Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 07:27

Behavioral task: behavioral1
Sample: f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe
Resource: win7-20241010-en
General
Target: f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe
Size: 3.1MB
MD5: df7b0e428b11f8aa5102168e65156a3b
SHA1: 7a48d280aee1b17e8a2e36b21c7441d4670cc7bc
SHA256: f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9
SHA512: c3dee0a61bc87eb230dce708172c95c5b3209d6d3c07198c2b92b68e5bd6d10e0ddf5193c4ad98be3bcb24e9627ef936de2a78274f477b33cacfe5117dc97abb
SSDEEP: 49152:HvyI22SsaNYfdPBldt698dBcjH+a071Jv0oGdPZTHHB72eh2NT:Hvf22SsaNYfdPBldt6+dBcjH+a0A/
Malware Config
Extracted
quasar 1.4.1
BROUTEUR
voltazur.ddns.net:4789
b435e96f-9e1a-4119-b07d-1ebccf7eb1b5
encryption_key: 77E1CE64C90713D69376A654F4C56C1E0262C545
install_name: Clients.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: WindowsSystemTask
subdirectory: SubDare
Signatures

Quasar family

Quasar payload (2 IoCs)
  resource: behavioral2/memory/4868-1-0x00000000004B0000-0x00000000007D4000-memory.dmp   yara_rule: family_quasar
  resource: behavioral2/files/0x0007000000023c88-4.dat   yara_rule: family_quasar

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation
  process: Clients.exe
  (the same entry is recorded 15 times)

Executes dropped EXE (15 IoCs)
  process: Clients.exe
  pids: 1384, 2236, 2408, 4240, 4276, 2204, 3024, 416, 3452, 3524, 3964, 2884, 4624, 5064, 2244

Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files\SubDare\Clients.exe   process: f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe
  File opened for modification: C:\Program Files\SubDare\Clients.exe   process: f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  process: PING.EXE
  pids: 1428, 2020, 392, 1916, 800, 4388, 2808, 2484, 3600, 1792, 4564, 1244, 1740, 5056, 624

Runs ping.exe (1 TTP, 15 IoCs)
  process: PING.EXE
  pids: 624, 3600, 1740, 4564, 4388, 1916, 1428, 800, 2020, 5056, 1792, 1244, 2808, 2484, 392

Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  process: schtasks.exe
  pids: 1420, 736, 1816, 3092, 5060, 5064, 692, 2620, 3652, 2260, 4868, 1556, 3688, 1716, 4480, 4760

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeDebugPrivilege   pid 4868   f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe
  Token: SeDebugPrivilege   pids 1384, 2236, 2408, 4240, 4276, 2204, 3024, 416, 3452, 3524, 3964, 2884, 4624, 5064, 2244   Clients.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  columns: description, pid, Process, procid_target (every row below is recorded twice in the report)
  PID 4868 wrote to memory of 2260   4868   f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe   82
  PID 4868 wrote to memory of 1384   4868   f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe   84
  PID 1384 wrote to memory of 5060   1384   Clients.exe   85
  PID 1384 wrote to memory of 4796   1384   Clients.exe   87
  PID 4796 wrote to memory of 1156   4796   cmd.exe   89
  PID 4796 wrote to memory of 1428   4796   cmd.exe   90
  PID 4796 wrote to memory of 2236   4796   cmd.exe   95
  PID 2236 wrote to memory of 5064   2236   Clients.exe   97
  PID 2236 wrote to memory of 2180   2236   Clients.exe   99
  PID 2180 wrote to memory of 3084   2180   cmd.exe   101
  PID 2180 wrote to memory of 3600   2180   cmd.exe   102
  PID 2180 wrote to memory of 2408   2180   cmd.exe   105
  PID 2408 wrote to memory of 1716   2408   Clients.exe   106
  PID 2408 wrote to memory of 4036   2408   Clients.exe   108
  PID 4036 wrote to memory of 988   4036   cmd.exe   110
  PID 4036 wrote to memory of 800   4036   cmd.exe   111
  PID 4036 wrote to memory of 4240   4036   cmd.exe   114
  PID 4240 wrote to memory of 1420   4240   Clients.exe   115
  PID 4240 wrote to memory of 3116   4240   Clients.exe   117
  PID 3116 wrote to memory of 5084   3116   cmd.exe   119
  PID 3116 wrote to memory of 1792   3116   cmd.exe   120
  PID 3116 wrote to memory of 4276   3116   cmd.exe   121
  PID 4276 wrote to memory of 692   4276   Clients.exe   122
  PID 4276 wrote to memory of 232   4276   Clients.exe   124
  PID 232 wrote to memory of 4500   232   cmd.exe   126
  PID 232 wrote to memory of 1244   232   cmd.exe   127
  PID 232 wrote to memory of 2204   232   cmd.exe   128
  PID 2204 wrote to memory of 4868   2204   Clients.exe   129
  PID 2204 wrote to memory of 2960   2204   Clients.exe   131
  PID 2960 wrote to memory of 4024   2960   cmd.exe   133
  PID 2960 wrote to memory of 2020   2960   cmd.exe   134
  PID 2960 wrote to memory of 3024   2960   cmd.exe   135

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (the bracketed number is the depth of the process in the tree)

[1] PID 4868   C:\Users\Admin\AppData\Local\Temp\f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9.exe"
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] PID 2260   C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[2] PID 1384   C:\Program Files\SubDare\Clients.exe
    cmd: "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[3] PID 5060   C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[3] PID 4796   C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lr6AKZM7LFBR.bat" "
    - Suspicious use of WriteProcessMemory
[4] PID 1156   C:\Windows\system32\chcp.com
    cmd: chcp 65001
[4] PID 1428   C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[4] PID 2236   C:\Program Files\SubDare\Clients.exe
    cmd: "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[5] PID 5064   C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[5] PID 2180   C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ynP7sxBuoqR1.bat" "
    - Suspicious use of WriteProcessMemory
[6] PID 3084   C:\Windows\system32\chcp.com
    cmd: chcp 65001
[6] PID 3600   C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[6] PID 2408   C:\Program Files\SubDare\Clients.exe
    cmd: "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[7] PID 1716   C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[7] PID 4036   C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\36CuLarZPnAb.bat" "
    - Suspicious use of WriteProcessMemory
[8] PID 988   C:\Windows\system32\chcp.com
    cmd: chcp 65001
[8] PID 800   C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[8] PID 4240   C:\Program Files\SubDare\Clients.exe
    cmd: "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[9] PID 1420   C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[9] PID 3116   C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6ECe2LSoG5Bd.bat" "
    - Suspicious use of WriteProcessMemory
[10] PID 5084   C:\Windows\system32\chcp.com
    cmd: chcp 65001
[10] PID 1792   C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[10] PID 4276   C:\Program Files\SubDare\Clients.exe
    cmd: "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[11] PID 692   C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[11] PID 232   C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l285r5jg8NAk.bat" "
    - Suspicious use of WriteProcessMemory
[12] PID 4500   C:\Windows\system32\chcp.com
    cmd: chcp 65001
[12] PID 1244   C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[12] PID 2204   C:\Program Files\SubDare\Clients.exe
    cmd: "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[13] PID 4868   C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[13] PID 2960   C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWMBHe3pcSWT.bat" "
    - Suspicious use of WriteProcessMemory
[14] PID 4024   C:\Windows\system32\chcp.com
    cmd: chcp 65001
[14] PID 2020   C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[14] PID 3024   C:\Program Files\SubDare\Clients.exe
    cmd: "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[15] PID 4480   C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[15] PID 5064   C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5bOUeVoOvKCu.bat" "
[16] PID 3968   C:\Windows\system32\chcp.com
    cmd: chcp 65001
[16] PID 1740   C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[16] PID 416   C:\Program Files\SubDare\Clients.exe
    cmd: "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[17] PID 2620   C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[17] PID 3684   C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIORyl2xmAQM.bat" "
[18] PID 640   C:\Windows\system32\chcp.com
    cmd: chcp 65001
[18] PID 4564   C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[18] PID 3452   C:\Program Files\SubDare\Clients.exe
    cmd: "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[19] PID 4760   C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[19] PID 3868   C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T1g58XW7kDl5.bat" "
[20] PID 2356   C:\Windows\system32\chcp.com
    cmd: chcp 65001
[20] PID 4388   C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[20] PID 3524   C:\Program Files\SubDare\Clients.exe
    cmd: "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[21] PID 736   C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[21] PID 3476   C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C8WpBsyLFGia.bat" "
[22] PID 4360   C:\Windows\system32\chcp.com
    cmd: chcp 65001
[22] PID 2808   C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[22] PID 3964   C:\Program Files\SubDare\Clients.exe
    cmd: "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[23] PID 3652   C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[23] PID 1928   C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYHX2F0f2dIV.bat" "
[24] PID 4972   C:\Windows\system32\chcp.com
    cmd: chcp 65001
[24] PID 2484   C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[24] PID 2884   C:\Program Files\SubDare\Clients.exe
    cmd: "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[25] PID 1556   C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[25] PID 1084   C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VKAuntqMOexw.bat" "
[26] PID 540   C:\Windows\system32\chcp.com
    cmd: chcp 65001
[26] PID 392   C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[26] PID 4624   C:\Program Files\SubDare\Clients.exe
    cmd: "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[27] PID 1816   C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[27] PID 1988   C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YTfps8RlgKyn.bat" "
[28] PID 456   C:\Windows\system32\chcp.com
    cmd: chcp 65001
[28] PID 1916   C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[28] PID 5064   C:\Program Files\SubDare\Clients.exe
    cmd: "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[29] PID 3688   C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[29] PID 3464   C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\itAH1don7DDl.bat" "
[30] PID 536   C:\Windows\system32\chcp.com
    cmd: chcp 65001
[30] PID 5056   C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[30] PID 2244   C:\Program Files\SubDare\Clients.exe
    cmd: "C:\Program Files\SubDare\Clients.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[31] PID 3092   C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[31] PID 1424   C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZzMtWxFxMceX.bat" "
[32] PID 4748   C:\Windows\system32\chcp.com
    cmd: chcp 65001
[32] PID 624   C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.1MB
MD5: df7b0e428b11f8aa5102168e65156a3b
SHA1: 7a48d280aee1b17e8a2e36b21c7441d4670cc7bc
SHA256: f853596287c8f345eba943acdc0747f19bed0e5ebc041bc0ab1aa61413d970d9
SHA512: c3dee0a61bc87eb230dce708172c95c5b3209d6d3c07198c2b92b68e5bd6d10e0ddf5193c4ad98be3bcb24e9627ef936de2a78274f477b33cacfe5117dc97abb

Filesize: 2KB
MD5: 8f0271a63446aef01cf2bfc7b7c7976b
SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Filesize: 195B
MD5: 27e4239596a5459b03a965744c1af78b
SHA1: b4cd8c0e4a9edac4166281f5915b70945f7c91de
SHA256: 958d5167987fa157ff07b267471c5e59851b331c2e0973f799472bae617761ef
SHA512: 373bce01c658204057174346cb52e824b186b4df3bbf7f2a2a1904226e372b17ee89697259ce071d6793d582695e225b76d66c9fdb2c8c84a35f6f7e7b86836b

Filesize: 195B
MD5: 13845672036a781f443935cb076f2771
SHA1: d76f420f1e5c8c9bc05e3af0825d114abce69d4b
SHA256: 3e2c870258ffa4b26b88bde278ec8c655a6a94b36252be660067240a090971fd
SHA512: 7388350a45d9708cc77f7df58cd81345af77879a40dd5f327fff7943c0ed4434e25196f43648897d549427c7c15ec7be0cba28a405420aa82d05ea361f93ab64

Filesize: 195B
MD5: 3555a59d705dba7605dbb5190594ccf7
SHA1: 65863cc086efc0d5b6b42d6d3b64c0e1755565e0
SHA256: 5d8236a029b89ffa479b6702a2410041ddbfe8e7553068903275f45ae6e75ed9
SHA512: 137a2532599cc38c259ea121b9ed1c12a3ec638ee0efae8ca5ffb7a0d2da902fdaa156942314beb029246e2b330d274955b89ceb72cd908dbd32cab7afe0f4ea

Filesize: 195B
MD5: 1da41a2325ef606e42e7da9968d12db0
SHA1: 0ce569440cdabc0ace957cdf6926960df2615a03
SHA256: 840353d13396929f1b276b0d7eafe957ce74bcba83a6af22586c4190898a705d
SHA512: 2cb0bbc41d3a646ad20adf8460f1e572f2d5585bdcec175708be15bb8425b8506c76438509f7badd7373cde850ed56c3cb065d8b7a024a494d03ab25c9f593d7

Filesize: 195B
MD5: a3bfe472845e4e6f17c915c31c52845d
SHA1: b8ab0210218aea70784d9d80b39dd35a005b7158
SHA256: 161b2c482baed7d7d7eea6cf3315aa6d0068efff871d440c16f5178274e32d81
SHA512: 8776b1b64ce6a853bc53810bc265be98a24eab4c5ba1493b83871dd9b233893ebe62e0652aa292b5429a783f5b2d8251d6ee7c791dbbffc540a4cc6f72550214

Filesize: 195B
MD5: 764848415a488c03bc1ef1ae9552aad3
SHA1: 5ab56737e05a43e2b10df02089160f8bde81c835
SHA256: 579580fa3ff9d18a9d8e31a92a5a500fe4656e7567ad40c856573cd6a47367b5
SHA512: 76ddf4928871d2055c8029377aa1e5de9ee836074c81d8e29c04ae067ca3529785e775360c64531f9f7a5215c372b3262fe492562322a4ffddc92dd9aa39d727

Filesize: 195B
MD5: 439c5fe33ae65d0b1b649516371beb32
SHA1: 2481f7aa94418707a85a59da1d007a7e4d081383
SHA256: 5fc7802df02046228171202873e5d4d1eae50461240a5da17667f6a36ba351ce
SHA512: a0e195d3e9fbafbdbaeab4e52087bc94cc84b268267dd2fe330037aae9456ba835fca14c2ab82dcbed558d7b843d0f28602f3c825eaac72f7f0fc6bed4a74aba

Filesize: 195B
MD5: 925c30a4cdba7d784a7197f86d116858
SHA1: 50d7cac8f28f17688ef7370b489f421f4c288662
SHA256: 19130602a19ab70d804a865780f6fb3c4bad3a93da83b43f2ed3570ca44d1190
SHA512: 968ee700093928c62b0a30ad1e084a370a7f26df98ffc15cd766295e02a4a12f0c59b771852f37475c283e51b93b90078b4c75a59be11877db45f63b29b4b6f6

Filesize: 195B
MD5: 32c06609f18b08c654a64226cce34394
SHA1: eaaeb965e88c46b4f7c6bc4f7a22a7df6aa2db43
SHA256: 18d8e57ad0b98f4d7e9065f27f52a56883635e415dfe1478aa63ada4de0d4ba7
SHA512: 7dd394a19280845039cf39d34584429db2adcfefc006600e13d9968bef7add1d72681cf41fa61cb4b7242ff67af815e697342435aa0a52779b7ab20744cdceb5

Filesize: 195B
MD5: b32f092e3cae6b8fa4358e523613d23a
SHA1: 87eba9d630707b420ebfcaca713e80e39103dfc7
SHA256: 81d9cf405fe34231d001b094a0a11c5523ad768517942959b79e8ecc1b745e7e
SHA512: d8a58c12a8944a930458c83c83d0f69b652890d272d9c78881f5b8dc91680a8c48ae6cd6e00bf35ffc5dddb6e18a4afe0a59e6d37a767c8c7967d9b64e4f16ff

Filesize: 195B
MD5: 16b572dcef9e7f57f4258e9adc3290aa
SHA1: f9dfad05806fe470a52a34c8abd9a27d395472ed
SHA256: 53137ae6644824dd74e841343df28e1a508ed3541b11dfe731e6e842ac2a73a8
SHA512: 1afb1d7adbac3f416adb6eebb518fb381d081713b14e6879d2268ab30027fb2fa48fdc2a16fc36e34b9a106f2c7a14665b1a94dd8fcf004a7175516c2805cbff

Filesize: 195B
MD5: 168c2484a1f85f765f85522d4e34e910
SHA1: 08da23a59664a3dc781eabd38ad9cba3638eb6d5
SHA256: 820f0367c052055d9360a5ce432038fdebb9a27496886e114f9be5981e865ca1
SHA512: bd71e6d1da981c171f831e7d1c4eec92064f09465f87ee11f387c4fd3b931105985a71cc5a65d93c50208b13e91fb99caa5a3321ac104c3e53e01e8cab102356

Filesize: 195B
MD5: 6e057596c12dc6c4721628c2ef5b8777
SHA1: 6ce28fe084691caecb5042a3661fff43e6370866
SHA256: b10d6871e23e54c8f05b6c0f4913038b55f20a008eeb730a4f124b5f46350fc6
SHA512: b70c4479c6a7f46da43fe98dd090098029b7263f2f3d741327b02dadd441cd3daba6179782edeb9cc178eb3c0b9f8d1ab07f5e50366acee1130895b499374f80

Filesize: 195B
MD5: 102eb0ef7056508f84256f191f789b29
SHA1: 6da127ecd6d1eca11d09475af0d89820098be2e5
SHA256: ee7943f8f3eef823323cfef8ffc16c7dda8129d93ff231d97caa7460fdf59fdc
SHA512: 7a98f8d8e497866485ae739a3073962a45754195dcadfa2bb111383246ca3289796508504e4988bf503ba80ee91d40f8d741e8adeb3e4f568d0915f00de9e7b2

Filesize: 195B
MD5: 027a68718322e1eec06144149f3382ce
SHA1: 72b387677fc0ab63fb5608849cc2d6eb5f7bcb05
SHA256: 64277f1ea23551602291f2a7c64644244540ac527f563ee933dc07ecefddd722
SHA512: 8f47e84ea18ce7b9f14bf940d487e17e594ebf28d010203fb6f905d454fa4e06809e177038560997bbc4af8f8785d8ca76025f32c5860ee437de06e5925a9b99