Analysis
  max time kernel: 149s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  submitted: 31/12/2024, 13:44
Behavioral task: behavioral1
  Sample: 5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
  Resource: win7-20241023-en
General
  Target: 5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
  Size: 3.1MB
  MD5: 3d5f1d38a92807e7de7d98838e05c7e8
  SHA1: 38382972e6317a6e7010a8d48041e0960188fc48
  SHA256: 5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95
  SHA512: 35266e8c23536a0328e775ef879aac5683688994ada6eb9f91d4cdffdae71ff3a687bcb43deaf792c93b4735be2334b1fa6629a5f500645815cb32273dccaac0
  SSDEEP: 49152:DvilL26AaNeWgPhlmVqvMQ7XSKnIRJ6ibR3LoGdWhNTHHB72eh2NTk:DvaL26AaNeWgPhlmVqkQ7XSKnIRJ6cY7
Malware Config
  Extracted
  Family: quasar
  Version: 1.4.1
  Botnet: Triage
  C2: sekacex395-58825.portmap.host:1194
  Mutex: 144ba9a1-0ea5-481a-929a-2aff73023537
  encryption_key: 480A149BDA5F1D4EEBD5CF8EA0711405B7FC59B1
  install_name: Client.exe
  log_directory: kLogs
  reconnect_delay: 3000
  startup_key: Avast Free Antivirus
  subdirectory: SubDir
Signatures

Quasar family

Quasar payload (2 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/5032-1-0x00000000007C0000-0x0000000000AE4000-memory.dmp  family_quasar
  behavioral2/files/0x0007000000023c95-6.dat                                  family_quasar

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                     Process
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  Client.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  Client.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  Client.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  Client.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  Client.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  Client.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  Client.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  Client.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  Client.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  Client.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  Client.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  Client.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  Client.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  Client.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  Client.exe
Executes dropped EXE (15 IoCs)
  pid   Process
  2348  Client.exe
  2944  Client.exe
  980   Client.exe
  3980  Client.exe
  4444  Client.exe
  1396  Client.exe
  2976  Client.exe
  1740  Client.exe
  4924  Client.exe
  3096  Client.exe
  5028  Client.exe
  1760  Client.exe
  5056  Client.exe
  4652  Client.exe
  2832  Client.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  4672  PING.EXE
  2764  PING.EXE
  5112  PING.EXE
  3304  PING.EXE
  1364  PING.EXE
  3784  PING.EXE
  3572  PING.EXE
  1892  PING.EXE
  1972  PING.EXE
  860   PING.EXE
  4064  PING.EXE
  2544  PING.EXE
  4340  PING.EXE
  2176  PING.EXE
  472   PING.EXE
Runs ping.exe (1 TTPs, 15 IoCs)
  pid   Process
  1364  PING.EXE
  4672  PING.EXE
  2544  PING.EXE
  472   PING.EXE
  3572  PING.EXE
  3304  PING.EXE
  1972  PING.EXE
  2764  PING.EXE
  5112  PING.EXE
  4340  PING.EXE
  4064  PING.EXE
  3784  PING.EXE
  1892  PING.EXE
  860   PING.EXE
  2176  PING.EXE
Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  228   schtasks.exe
  4472  schtasks.exe
  1728  schtasks.exe
  1940  schtasks.exe
  3908  schtasks.exe
  2988  schtasks.exe
  1764  schtasks.exe
  2572  schtasks.exe
  4976  schtasks.exe
  3576  schtasks.exe
  544   schtasks.exe
  3680  schtasks.exe
  2544  schtasks.exe
  1488  schtasks.exe
  772   schtasks.exe
  2356  schtasks.exe
Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  5032  5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
  Token: SeDebugPrivilege  2348  Client.exe
  Token: SeDebugPrivilege  2944  Client.exe
  Token: SeDebugPrivilege  980   Client.exe
  Token: SeDebugPrivilege  3980  Client.exe
  Token: SeDebugPrivilege  4444  Client.exe
  Token: SeDebugPrivilege  1396  Client.exe
  Token: SeDebugPrivilege  2976  Client.exe
  Token: SeDebugPrivilege  1740  Client.exe
  Token: SeDebugPrivilege  4924  Client.exe
  Token: SeDebugPrivilege  3096  Client.exe
  Token: SeDebugPrivilege  5028  Client.exe
  Token: SeDebugPrivilege  1760  Client.exe
  Token: SeDebugPrivilege  5056  Client.exe
  Token: SeDebugPrivilege  4652  Client.exe
  Token: SeDebugPrivilege  2832  Client.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 5032 wrote to memory of 772    5032  5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe  82
  PID 5032 wrote to memory of 772    5032  5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe  82
  PID 5032 wrote to memory of 2348   5032  5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe  84
  PID 5032 wrote to memory of 2348   5032  5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe  84
  PID 2348 wrote to memory of 1940   2348  Client.exe                                                                85
  PID 2348 wrote to memory of 1940   2348  Client.exe                                                                85
  PID 2348 wrote to memory of 5064   2348  Client.exe                                                                87
  PID 2348 wrote to memory of 5064   2348  Client.exe                                                                87
  PID 5064 wrote to memory of 1612   5064  cmd.exe                                                                   89
  PID 5064 wrote to memory of 1612   5064  cmd.exe                                                                   89
  PID 5064 wrote to memory of 1364   5064  cmd.exe                                                                   90
  PID 5064 wrote to memory of 1364   5064  cmd.exe                                                                   90
  PID 5064 wrote to memory of 2944   5064  cmd.exe                                                                   96
  PID 5064 wrote to memory of 2944   5064  cmd.exe                                                                   96
  PID 2944 wrote to memory of 2356   2944  Client.exe                                                                97
  PID 2944 wrote to memory of 2356   2944  Client.exe                                                                97
  PID 2944 wrote to memory of 3572   2944  Client.exe                                                                99
  PID 2944 wrote to memory of 3572   2944  Client.exe                                                                99
  PID 3572 wrote to memory of 1188   3572  cmd.exe                                                                   101
  PID 3572 wrote to memory of 1188   3572  cmd.exe                                                                   101
  PID 3572 wrote to memory of 4672   3572  cmd.exe                                                                   102
  PID 3572 wrote to memory of 4672   3572  cmd.exe                                                                   102
  PID 3572 wrote to memory of 980    3572  cmd.exe                                                                   105
  PID 3572 wrote to memory of 980    3572  cmd.exe                                                                   105
  PID 980 wrote to memory of 1764    980   Client.exe                                                                106
  PID 980 wrote to memory of 1764    980   Client.exe                                                                106
  PID 980 wrote to memory of 828     980   Client.exe                                                                108
  PID 980 wrote to memory of 828     980   Client.exe                                                                108
  PID 828 wrote to memory of 632     828   cmd.exe                                                                   110
  PID 828 wrote to memory of 632     828   cmd.exe                                                                   110
  PID 828 wrote to memory of 1972    828   cmd.exe                                                                   111
  PID 828 wrote to memory of 1972    828   cmd.exe                                                                   111
  PID 828 wrote to memory of 3980    828   cmd.exe                                                                   113
  PID 828 wrote to memory of 3980    828   cmd.exe                                                                   113
  PID 3980 wrote to memory of 4976   3980  Client.exe                                                                114
  PID 3980 wrote to memory of 4976   3980  Client.exe                                                                114
  PID 3980 wrote to memory of 4472   3980  Client.exe                                                                116
  PID 3980 wrote to memory of 4472   3980  Client.exe                                                                116
  PID 4472 wrote to memory of 400    4472  cmd.exe                                                                   118
  PID 4472 wrote to memory of 400    4472  cmd.exe                                                                   118
  PID 4472 wrote to memory of 3784   4472  cmd.exe                                                                   119
  PID 4472 wrote to memory of 3784   4472  cmd.exe                                                                   119
  PID 4472 wrote to memory of 4444   4472  cmd.exe                                                                   121
  PID 4472 wrote to memory of 4444   4472  cmd.exe                                                                   121
  PID 4444 wrote to memory of 2988   4444  Client.exe                                                                122
  PID 4444 wrote to memory of 2988   4444  Client.exe                                                                122
  PID 4444 wrote to memory of 1760   4444  Client.exe                                                                124
  PID 4444 wrote to memory of 1760   4444  Client.exe                                                                124
  PID 1760 wrote to memory of 4340   1760  cmd.exe                                                                   126
  PID 1760 wrote to memory of 4340   1760  cmd.exe                                                                   126
  PID 1760 wrote to memory of 2764   1760  cmd.exe                                                                   127
  PID 1760 wrote to memory of 2764   1760  cmd.exe                                                                   127
  PID 1760 wrote to memory of 1396   1760  cmd.exe                                                                   128
  PID 1760 wrote to memory of 1396   1760  cmd.exe                                                                   128
  PID 1396 wrote to memory of 3908   1396  Client.exe                                                                129
  PID 1396 wrote to memory of 3908   1396  Client.exe                                                                129
  PID 1396 wrote to memory of 468    1396  Client.exe                                                                131
  PID 1396 wrote to memory of 468    1396  Client.exe                                                                131
  PID 468 wrote to memory of 3180    468   cmd.exe                                                                   133
  PID 468 wrote to memory of 3180    468   cmd.exe                                                                   133
  PID 468 wrote to memory of 2544    468   cmd.exe                                                                   134
  PID 468 wrote to memory of 2544    468   cmd.exe                                                                   134
  PID 468 wrote to memory of 2976    468   cmd.exe                                                                   135
  PID 468 wrote to memory of 2976    468   cmd.exe                                                                   135
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe (PID 5032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 2: C:\Windows\SYSTEM32\schtasks.exe (PID 772)
  Command line: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 2: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2348)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 3: C:\Windows\SYSTEM32\schtasks.exe (PID 1940)
  Command line: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 3: C:\Windows\system32\cmd.exe (PID 5064)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3eLl8vsf21Ae.bat" "
  - Suspicious use of WriteProcessMemory

Level 4: C:\Windows\system32\chcp.com (PID 1612)
  Command line: chcp 65001

Level 4: C:\Windows\system32\PING.EXE (PID 1364)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 4: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2944)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 5: C:\Windows\SYSTEM32\schtasks.exe (PID 2356)
  Command line: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 5: C:\Windows\system32\cmd.exe (PID 3572)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m4Amz93mwoYh.bat" "
  - Suspicious use of WriteProcessMemory

Level 6: C:\Windows\system32\chcp.com (PID 1188)
  Command line: chcp 65001

Level 6: C:\Windows\system32\PING.EXE (PID 4672)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 6: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 980)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 7: C:\Windows\SYSTEM32\schtasks.exe (PID 1764)
  Command line: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 7: C:\Windows\system32\cmd.exe (PID 828)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S3D2tjbCiZlw.bat" "
  - Suspicious use of WriteProcessMemory

Level 8: C:\Windows\system32\chcp.com (PID 632)
  Command line: chcp 65001

Level 8: C:\Windows\system32\PING.EXE (PID 1972)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 8: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3980)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 9: C:\Windows\SYSTEM32\schtasks.exe (PID 4976)
  Command line: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 9: C:\Windows\system32\cmd.exe (PID 4472)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xTH17h3o4nK2.bat" "
  - Suspicious use of WriteProcessMemory

Level 10: C:\Windows\system32\chcp.com (PID 400)
  Command line: chcp 65001

Level 10: C:\Windows\system32\PING.EXE (PID 3784)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 10: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4444)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 11: C:\Windows\SYSTEM32\schtasks.exe (PID 2988)
  Command line: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 11: C:\Windows\system32\cmd.exe (PID 1760)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8YyLsE1wnJwl.bat" "
  - Suspicious use of WriteProcessMemory

Level 12: C:\Windows\system32\chcp.com (PID 4340)
  Command line: chcp 65001

Level 12: C:\Windows\system32\PING.EXE (PID 2764)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 12: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1396)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Level 13: C:\Windows\SYSTEM32\schtasks.exe (PID 3908)
  Command line: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 13: C:\Windows\system32\cmd.exe (PID 468)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aPRZdye3O8Fg.bat" "
  - Suspicious use of WriteProcessMemory

Level 14: C:\Windows\system32\chcp.com (PID 3180)
  Command line: chcp 65001

Level 14: C:\Windows\system32\PING.EXE (PID 2544)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 14: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2976)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Level 15: C:\Windows\SYSTEM32\schtasks.exe (PID 228)
  Command line: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 15: C:\Windows\system32\cmd.exe (PID 3088)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aZDzfUqGlwvN.bat" "

Level 16: C:\Windows\system32\chcp.com (PID 440)
  Command line: chcp 65001

Level 16: C:\Windows\system32\PING.EXE (PID 5112)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 16: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1740)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Level 17: C:\Windows\SYSTEM32\schtasks.exe (PID 3576)
  Command line: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 17: C:\Windows\system32\cmd.exe (PID 3392)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8aMZM1lMTjFr.bat" "

Level 18: C:\Windows\system32\chcp.com (PID 3020)
  Command line: chcp 65001

Level 18: C:\Windows\system32\PING.EXE (PID 3572)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 18: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4924)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Level 19: C:\Windows\SYSTEM32\schtasks.exe (PID 544)
  Command line: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 19: C:\Windows\system32\cmd.exe (PID 632)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8wkQbLO5I7xP.bat" "

Level 20: C:\Windows\system32\chcp.com (PID 3508)
  Command line: chcp 65001

Level 20: C:\Windows\system32\PING.EXE (PID 1892)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 20: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3096)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Level 21: C:\Windows\SYSTEM32\schtasks.exe (PID 2572)
  Command line: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 21: C:\Windows\system32\cmd.exe (PID 3120)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SG2SZcy9BG30.bat" "

Level 22: C:\Windows\system32\chcp.com (PID 852)
  Command line: chcp 65001

Level 22: C:\Windows\system32\PING.EXE (PID 3304)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 22: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 5028)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Level 23: C:\Windows\SYSTEM32\schtasks.exe (PID 4472)
  Command line: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 23: C:\Windows\system32\cmd.exe (PID 2064)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqpTJ9P0TvZf.bat" "

Level 24: C:\Windows\system32\chcp.com (PID 5000)
  Command line: chcp 65001

Level 24: C:\Windows\system32\PING.EXE (PID 4340)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 24: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1760)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Level 25: C:\Windows\SYSTEM32\schtasks.exe (PID 3680)
  Command line: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 25: C:\Windows\system32\cmd.exe (PID 4084)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcPYOdb4Rg8N.bat" "

Level 26: C:\Windows\system32\chcp.com (PID 2348)
  Command line: chcp 65001

Level 26: C:\Windows\system32\PING.EXE (PID 860)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 26: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 5056)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Level 27: C:\Windows\SYSTEM32\schtasks.exe (PID 2544)
  Command line: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 27: C:\Windows\system32\cmd.exe (PID 5092)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q9pxB2YzU6Dz.bat" "

Level 28: C:\Windows\system32\chcp.com (PID 3896)
  Command line: chcp 65001

Level 28: C:\Windows\system32\PING.EXE (PID 4064)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 28: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4652)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Level 29: C:\Windows\SYSTEM32\schtasks.exe (PID 1488)
  Command line: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 29: C:\Windows\system32\cmd.exe (PID 2084)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wq9r1VxU3CuD.bat" "

Level 30: C:\Windows\system32\chcp.com (PID 2732)
  Command line: chcp 65001

Level 30: C:\Windows\system32\PING.EXE (PID 2176)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Level 30: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2832)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Level 31: C:\Windows\SYSTEM32\schtasks.exe (PID 1728)
  Command line: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Level 31: C:\Windows\system32\cmd.exe (PID 3572)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fknNtV1j2GbB.bat" "

Level 32: C:\Windows\system32\chcp.com (PID 644)
  Command line: chcp 65001

Level 32: C:\Windows\system32\PING.EXE (PID 472)
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Downloads

  Filesize: 2KB
  MD5: 8f0271a63446aef01cf2bfc7b7c7976b
  SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
  SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
  SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

  Filesize: 207B
  MD5: 5a7846494f7551d07118877cd16642bd
  SHA1: cd6977e00a2a111ccfd69e7f8b86f8eb90b3fb63
  SHA256: 749284ef2c1da48b9f3ee93b3f3265aea637fdae751b584fc48a00779f21cbad
  SHA512: 632e425270fa9f8d7b858d02941ca5bd8484bb3e89e789637a4ae26d29cfc9761d3e5c6a20356d25d7cd850d35bb06d5a083e8fdad86b7fa266cb030b6c87ad3

  Filesize: 207B
  MD5: 6f89263f98117c1a90d1bcdaf04acb33
  SHA1: f3718b70359744dcde7ecdc777697edd734d84fd
  SHA256: 9dd9afa1de4e5329ab47eeb59a87e07b5d8fa08ae34c202f0df447a09a9b9bba
  SHA512: f51ef08f054cabf2faaa73b442ab04caa08cb50e96c7a7b98f7cbf949691feaebbfd8371db9543ae987fe73d55d00f8f649f75cb3c8a0ab394122a623d761fa3

  Filesize: 207B
  MD5: 6e648a6ce89774d032343e5f9ff3f4cc
  SHA1: c8b88f195d46ab7d745266a68a111b059076ee37
  SHA256: 77deeff24ebb06d471b28423a363845dfc16d2f482305509fd113d96c19f103c
  SHA512: 2db6fa3e3b0f36f6a40baa91ac7eb581162253b1c0e424105a25b82ce86a1901b297049fef3a8f12a5282e3e2240992dbf9998d47c3ff49197783654578ae7ab

  Filesize: 207B
  MD5: d9f4744a2889ae5415408b1a1888abe4
  SHA1: 286c3e9a39777bdbf6d0573a21de7820b45c4f5e
  SHA256: 9d46ce18c68d9f46d40f8cde11f9137d44c549aacf08c473211147d8114b7e09
  SHA512: 118d95a54e9d0ac81d4dfcb699abc4c39a0a35908be9608eb5f9d9522296acf06e0732cbeed6cea725843627690242923ac523fa7d2bd4ad44f9c9e0bb887d19

  Filesize: 207B
  MD5: a0341e29ee06abf7668b41495d2e156b
  SHA1: 1d164bcc173a60c00871fa7d508c3ed773a7608a
  SHA256: 1a8de12bd8e7481ccd43d6643332bacfaf2378668bdd2553e5d5e891ad8ebb68
  SHA512: 08919e85728da45033fd26145502f3d609c8efa54e9545042080646d28fdf75f3051bc6de62a5f87cfc8776f2ba7c51dc6005b43a527ac2a3e137c77914400a6

  Filesize: 207B
  MD5: ceb20c3208379d74b6a7901565992d80
  SHA1: 56b51c0bd31bcbc0f6d989b1e3cf9aca9f2c603f
  SHA256: bb18a04e6e374de1dde76110e101e7e83054a802b03e781a10302f7c538968df
  SHA512: 5da92f17edb9110296ed0f202dd471fe00ab0c37023c1f3abbb6a23c9cb31459d3ef3ccfabbb7749ca6b8f01bd4ba0eb787932318f7f1037d1d7bd5969b5a447

  Filesize: 207B
  MD5: 1aa9fe4597ae77f3ff95c3021130567a
  SHA1: fbd77056753ffc4632fb1b3fdaf11d6edb2c2e1d
  SHA256: 063c6cca23f6a103ce14621eb817c566149229cce9eaab2d439058e99c5012aa
  SHA512: 0070d9a18ffd8fa9b8ca8ea5f486762534b5def9a48ffb07d210f4691a0885d4b5e1a8e9bfcb03423853a8707876fa525cc19dce973381b208dba2093f321776

  Filesize: 207B
  MD5: a448694399543791ea3f2c4fea71ecd5
  SHA1: f569faacf2b6c46b53ecb523ef653f91328a7d20
  SHA256: f0dbd9c3d0410efcf5ed04616db9d2b2e5b91619d7345f875fefa85e9c35e57c
  SHA512: 3dc56fc370fe2012a412b482feb784217e01ad9e6e6245136949acad60b7c13ff4371911c4ad37b42f82e6ef50327799119f23af17f178bec3769c8bfd87431e

  Filesize: 207B
  MD5: b86c7240ee1540ef222b8d21d004c9cf
  SHA1: 2b99eda83f0ad3f3bc2e320b4b51c164017d8224
  SHA256: 8b4c2e1d688fd403fbb42f78a05d925f1f1fe66361d3ebac1d4d84f279d1bbb7
  SHA512: 376c8fecc3a4d1d22240fa92806fedf26d92b43785468504db7cde6abc84bdd3a67057252bf5a343fd087632ce08ada8b73b0498acc5be06c2524c7dd7077af7

  Filesize: 207B
  MD5: e64b3424c579dea40a68377b9346535a
  SHA1: e7dba609b84efaf55c254898565832933f2da5dc
  SHA256: 31f561ce68165ad65ef7ff379c9ef4fd9c5e17f7eacb5799d2e0858974380c05
  SHA512: 09ba8979d20c19843f78b365691db275030c59760271064e2ae45c26b11c7c4cb769325e6a1a465bb33f95f5385f83b97493395902d343f29f34b395191cd588

  Filesize: 207B
  MD5: 6212aa99940c55d2c4a8860979da22e4
  SHA1: e9e4ecaaf9ef044895c4dec6a8a289d2d9811aa1
  SHA256: 1104fadd66031ca32c32d0969be9bd28683b819224fddc2d21c3326442cd1867
  SHA512: 34c787adae6a305cf2f48ad2462e9ed463811c58416ab377fa8c39d6a88123d00bf035b8a8f7d46605c5f7ad20462232ca5c78f81eda64d9cbe38b16c9b2d54d

  Filesize: 207B
  MD5: cec21340740f88d38881ec19d96af332
  SHA1: 0cb4ea25495e4f882b4059f65997b84993071c99
  SHA256: cea1c2d4f25bf667d7abf206ed003cadcbc52aef6c51c2b50d4d61ec15c02c0e
  SHA512: 87b3f0df2a47b5206d9160ae21ee7d1a0743f9119064212ebae8e47337dff7fcff2824dcec7fadf55e7a7ac358d7787ebcc5a96febfe1cbac8e72d083c3bffe8

  Filesize: 207B
  MD5: 9dad277580ba7f5145367f29eb6209b7
  SHA1: e33285c23e99096d9184d536ad0008e50eadb163
  SHA256: f4cb45356d2c9c000ef5a8b660f51d79b93a314522551d0df8737da873973ef4
  SHA512: 6fd4d4d9b3c04c9aee1c8468ddef51e9704ee8a10a783db09ef0e435ff176dad3250f00a5e0d899960cb7adef3737932012cbd41734c3f9f18a12af4a5a9708f

  Filesize: 207B
  MD5: 7947aac79ba73f650e97f7a45c5fa1a9
  SHA1: f3f7d1699e18fc33d558cacf23994bbc2d0bf5d6
  SHA256: 860294acf75b653fb72e22b571a2c9383673799c3ec86f37db7bcdb4e9e22b25
  SHA512: 62d0b2c619bc61c6b862889bd663902f52c99aa4d42363c996250215426921ec4d0ca0e534f61e89af928427ed01f12c5c1870c3a88abe525ad6ba3f91b03657

  Filesize: 207B
  MD5: 63c25ebd3c1dda5e93814e72eb4b0c24
  SHA1: 602024190e1803d34b61233316604f9ad2331055
  SHA256: 7b3e65bb6dccd045d1c6cc65a445488c2844b4d176ad57992952cc660a1b274b
  SHA512: 7903ef03fe56c2f38095bbdc825cc4f49c71ba15c721e1796e70a71de0928fc513cbff3ac692336da68e1f00ae0c35b1110fe4c08456658ba588741cbef27832

  Filesize: 3.1MB
  MD5: 3d5f1d38a92807e7de7d98838e05c7e8
  SHA1: 38382972e6317a6e7010a8d48041e0960188fc48
  SHA256: 5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95
  SHA512: 35266e8c23536a0328e775ef879aac5683688994ada6eb9f91d4cdffdae71ff3a687bcb43deaf792c93b4735be2334b1fa6629a5f500645815cb32273dccaac0