd2f1819b7f9646f1ef5e038c9ffb295ef8a6590a75cdf911913a5edaf27a