Analysis
- max time kernel: 143s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 17-12-2024 06:36

Behavioral task
- behavioral1
  - Sample: Quas_Brout_ncrypt.exe
  - Resource: win7-20240903-en
General
- Target: Quas_Brout_ncrypt.exe
- Size: 3.1MB
- MD5: df7b0e428b11f8aa5102168e65156a3b
- SHA1: 7a48d280aee1b17e8a2e36b21c7441d4670cc7bc
- SHA256: f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9
- SHA512: c3dee0a61bc87eb230dce708172c95c5b3209d6d3c07198c2b92b68e5bd6d10e0ddf5193c4ad98be3bcb24e9627ef936de2a78274f477b33cacfe5117dc97abb
- SSDEEP: 49152:HvyI22SsaNYfdPBldt698dBcjH+a071Jv0oGdPZTHHB72eh2NT:Hvf22SsaNYfdPBldt6+dBcjH+a0A/
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Campaign: BROUTEUR
- C2: voltazur.ddns.net:4789
- Mutex: b435e96f-9e1a-4119-b07d-1ebccf7eb1b5
- encryption_key: 77E1CE64C90713D69376A654F4C56C1E0262C545
- install_name: Clients.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: WindowsSystemTask
- subdirectory: SubDare
Signatures
- Quasar family
- Quasar payload (11 IoCs)
  resource | yara_rule
  - behavioral1/memory/2100-1-0x00000000000D0000-0x00000000003F4000-memory.dmp | family_quasar
  - behavioral1/files/0x0008000000018c34-5.dat | family_quasar
  - behavioral1/memory/2092-7-0x0000000000C90000-0x0000000000FB4000-memory.dmp | family_quasar
  - behavioral1/memory/1588-32-0x00000000012C0000-0x00000000015E4000-memory.dmp | family_quasar
  - behavioral1/memory/2776-43-0x0000000000190000-0x00000000004B4000-memory.dmp | family_quasar
  - behavioral1/memory/2348-54-0x0000000000940000-0x0000000000C64000-memory.dmp | family_quasar
  - behavioral1/memory/576-65-0x0000000001250000-0x0000000001574000-memory.dmp | family_quasar
  - behavioral1/memory/2360-106-0x00000000012E0000-0x0000000001604000-memory.dmp | family_quasar
  - behavioral1/memory/1616-128-0x00000000003A0000-0x00000000006C4000-memory.dmp | family_quasar
  - behavioral1/memory/3044-139-0x0000000000360000-0x0000000000684000-memory.dmp | family_quasar
  - behavioral1/memory/1936-150-0x0000000001030000-0x0000000001354000-memory.dmp | family_quasar
- Executes dropped EXE (15 IoCs)
  pid | Process: 2092, 3060, 1588, 2776, 2348, 576, 896, 2832, 2824, 2360, 2228, 1616, 3044, 1936, 2052 (all Clients.exe)
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  - File created | C:\Program Files\SubDare\Clients.exe | Quas_Brout_ncrypt.exe
  - File opened for modification | C:\Program Files\SubDare\Clients.exe | Quas_Brout_ncrypt.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process: 2840, 1552, 496, 468, 2728, 912, 2352, 1272, 2556, 2036, 1020, 1920, 880, 2336, 1692 (all PING.EXE)
- Runs ping.exe (1 TTPs, 15 IoCs)
  pid | Process: 1272, 1920, 2036, 880, 2336, 1020, 496, 2556, 912, 1692, 2840, 2728, 2352, 1552, 468 (all PING.EXE)
- Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process: 1800, 1744, 1900, 1440, 1716, 1240, 1800, 2792, 3000, 1860, 1796, 2548, 2616, 1596, 2816, 1192 (all schtasks.exe; PID 1800 appears twice, as it does in the process tree)
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description | pid | Process
  - Token: SeDebugPrivilege | 2100 | Quas_Brout_ncrypt.exe
  - Token: SeDebugPrivilege | 2092, 3060, 1588, 2776, 2348, 576, 896, 2832, 2824, 2360, 2228, 1616, 3044, 1936, 2052 | Clients.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target (the multiplicity in parentheses is how many times the row is listed)
  - PID 2100 wrote to memory of 1800 | 2100 | Quas_Brout_ncrypt.exe | 31 (x3)
  - PID 2100 wrote to memory of 2092 | 2100 | Quas_Brout_ncrypt.exe | 33 (x3)
  - PID 2092 wrote to memory of 1744 | 2092 | Clients.exe | 34 (x3)
  - PID 2092 wrote to memory of 2736 | 2092 | Clients.exe | 36 (x3)
  - PID 2736 wrote to memory of 2684 | 2736 | cmd.exe | 38 (x3)
  - PID 2736 wrote to memory of 2556 | 2736 | cmd.exe | 39 (x3)
  - PID 2736 wrote to memory of 3060 | 2736 | cmd.exe | 40 (x3)
  - PID 3060 wrote to memory of 2792 | 3060 | Clients.exe | 41 (x3)
  - PID 3060 wrote to memory of 3064 | 3060 | Clients.exe | 43 (x3)
  - PID 3064 wrote to memory of 2008 | 3064 | cmd.exe | 45 (x3)
  - PID 3064 wrote to memory of 1920 | 3064 | cmd.exe | 46 (x3)
  - PID 3064 wrote to memory of 1588 | 3064 | cmd.exe | 47 (x3)
  - PID 1588 wrote to memory of 1900 | 1588 | Clients.exe | 48 (x3)
  - PID 1588 wrote to memory of 808 | 1588 | Clients.exe | 50 (x3)
  - PID 808 wrote to memory of 1620 | 808 | cmd.exe | 52 (x3)
  - PID 808 wrote to memory of 2036 | 808 | cmd.exe | 53 (x3)
  - PID 808 wrote to memory of 2776 | 808 | cmd.exe | 54 (x3)
  - PID 2776 wrote to memory of 1796 | 2776 | Clients.exe | 55 (x3)
  - PID 2776 wrote to memory of 2216 | 2776 | Clients.exe | 57 (x3)
  - PID 2216 wrote to memory of 1720 | 2216 | cmd.exe | 59 (x3)
  - PID 2216 wrote to memory of 912 | 2216 | cmd.exe | 60 (x3)
  - PID 2216 wrote to memory of 2348 | 2216 | cmd.exe | 61 (x1)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree; [n] is the nesting depth of the process.
- [1] C:\Users\Admin\AppData\Local\Temp\Quas_Brout_ncrypt.exe (PID 2100)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Quas_Brout_ncrypt.exe"
  signatures: Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- [2] C:\Windows\system32\schtasks.exe (PID 1800)
  cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [2] C:\Program Files\SubDare\Clients.exe (PID 2092)
  cmdline: "C:\Program Files\SubDare\Clients.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- [3] C:\Windows\system32\schtasks.exe (PID 1744)
  cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [3] C:\Windows\system32\cmd.exe (PID 2736)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\QykHY1c2skSR.bat" "
  signatures: Suspicious use of WriteProcessMemory
- [4] C:\Windows\system32\chcp.com (PID 2684)
  cmdline: chcp 65001
- [4] C:\Windows\system32\PING.EXE (PID 2556)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [4] C:\Program Files\SubDare\Clients.exe (PID 3060)
  cmdline: "C:\Program Files\SubDare\Clients.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- [5] C:\Windows\system32\schtasks.exe (PID 2792)
  cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [5] C:\Windows\system32\cmd.exe (PID 3064)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\jjtmB4pzut8c.bat" "
  signatures: Suspicious use of WriteProcessMemory
- [6] C:\Windows\system32\chcp.com (PID 2008)
  cmdline: chcp 65001
- [6] C:\Windows\system32\PING.EXE (PID 1920)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [6] C:\Program Files\SubDare\Clients.exe (PID 1588)
  cmdline: "C:\Program Files\SubDare\Clients.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- [7] C:\Windows\system32\schtasks.exe (PID 1900)
  cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [7] C:\Windows\system32\cmd.exe (PID 808)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\yg51YIio5OLX.bat" "
  signatures: Suspicious use of WriteProcessMemory
- [8] C:\Windows\system32\chcp.com (PID 1620)
  cmdline: chcp 65001
- [8] C:\Windows\system32\PING.EXE (PID 2036)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [8] C:\Program Files\SubDare\Clients.exe (PID 2776)
  cmdline: "C:\Program Files\SubDare\Clients.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- [9] C:\Windows\system32\schtasks.exe (PID 1796)
  cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [9] C:\Windows\system32\cmd.exe (PID 2216)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\LRmsoZBAtjGt.bat" "
  signatures: Suspicious use of WriteProcessMemory
- [10] C:\Windows\system32\chcp.com (PID 1720)
  cmdline: chcp 65001
- [10] C:\Windows\system32\PING.EXE (PID 912)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [10] C:\Program Files\SubDare\Clients.exe (PID 2348)
  cmdline: "C:\Program Files\SubDare\Clients.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [11] C:\Windows\system32\schtasks.exe (PID 1596)
  cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [11] C:\Windows\system32\cmd.exe (PID 1612)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\hztdVBEJ9Uy5.bat" "
- [12] C:\Windows\system32\chcp.com (PID 840)
  cmdline: chcp 65001
- [12] C:\Windows\system32\PING.EXE (PID 1692)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [12] C:\Program Files\SubDare\Clients.exe (PID 576)
  cmdline: "C:\Program Files\SubDare\Clients.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [13] C:\Windows\system32\schtasks.exe (PID 1440)
  cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [13] C:\Windows\system32\cmd.exe (PID 1652)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\A0J66EUnke21.bat" "
- [14] C:\Windows\system32\chcp.com (PID 2252)
  cmdline: chcp 65001
- [14] C:\Windows\system32\PING.EXE (PID 880)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [14] C:\Program Files\SubDare\Clients.exe (PID 896)
  cmdline: "C:\Program Files\SubDare\Clients.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [15] C:\Windows\system32\schtasks.exe (PID 3000)
  cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [15] C:\Windows\system32\cmd.exe (PID 276)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\LYB3jljCWEOp.bat" "
- [16] C:\Windows\system32\chcp.com (PID 2632)
  cmdline: chcp 65001
- [16] C:\Windows\system32\PING.EXE (PID 2336)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [16] C:\Program Files\SubDare\Clients.exe (PID 2832)
  cmdline: "C:\Program Files\SubDare\Clients.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [17] C:\Windows\system32\schtasks.exe (PID 2816)
  cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [17] C:\Windows\system32\cmd.exe (PID 2820)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\irmvU2XLsEyp.bat" "
- [18] C:\Windows\system32\chcp.com (PID 2968)
  cmdline: chcp 65001
- [18] C:\Windows\system32\PING.EXE (PID 2352)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [18] C:\Program Files\SubDare\Clients.exe (PID 2824)
  cmdline: "C:\Program Files\SubDare\Clients.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [19] C:\Windows\system32\schtasks.exe (PID 2548)
  cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [19] C:\Windows\system32\cmd.exe (PID 2612)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\cJ6bgXACfMee.bat" "
- [20] C:\Windows\system32\chcp.com (PID 1748)
  cmdline: chcp 65001
- [20] C:\Windows\system32\PING.EXE (PID 1272)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [20] C:\Program Files\SubDare\Clients.exe (PID 2360)
  cmdline: "C:\Program Files\SubDare\Clients.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [21] C:\Windows\system32\schtasks.exe (PID 1192)
  cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [21] C:\Windows\system32\cmd.exe (PID 1872)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\9phGZcsYeG3i.bat" "
- [22] C:\Windows\system32\chcp.com (PID 1140)
  cmdline: chcp 65001
- [22] C:\Windows\system32\PING.EXE (PID 1020)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [22] C:\Program Files\SubDare\Clients.exe (PID 2228)
  cmdline: "C:\Program Files\SubDare\Clients.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [23] C:\Windows\system32\schtasks.exe (PID 2616)
  cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [23] C:\Windows\system32\cmd.exe (PID 1660)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\VR0qpuL4xaNS.bat" "
- [24] C:\Windows\system32\chcp.com (PID 2888)
  cmdline: chcp 65001
- [24] C:\Windows\system32\PING.EXE (PID 2840)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [24] C:\Program Files\SubDare\Clients.exe (PID 1616)
  cmdline: "C:\Program Files\SubDare\Clients.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [25] C:\Windows\system32\schtasks.exe (PID 1860)
  cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [25] C:\Windows\system32\cmd.exe (PID 2852)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\abdaiKw1Yl0d.bat" "
- [26] C:\Windows\system32\chcp.com (PID 1120)
  cmdline: chcp 65001
- [26] C:\Windows\system32\PING.EXE (PID 1552)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [26] C:\Program Files\SubDare\Clients.exe (PID 3044)
  cmdline: "C:\Program Files\SubDare\Clients.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [27] C:\Windows\system32\schtasks.exe (PID 1716)
  cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [27] C:\Windows\system32\cmd.exe (PID 2528)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\pUX8hrXpNNfe.bat" "
- [28] C:\Windows\system32\chcp.com (PID 1400)
  cmdline: chcp 65001
- [28] C:\Windows\system32\PING.EXE (PID 496)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [28] C:\Program Files\SubDare\Clients.exe (PID 1936)
  cmdline: "C:\Program Files\SubDare\Clients.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [29] C:\Windows\system32\schtasks.exe (PID 1240)
  cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [29] C:\Windows\system32\cmd.exe (PID 2344)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3aKaFu58Spn8.bat" "
- [30] C:\Windows\system32\chcp.com (PID 1724)
  cmdline: chcp 65001
- [30] C:\Windows\system32\PING.EXE (PID 468)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [30] C:\Program Files\SubDare\Clients.exe (PID 2052)
  cmdline: "C:\Program Files\SubDare\Clients.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [31] C:\Windows\system32\schtasks.exe (PID 1800)
  cmdline: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [31] C:\Windows\system32\cmd.exe (PID 2424)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\9zKiI1VtkR5W.bat" "
- [32] C:\Windows\system32\chcp.com (PID 2812)
  cmdline: chcp 65001
- [32] C:\Windows\system32\PING.EXE (PID 2728)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads