Analysis
max time kernel: 142s
max time network: 122s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2024, 13:44
Behavioral task: behavioral1
Sample: 5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
Resource: win7-20241023-en

General
Target: 5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
Size: 3.1MB
MD5: 3d5f1d38a92807e7de7d98838e05c7e8
SHA1: 38382972e6317a6e7010a8d48041e0960188fc48
SHA256: 5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95
SHA512: 35266e8c23536a0328e775ef879aac5683688994ada6eb9f91d4cdffdae71ff3a687bcb43deaf792c93b4735be2334b1fa6629a5f500645815cb32273dccaac0
SSDEEP: 49152:DvilL26AaNeWgPhlmVqvMQ7XSKnIRJ6ibR3LoGdWhNTHHB72eh2NTk:DvaL26AaNeWgPhlmVqkQ7XSKnIRJ6cY7
Malware Config
Extracted
family: quasar
version: 1.4.1
Triage
C2: sekacex395-58825.portmap.host:1194
144ba9a1-0ea5-481a-929a-2aff73023537
encryption_key: 480A149BDA5F1D4EEBD5CF8EA0711405B7FC59B1
install_name: Client.exe
log_directory: kLogs
reconnect_delay: 3000
startup_key: Avast Free Antivirus
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (7 IoCs)
resource                                                                      yara_rule
behavioral1/memory/1888-1-0x0000000001090000-0x00000000013B4000-memory.dmp    family_quasar
behavioral1/files/0x0009000000015d18-6.dat                                    family_quasar
behavioral1/memory/2748-9-0x0000000000300000-0x0000000000624000-memory.dmp    family_quasar
behavioral1/memory/2908-23-0x0000000000CC0000-0x0000000000FE4000-memory.dmp   family_quasar
behavioral1/memory/2728-97-0x00000000012E0000-0x0000000001604000-memory.dmp   family_quasar
behavioral1/memory/2036-130-0x0000000000220000-0x0000000000544000-memory.dmp  family_quasar
behavioral1/memory/564-141-0x0000000001280000-0x00000000015A4000-memory.dmp   family_quasar

Executes dropped EXE (15 IoCs)
Process: Client.exe
PIDs: 2748, 2908, 784, 1756, 1108, 844, 1940, 2552, 2728, 2852, 2896, 2036, 564, 1592, 2112

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
Process: PING.EXE
PIDs: 1152, 1480, 1732, 2136, 2780, 2024, 2536, 2776, 1504, 2844, 1716, 836, 1716, 2608, 3040

Runs ping.exe (1 TTPs, 15 IoCs)
Process: PING.EXE
PIDs: 1716, 1504, 1152, 1480, 2844, 2780, 1732, 2776, 1716, 2608, 2024, 2536, 3040, 836, 2136

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe
PIDs: 2672, 2800, 564, 2120, 2292, 2308, 2716, 2980, 2652, 3044, 3060, 676, 2280, 2788, 1044, 1600

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Token: SeDebugPrivilege
PID 1888: 5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
PIDs 2748, 2908, 784, 1756, 1108, 844, 1940, 2552, 2728, 2852, 2896, 2036, 564, 1592, 2112: Client.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree. The bracketed number is the depth in the tree: each process is a child of the nearest preceding process one level shallower, with the submitted sample as the root.

[1] PID 1888  C:\Users\Admin\AppData\Local\Temp\5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe  "C:\Users\Admin\AppData\Local\Temp\5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] PID 2308  C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[2] PID 2748  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[3] PID 2800  C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[3] PID 2132  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\z1x4aRJ5yDf2.bat" "
    - Suspicious use of WriteProcessMemory
[4] PID 1260  C:\Windows\system32\chcp.com  chcp 65001
[4] PID 2780  C:\Windows\system32\PING.EXE  ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[4] PID 2908  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[5] PID 2716  C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[5] PID 540  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\97YoUMNTSEYV.bat" "
    - Suspicious use of WriteProcessMemory
[6] PID 884  C:\Windows\system32\chcp.com  chcp 65001
[6] PID 1480  C:\Windows\system32\PING.EXE  ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[6] PID 784  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[7] PID 2652  C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[7] PID 568  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hPAm5uZjETY1.bat" "
    - Suspicious use of WriteProcessMemory
[8] PID 1116  C:\Windows\system32\chcp.com  chcp 65001
[8] PID 2024  C:\Windows\system32\PING.EXE  ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[8] PID 1756  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[9] PID 3044  C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[9] PID 2760  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\qv0VSWUmDBuf.bat" "
    - Suspicious use of WriteProcessMemory
[10] PID 2184  C:\Windows\system32\chcp.com  chcp 65001
[10] PID 1732  C:\Windows\system32\PING.EXE  ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[10] PID 1108  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[11] PID 3060  C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[11] PID 1496  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8U0x9slfCqrW.bat" "
[12] PID 1892  C:\Windows\system32\chcp.com  chcp 65001
[12] PID 2844  C:\Windows\system32\PING.EXE  ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[12] PID 844  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[13] PID 564  C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[13] PID 1668  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\cLCrnOqLCmgP.bat" "
[14] PID 2444  C:\Windows\system32\chcp.com  chcp 65001
[14] PID 1716  C:\Windows\system32\PING.EXE  ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[14] PID 1940  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[15] PID 2280  C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[15] PID 2296  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\GNdpHfbVXrZM.bat" "
[16] PID 2308  C:\Windows\system32\chcp.com  chcp 65001
[16] PID 2536  C:\Windows\system32\PING.EXE  ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[16] PID 2552  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[17] PID 2788  C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[17] PID 2872  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Jfsk4UkUCutk.bat" "
[18] PID 2912  C:\Windows\system32\chcp.com  chcp 65001
[18] PID 2776  C:\Windows\system32\PING.EXE  ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[18] PID 2728  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[19] PID 676  C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[19] PID 2964  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0dVVspSAAiPB.bat" "
[20] PID 2804  C:\Windows\system32\chcp.com  chcp 65001
[20] PID 1504  C:\Windows\system32\PING.EXE  ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[20] PID 2852  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[21] PID 2980  C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[21] PID 2328  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\36OyHk4cXooM.bat" "
[22] PID 992  C:\Windows\system32\chcp.com  chcp 65001
[22] PID 1152  C:\Windows\system32\PING.EXE  ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[22] PID 2896  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[23] PID 2120  C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[23] PID 1296  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\mKhhqWGLAZXN.bat" "
[24] PID 1140  C:\Windows\system32\chcp.com  chcp 65001
[24] PID 836  C:\Windows\system32\PING.EXE  ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[24] PID 2036  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[25] PID 1044  C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[25] PID 2240  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\d7YHl3cu9JsO.bat" "
[26] PID 1932  C:\Windows\system32\chcp.com  chcp 65001
[26] PID 2136  C:\Windows\system32\PING.EXE  ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[26] PID 564  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[27] PID 2292  C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[27] PID 1880  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\K2uC7WFGlOHL.bat" "
[28] PID 2264  C:\Windows\system32\chcp.com  chcp 65001
[28] PID 1716  C:\Windows\system32\PING.EXE  ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[28] PID 1592  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[29] PID 1600  C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[29] PID 2472  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\z6fFWUVu5M4P.bat" "
[30] PID 764  C:\Windows\system32\chcp.com  chcp 65001
[30] PID 2608  C:\Windows\system32\PING.EXE  ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[30] PID 2112  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[31] PID 2672  C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[31] PID 2800  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QqV8Ywmsw8S9.bat" "
[32] PID 2712  C:\Windows\system32\chcp.com  chcp 65001
[32] PID 3040  C:\Windows\system32\PING.EXE  ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads