Analysis

max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 03:25

Behavioral task: behavioral1
Sample: cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe
Resource: win7-20240903-en
General

Target: cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe
Size: 3.1MB
MD5: 2be44f2f5ea83cbc61fbd13b50c0f88c
SHA1: f44df0aeb39d32c7fcff0b60e1e1283f051cd8c9
SHA256: cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a
SHA512: 95f321154f0fee3171d735ec19c0c44dfb1e67f979b6590ebb134b7f14f8510c69b66d1c67a161481e643c52e61965e410c52a6779c89e3e41b04bc73e8bd7e2
SSDEEP: 49152:KvyI22SsaNYfdPBldt698dBcjHXBnubRZELoGdaTHHB72eh2NT:Kvf22SsaNYfdPBldt6+dBcjHXBnoK
Malware Config

Extracted family: quasar
Version: 1.4.1
Botnet/tag: AUTRE
C2: voltazur.ddns.net:4789
Mutex: eddf685a-87b7-4f5a-9bac-e09fd56aab1e
encryption_key: 77E1CE64C90713D69376A654F4C56C1E0262C545
install_name: Clients.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: WindowsSystemTask
subdirectory: SubDare

The static config matches the observed behaviour: subdirectory + install_name give the drop path C:\Program Files\SubDare\Clients.exe, and startup_key is the name of the ONLOGON scheduled task created below. The C2 is a dynamic-DNS hostname, so the resolved address is not a stable indicator; hunt on the hostname and port instead.
Signatures

Quasar family

Quasar payload (2 IoCs)
  yara_rule family_quasar: behavioral2/memory/3080-1-0x0000000000D00000-0x0000000001024000-memory.dmp
  yara_rule family_quasar: behavioral2/files/0x0009000000023bf6-5.dat

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried by Clients.exe (15 queries, one per Clients.exe instance): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (15 IoCs)
  Clients.exe PIDs: 4028, 400, 4872, 2296, 2328, 4512, 2596, 4844, 5008, 2648, 4040, 872, 4948, 4504, 2156

Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files\SubDare\Clients.exe by cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe
  File opened for modification: C:\Program Files\SubDare\Clients.exe by cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  PING.EXE PIDs: 3096, 3000, 4832, 4960, 4476, 1872, 5108, 2264, 2008, 3784, 860, 4708, 4744, 1176, 4460
Note that every ping in this run is `ping -n 10 localhost` (see the process tree below): it is a roughly nine-second sleep inside the restart batch, not a probe of Internet connectivity, so the TTP label is a heuristic and the ping itself should not be read as beaconing.

Runs ping.exe (1 TTP, 15 IoCs)
  PING.EXE PIDs: 4960, 3000, 1872, 2008, 4476, 860, 2264, 4708, 4744, 3096, 4832, 1176, 4460, 5108, 3784

Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe PIDs: 4672, 3764, 4352, 4080, 368, 2260, 1000, 4732, 2808, 2944, 1328, 2860, 2844, 1688, 1928, 4936

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeDebugPrivilege, PID 3080 cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe
  Token: SeDebugPrivilege, Clients.exe PIDs: 4028, 400, 4872, 2296, 2328, 4512, 2596, 4844, 5008, 2648, 4040, 872, 4948, 4504, 2156

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4028 Clients.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Each write below is logged twice in the raw report (32 distinct parent/child pairs); the bracketed number is the target's process index in the sandbox log.
  3080 (cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe) wrote to 2260 [82]
  3080 (cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe) wrote to 4028 [84]
  4028 (Clients.exe) wrote to 1000 [85]
  4028 (Clients.exe) wrote to 380 [87]
  380 (cmd.exe) wrote to 1568 [89]
  380 (cmd.exe) wrote to 2008 [90]
  380 (cmd.exe) wrote to 400 [98]
  400 (Clients.exe) wrote to 4732 [99]
  400 (Clients.exe) wrote to 608 [101]
  608 (cmd.exe) wrote to 4640 [103]
  608 (cmd.exe) wrote to 4744 [104]
  608 (cmd.exe) wrote to 4872 [105]
  4872 (Clients.exe) wrote to 4672 [106]
  4872 (Clients.exe) wrote to 1124 [108]
  1124 (cmd.exe) wrote to 412 [110]
  1124 (cmd.exe) wrote to 3784 [111]
  1124 (cmd.exe) wrote to 2296 [114]
  2296 (Clients.exe) wrote to 2844 [115]
  2296 (Clients.exe) wrote to 828 [117]
  828 (cmd.exe) wrote to 1080 [119]
  828 (cmd.exe) wrote to 3096 [120]
  828 (cmd.exe) wrote to 2328 [121]
  2328 (Clients.exe) wrote to 1688 [122]
  2328 (Clients.exe) wrote to 3256 [124]
  3256 (cmd.exe) wrote to 1924 [126]
  3256 (cmd.exe) wrote to 3000 [127]
  3256 (cmd.exe) wrote to 4512 [128]
  4512 (Clients.exe) wrote to 4080 [129]
  4512 (Clients.exe) wrote to 2236 [131]
  2236 (cmd.exe) wrote to 3840 [133]
  2236 (cmd.exe) wrote to 4476 [134]
  2236 (cmd.exe) wrote to 2596 [135]

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process tree as recorded by the sandbox. The bracketed number is the depth in the tree. The helper command lines are identical at every depth and are written out once here:
  schtasks.exe : "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
  chcp.com     : chcp 65001
  PING.EXE     : ping -n 10 localhost
  cmd.exe      : C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\<name>.bat" "  (the .bat name is given per entry)
Signature abbreviations: TASK = Scheduled Task/Job: Scheduled Task; PING = System Network Configuration Discovery: Internet Connection Discovery, Runs ping.exe; WPM = Suspicious use of WriteProcessMemory; CLIENT = Checks computer location settings, Executes dropped EXE, Suspicious use of AdjustPrivilegeToken.
Each batch sets the code page, sleeps via ping, then relaunches Clients.exe, which re-registers the task and drops a fresh batch, so the same three-step pattern repeats down to depth 32 within the analysis window.

[1]  PID 3080  C:\Users\Admin\AppData\Local\Temp\cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe
     sigs: Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; WPM
[2]  PID 2260  C:\Windows\SYSTEM32\schtasks.exe  sigs: TASK
[2]  PID 4028  C:\Program Files\SubDare\Clients.exe  sigs: CLIENT; Suspicious use of SetWindowsHookEx; WPM
[3]  PID 1000  schtasks.exe  sigs: TASK
[3]  PID 380   cmd.exe  lbRxf9X8ebso.bat  sigs: WPM
[4]  PID 1568  chcp.com
[4]  PID 2008  PING.EXE  sigs: PING
[4]  PID 400   Clients.exe  sigs: CLIENT; WPM
[5]  PID 4732  schtasks.exe  sigs: TASK
[5]  PID 608   cmd.exe  jt3US3w2aogo.bat  sigs: WPM
[6]  PID 4640  chcp.com
[6]  PID 4744  PING.EXE  sigs: PING
[6]  PID 4872  Clients.exe  sigs: CLIENT; WPM
[7]  PID 4672  schtasks.exe  sigs: TASK
[7]  PID 1124  cmd.exe  1kuGlddAwgXH.bat  sigs: WPM
[8]  PID 412   chcp.com
[8]  PID 3784  PING.EXE  sigs: PING
[8]  PID 2296  Clients.exe  sigs: CLIENT; WPM
[9]  PID 2844  schtasks.exe  sigs: TASK
[9]  PID 828   cmd.exe  9I4gOqMdXk0U.bat  sigs: WPM
[10] PID 1080  chcp.com
[10] PID 3096  PING.EXE  sigs: PING
[10] PID 2328  Clients.exe  sigs: CLIENT; WPM
[11] PID 1688  schtasks.exe  sigs: TASK
[11] PID 3256  cmd.exe  mAfFTg0aKnCv.bat  sigs: WPM
[12] PID 1924  chcp.com
[12] PID 3000  PING.EXE  sigs: PING
[12] PID 4512  Clients.exe  sigs: CLIENT; WPM
[13] PID 4080  schtasks.exe  sigs: TASK
[13] PID 2236  cmd.exe  zsFbQ1NdjjNk.bat  sigs: WPM
[14] PID 3840  chcp.com
[14] PID 4476  PING.EXE  sigs: PING
[14] PID 2596  Clients.exe  sigs: CLIENT
[15] PID 1928  schtasks.exe  sigs: TASK
[15] PID 4732  cmd.exe  ZwzDtIKTzmmN.bat
[16] PID 2344  chcp.com
[16] PID 4832  PING.EXE  sigs: PING
[16] PID 4844  Clients.exe  sigs: CLIENT
[17] PID 4936  schtasks.exe  sigs: TASK
[17] PID 5064  cmd.exe  M6gS3LhqcRB0.bat
[18] PID 3572  chcp.com
[18] PID 1176  PING.EXE  sigs: PING
[18] PID 5008  Clients.exe  sigs: CLIENT
[19] PID 2808  schtasks.exe  sigs: TASK
[19] PID 4792  cmd.exe  SE8FuEsdWks0.bat
[20] PID 1748  chcp.com
[20] PID 1872  PING.EXE  sigs: PING
[20] PID 2648  Clients.exe  sigs: CLIENT
[21] PID 3764  schtasks.exe  sigs: TASK
[21] PID 3104  cmd.exe  Lnub3REabM9N.bat
[22] PID 2940  chcp.com
[22] PID 860   PING.EXE  sigs: PING
[22] PID 4040  Clients.exe  sigs: CLIENT
[23] PID 4352  schtasks.exe  sigs: TASK
[23] PID 1760  cmd.exe  GHA3eFgErzur.bat
[24] PID 1924  chcp.com
[24] PID 4460  PING.EXE  sigs: PING
[24] PID 872   Clients.exe  sigs: CLIENT
[25] PID 2944  schtasks.exe  sigs: TASK
[25] PID 4272  cmd.exe  MdeVntnpAgl9.bat
[26] PID 1836  chcp.com
[26] PID 4960  PING.EXE  sigs: PING
[26] PID 4948  Clients.exe  sigs: CLIENT
[27] PID 1328  schtasks.exe  sigs: TASK
[27] PID 2596  cmd.exe  qdSROlPn9Rz3.bat
[28] PID 2020  chcp.com
[28] PID 5108  PING.EXE  sigs: PING
[28] PID 4504  Clients.exe  sigs: CLIENT
[29] PID 368   schtasks.exe  sigs: TASK
[29] PID 3540  cmd.exe  zF9xqWl8CfuF.bat
[30] PID 756   chcp.com
[30] PID 2264  PING.EXE  sigs: PING
[30] PID 2156  Clients.exe  sigs: CLIENT
[31] PID 2860  schtasks.exe  sigs: TASK
[31] PID 412   cmd.exe  v1E6BnfFvS2A.bat
[32] PID 4000  chcp.com
[32] PID 4708  PING.EXE  sigs: PING

PIDs 412, 1924, 2596 and 4732 appear twice in the tree; Windows reuses PIDs once the earlier short-lived process has exited, so correlate on process start time or GUID rather than PID alone.
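The persistence and self-restart chain in the Signatures and Processes sections above, turned into detection logic. This is an added example, not part of the sandbox report or of the Quasar project. The events are constructed from the report's own tree (PIDs, images and command lines as logged); the explorer.exe root parent (PID 2500), the benign daily "Backup" task used as a negative control, and all field and function names are this example's assumptions, not a Sysmon or EDR schema.

```python
"""Detect the chain from the report: schtasks /create ... /sc ONLOGON /rl HIGHEST,
then cmd.exe running a %TEMP% .bat whose children are chcp 65001,
ping -n 10 localhost and a relaunch of the persisted binary.
Input is a list of process-creation events (Sysmon Event ID 1-like)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # command line as logged


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe"
CLIENT = r"C:\Program Files\SubDare\Clients.exe"
TASK_CMD = f'"schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "{CLIENT}" /rl HIGHEST /f'

# Constructed events mirroring the first two levels of the sandbox tree (PIDs and
# command lines from the report). Assumptions: explorer.exe (PID 2500) as the root
# parent, and a benign daily "Backup" task that the rules must not flag.
EVENTS = [
    ProcEvent(3080, 2500, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2260, 3080, r"C:\Windows\SYSTEM32\schtasks.exe", TASK_CMD),
    ProcEvent(4028, 3080, CLIENT, f'"{CLIENT}"'),
    ProcEvent(1000, 4028, r"C:\Windows\SYSTEM32\schtasks.exe", TASK_CMD),
    ProcEvent(380, 4028, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lbRxf9X8ebso.bat" "'),
    ProcEvent(1568, 380, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(2008, 380, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    ProcEvent(400, 380, CLIENT, f'"{CLIENT}"'),
    ProcEvent(900, 2500, r"C:\Windows\SYSTEM32\schtasks.exe",
              r'schtasks /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe"'),
]

# /switch followed by an optional value: either "quoted" or a bare token that
# does not itself start with a switch character.
SWITCH_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s"]\S*))?')
TEMP_BAT_RE = re.compile(r'\\AppData\\Local\\Temp\\[^"\\]+\.bat', re.I)
NOT_A_RELAUNCH = {"ping.exe", "cmd.exe", "schtasks.exe", "timeout.exe"}


def schtasks_args(cmdline: str) -> dict:
    """Lower-cased schtasks switches -> unquoted values ('' for bare flags)."""
    return {k.lower(): (v or "").strip('"') for k, v in SWITCH_RE.findall(cmdline)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def logon_highest_task(ev: ProcEvent):
    """Rule 1: schtasks /create with an ONLOGON trigger at HIGHEST run level."""
    if basename(ev.image) != "schtasks.exe":
        return None
    a = schtasks_args(ev.cmdline)
    if ("create" in a and a.get("sc", "").upper() == "ONLOGON"
            and a.get("rl", "").upper() == "HIGHEST"):
        return {"rule": "schtasks_onlogon_highest", "pid": ev.pid,
                "task": a.get("tn"), "target": a.get("tr")}
    return None


def restart_batch_chains(events):
    """Rule 2: cmd.exe running a %TEMP% .bat whose children are chcp 65001,
    ping -n <N> localhost (a sleep, not a connectivity check) and a relaunched
    executable: the self-restart script seen at every level of the tree."""
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)
    findings = []
    for ev in events:
        m = TEMP_BAT_RE.search(ev.cmdline) if basename(ev.image) == "cmd.exe" else None
        if not m:
            continue
        kids = children[ev.pid]
        has_chcp = any(basename(k.image) == "chcp.com" and "65001" in k.cmdline for k in kids)
        has_ping = any(basename(k.image) == "ping.exe"
                       and re.search(r"-n\s+\d+\s+localhost", k.cmdline, re.I) for k in kids)
        relaunched = [k.image for k in kids
                      if basename(k.image).endswith(".exe") and basename(k.image) not in NOT_A_RELAUNCH]
        if has_chcp and has_ping and relaunched:
            findings.append({"rule": "quasar_restart_batch", "pid": ev.pid,
                             "bat": m.group(0), "relaunched": relaunched[0]})
    return findings


def analyse(events):
    """Run both rules; a restart chain whose relaunched binary is also the target
    of an ONLOGON/HIGHEST task is marked persisted (high confidence)."""
    tasks = [f for f in (logon_highest_task(e) for e in events) if f]
    chains = restart_batch_chains(events)
    targets = {t["target"].lower() for t in tasks if t["target"]}
    for c in chains:
        c["persisted"] = c["relaunched"].lower() in targets
    return tasks, chains


if __name__ == "__main__":
    tasks, chains = analyse(EVENTS)
    for finding in tasks + chains:
        print(finding)
```

Rule 1 alone fires on legitimate installers that register elevated logon tasks, so the correlation in `analyse` is what makes the alert actionable: a HIGHEST/ONLOGON task whose target is then relaunched through a Temp-directory batch of exactly chcp, ping and the same binary is the Quasar restart behaviour shown in the tree, not an installer. In production, key the parent/child join on process GUID or start time rather than PID, since the report itself shows PIDs being reused within the run.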
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.1MB
MD5: 2be44f2f5ea83cbc61fbd13b50c0f88c
SHA1: f44df0aeb39d32c7fcff0b60e1e1283f051cd8c9
SHA256: cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a
SHA512: 95f321154f0fee3171d735ec19c0c44dfb1e67f979b6590ebb134b7f14f8510c69b66d1c67a161481e643c52e61965e410c52a6779c89e3e41b04bc73e8bd7e2

Filesize: 2KB
MD5: 8f0271a63446aef01cf2bfc7b7c7976b
SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Filesize: 195B
MD5: 07e3b06e3cd852df77585309dcb43e06
SHA1: e89f79d546279be6cf0a7925e2cad244dbc70b87
SHA256: 697c68fd5f13052eae860d7a7d1cd4f64e855a23f72fcde757917ef65691b822
SHA512: 515f2758b268f3bcc5ad896c0148aa8cd0a07554b61ca02d5254bdad7104ea7d5ff495e22f13a665b8abbfa2ca29cfcbf147e74dd27539ee1c4cdaaead57e309

Filesize: 195B
MD5: c9b576300fb1fe78434cae5fa2e31398
SHA1: 99ffafa631320306fb96a8aa4435cf11b6677796
SHA256: 9b380bf4a8eb45c98fb8860c6a3cce48a274e80f076ef1e9163354894a72a67c
SHA512: 29d461552932f057a3df76d3740cee85975ad3642519b36453ad62c8a01768de7217d64f0eb0a9f4fcd7e6f66177d0e932e6e4955063e74ac6141b8f5c0ce023

Filesize: 195B
MD5: bbae629a6e784e6bb5aba4e4026c79c4
SHA1: a6db91e8a6b2ba388d3609431455433718b3675d
SHA256: f47b4e338cf8781fbbbc55a7ea6f0bc131dd436245cf5090a560e69d98163374
SHA512: 6867cd7eac630004d17583bff6d5db6036655b9b1981bc3de8677380ea96fdf2a7a3901eab717f13a352c3cd1131ace89f49986b24f1c938c5cd8cdb0b24bfba

Filesize: 195B
MD5: 18fad0317c5af20621ebffe821079deb
SHA1: a657b43e08f9a68bf9d861025a1f5032a4527ac1
SHA256: 3eda83cc8181abfb82e8398650b6cde7dc173f1f8dad687484a94a4d9fdfe8c7
SHA512: c6c8f69fba075f9a509c5aa6b651fc381bb1c5f6dc474304b4c2a6abeece284843a0a8d0dbad4e2af9df19446aa62a518d540e7aa5c4d43f2bab758ccc92b3cc

Filesize: 195B
MD5: 663ad06a42975be4d80b3fa50d85b92a
SHA1: 1d7996f1063963f132ac08991ee40b87d9be2219
SHA256: 018b12a117b33303bc77872ebf62924a89c78828ffb88e597c3a279fc05f3321
SHA512: 3fb21cd2a58729d4c198da0d89629c6268a129787ae6edfbb743844027192755c99cee2fec99cedaccb1774b551ff9cc184b6a85e5c35d55187f78d474db5563

Filesize: 195B
MD5: 76d3cdb0502cc45cc6f79277c4f55e1d
SHA1: 3b9d3e66ffcbee4c6b228be614ab625ffed91e67
SHA256: b106c039f7380621778045f0cbf99d7578e45e922f0d27f61f4a60afc864a662
SHA512: ae716563d018c41a16568bf9b4bc6ac4e937d4fd2fba99d1596067e5675d863db1a3a10ea8755730cd3ac13467f84b978c07c9b686abc20e783307041e9d554d

Filesize: 195B
MD5: a2eca58cc86f0291d00cac4682028f8e
SHA1: eedcf12f1a2cc4cbf64f74a8580c22c39844ebd6
SHA256: d3be6de98b592e915228e2a6d8b9cc1baa4ee7345f63e7be2d0c8e32322b701d
SHA512: 0525f4c6c8dfe9b5df90a589fb6c3e6fa08af7509e80d3d2541839a325079d6e1a3eeca30aad4840c61b50491b39a97d8db7a2bf69e8cd8bf5f9ad7c0c1acd3a

Filesize: 195B
MD5: bb4fc822fff27e971722d32abf2d1b35
SHA1: db3f9a6b19963868ac4f0c70fc5c81393952ef54
SHA256: f40698004ddccbc8375abbc13ebd0d47966b03c9cc741484158e27e367246ac2
SHA512: a857007348fbaddc32cfe386e2f120545f014c40a00149b794de9922c8b31ecca6dbbb1340d384c51550b363d85caff345e37503c8e5cb8047089e28ceec7c78

Filesize: 195B
MD5: 5644c983caf7733ccd21ee95cad9e170
SHA1: eb3e65e8b2de8151ced386a9681fe270f2b7409e
SHA256: 8e0e10c479357cb05969c7d44b59206de5e29daf54e5a62f90f6c29a0f6ca5f4
SHA512: 7e764efc7c705da39a983826ff4f3a4959ebe91b15edb82f57a7e9407f6b2c734fc4b4d8176f5707b9eceedf33ac8b0f9ae6d89029a125bcb05855348cd55d1a

Filesize: 195B
MD5: fa3b2fbb398606af3121164f453b9624
SHA1: af85c20c880c88107eff39a9d1b5b2694c7f74d8
SHA256: a4ed437a20a64b5e2a7e8e632594860b5cb67f0aee1f076493ce3fd6bc7b58a3
SHA512: 592e6a037f4a96df9752e0b9c19aba688774138565ed09784d49b245495dcbb724c1ff8da4a0550fefd0c87b95d5bef146bcbf368b556287ac125d00bd0c4716

Filesize: 195B
MD5: 94b9392d33425abff02cff9075737d19
SHA1: 7dc02f5a89e73e7c1977143499c49cf30205a668
SHA256: 8353d4106b0abf813d2d44168e39d0de3afde09f99952affa79ff28c4d71a73d
SHA512: 9bd6e60d679701a79869a85cdf4d569ff177d32e226551387c34095bc88dc441a9fc7ebe9f3740215d5e008ec0111fc0c1b7c03a527a9a0b1b591091bbff9231

Filesize: 195B
MD5: 663fd15855e650caa46e0fef7353b1f2
SHA1: e45b1c486b0ffc65032988decd0955ca8f290126
SHA256: 877b7ea4bbe6a103f36449c12826f802eb88bb83681835c8f83399e7b84137db
SHA512: 02f05e59d0c1fece4266cc16ec205b8b48d08d6326ddf9f6980e35cb5e27afb02e0bb76c72d4f62efff18a1a6300a37befaf887a6ef8fa8bbd1d0d47dbfaf342

Filesize: 195B
MD5: c3d0eeb2670e78a912af8083dd3888b6
SHA1: 9e4005f57543a9bd476e49e9c63c7b5b20b65b70
SHA256: dc1d2da434cd3f55dc21809af8b63921342e0e5449beb61914211e0aada4f01e
SHA512: 2e39356a7f349579f202ab78dbc6096db0bd1e0d7060d0d8fe7d231560ad03e608798265eb9b7044f251638595b4d87c575f9f6c1eeaa9e58e800c0d43f9e4e8

Filesize: 195B
MD5: 6e730ae09ccf001c5a57e121cc9550cd
SHA1: 3d9948573c7653f29c8da6003a5cf8d0a5d105ef
SHA256: dfc445293421bae3bb427796bbe156a6fe584304081c782c56f4711e5b18b025
SHA512: 85f487f1c5ec59a3019317c548a124f6106ee30bf4f7022722d14f33b7bb5d33491b321aae1a6d1f114711c8f6f7c38156b177eae528f910c258ac4fdbbe77ac

Filesize: 195B
MD5: d2b2b18565b959fa22b3ba00d4c67935
SHA1: a4af3cbfb31c97730e885facef606a835b233677
SHA256: e94cf5e264e1b7ebabd7fb2cb8585a3de942f2b2bd6f40ed9ee15f089c150873
SHA512: eff22c24ffdd0e8941bf40cc72d69f43d32a1e42ed2ae29af8afb1fd4f0c3f7a1437c6a01a54272abc02087868afe3a4aeb7b43bc4032409b1396cd468c341a4