Analysis
max time kernel: 116s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2024, 13:38
Behavioral task: behavioral1
Sample: 5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
Resource: win7-20241010-en
General
Target: 5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
Size: 3.1MB
MD5: 3d5f1d38a92807e7de7d98838e05c7e8
SHA1: 38382972e6317a6e7010a8d48041e0960188fc48
SHA256: 5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95
SHA512: 35266e8c23536a0328e775ef879aac5683688994ada6eb9f91d4cdffdae71ff3a687bcb43deaf792c93b4735be2334b1fa6629a5f500645815cb32273dccaac0
SSDEEP: 49152:DvilL26AaNeWgPhlmVqvMQ7XSKnIRJ6ibR3LoGdWhNTHHB72eh2NTk:DvaL26AaNeWgPhlmVqkQ7XSKnIRJ6cY7
Malware Config
Extracted
quasar
1.4.1
Triage
sekacex395-58825.portmap.host:1194
144ba9a1-0ea5-481a-929a-2aff73023537
encryption_key: 480A149BDA5F1D4EEBD5CF8EA0711405B7FC59B1
install_name: Client.exe
log_directory: kLogs
reconnect_delay: 3000
startup_key: Avast Free Antivirus
subdirectory: SubDir
Signatures
Quasar family
Quasar payload 2 IoCs
resource / yara_rule:
- behavioral2/memory/5052-1-0x0000000000210000-0x0000000000534000-memory.dmp : family_quasar
- behavioral2/files/0x0007000000023c98-6.dat : family_quasar
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
description / ioc / Process:
- Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation : Client.exe (12 identical entries)
Executes dropped EXE 12 IoCs
pid / Process: Client.exe with PIDs 4244, 4880, 4856, 2508, 868, 864, 4588, 1032, 1676, 2212, 4436, 3536
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid / Process: PING.EXE with PIDs 1780, 2692, 3572, 3328, 4728, 632, 3992, 1460, 2960, 1744, 2736, 3120
Runs ping.exe 1 TTPs 12 IoCs
pid / Process: PING.EXE with PIDs 1460, 3572, 3328, 4728, 3120, 1780, 2692, 3992, 2960, 1744, 2736, 632
Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process: schtasks.exe with PIDs 4484, 4896, 1748, 3000, 1136, 3492, 864, 4120, 4328, 3440, 1136, 1000, 3776
Suspicious use of AdjustPrivilegeToken 13 IoCs
description / pid / Process:
- Token: SeDebugPrivilege : 5052 5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
- Token: SeDebugPrivilege : Client.exe with PIDs 4244, 4880, 4856, 2508, 868, 864, 4588, 1032, 1676, 2212, 4436, 3536
Suspicious use of WriteProcessMemory 64 IoCs
description / pid / Process / procid_target (each write is recorded twice in the original table, giving 64 entries):
- PID 5052 wrote to memory of 864 : 5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe : 82
- PID 5052 wrote to memory of 4244 : 5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe : 84
- PID 4244 wrote to memory of 4484 : Client.exe : 85
- PID 4244 wrote to memory of 4112 : Client.exe : 87
- PID 4112 wrote to memory of 4520 : cmd.exe : 89
- PID 4112 wrote to memory of 1780 : cmd.exe : 90
- PID 4112 wrote to memory of 4880 : cmd.exe : 95
- PID 4880 wrote to memory of 4120 : Client.exe : 96
- PID 4880 wrote to memory of 5088 : Client.exe : 98
- PID 5088 wrote to memory of 1916 : cmd.exe : 100
- PID 5088 wrote to memory of 2692 : cmd.exe : 101
- PID 5088 wrote to memory of 4856 : cmd.exe : 105
- PID 4856 wrote to memory of 4328 : Client.exe : 106
- PID 4856 wrote to memory of 3384 : Client.exe : 108
- PID 3384 wrote to memory of 748 : cmd.exe : 110
- PID 3384 wrote to memory of 3992 : cmd.exe : 111
- PID 3384 wrote to memory of 2508 : cmd.exe : 114
- PID 2508 wrote to memory of 3440 : Client.exe : 115
- PID 2508 wrote to memory of 4408 : Client.exe : 117
- PID 4408 wrote to memory of 532 : cmd.exe : 119
- PID 4408 wrote to memory of 1460 : cmd.exe : 120
- PID 4408 wrote to memory of 868 : cmd.exe : 121
- PID 868 wrote to memory of 1136 : Client.exe : 122
- PID 868 wrote to memory of 4600 : Client.exe : 124
- PID 4600 wrote to memory of 968 : cmd.exe : 126
- PID 4600 wrote to memory of 3572 : cmd.exe : 127
- PID 4600 wrote to memory of 864 : cmd.exe : 128
- PID 864 wrote to memory of 4896 : Client.exe : 129
- PID 864 wrote to memory of 2488 : Client.exe : 131
- PID 2488 wrote to memory of 4520 : cmd.exe : 133
- PID 2488 wrote to memory of 3328 : cmd.exe : 134
- PID 2488 wrote to memory of 4588 : cmd.exe : 135
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(The number in brackets is the depth of the process in the tree, as given in the original report.)

[1] C:\Users\Admin\AppData\Local\Temp\5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
Command: "C:\Users\Admin\AppData\Local\Temp\5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe"
PID: 5052
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[2] C:\Windows\SYSTEM32\schtasks.exe
Command: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
PID: 864
- Scheduled Task/Job: Scheduled Task

[2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
PID: 4244
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[3] C:\Windows\SYSTEM32\schtasks.exe
Command: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
PID: 4484
- Scheduled Task/Job: Scheduled Task

[3] C:\Windows\system32\cmd.exe
Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkAQBn468juo.bat" "
PID: 4112
- Suspicious use of WriteProcessMemory

[4] C:\Windows\system32\chcp.com
Command: chcp 65001
PID: 4520

[4] C:\Windows\system32\PING.EXE
Command: ping -n 10 localhost
PID: 1780
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[4] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
PID: 4880
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[5] C:\Windows\SYSTEM32\schtasks.exe
Command: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
PID: 4120
- Scheduled Task/Job: Scheduled Task

[5] C:\Windows\system32\cmd.exe
Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGSc0fqOogEy.bat" "
PID: 5088
- Suspicious use of WriteProcessMemory

[6] C:\Windows\system32\chcp.com
Command: chcp 65001
PID: 1916

[6] C:\Windows\system32\PING.EXE
Command: ping -n 10 localhost
PID: 2692
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[6] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
PID: 4856
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[7] C:\Windows\SYSTEM32\schtasks.exe
Command: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
PID: 4328
- Scheduled Task/Job: Scheduled Task

[7] C:\Windows\system32\cmd.exe
Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xL2VMoHZbszK.bat" "
PID: 3384
- Suspicious use of WriteProcessMemory

[8] C:\Windows\system32\chcp.com
Command: chcp 65001
PID: 748

[8] C:\Windows\system32\PING.EXE
Command: ping -n 10 localhost
PID: 3992
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[8] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
PID: 2508
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[9] C:\Windows\SYSTEM32\schtasks.exe
Command: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
PID: 3440
- Scheduled Task/Job: Scheduled Task

[9] C:\Windows\system32\cmd.exe
Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N1z58xmtJ0Pj.bat" "
PID: 4408
- Suspicious use of WriteProcessMemory

[10] C:\Windows\system32\chcp.com
Command: chcp 65001
PID: 532

[10] C:\Windows\system32\PING.EXE
Command: ping -n 10 localhost
PID: 1460
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[10] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
PID: 868
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[11] C:\Windows\SYSTEM32\schtasks.exe
Command: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
PID: 1136
- Scheduled Task/Job: Scheduled Task

[11] C:\Windows\system32\cmd.exe
Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\41jHEsrBdcQj.bat" "
PID: 4600
- Suspicious use of WriteProcessMemory

[12] C:\Windows\system32\chcp.com
Command: chcp 65001
PID: 968

[12] C:\Windows\system32\PING.EXE
Command: ping -n 10 localhost
PID: 3572
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[12] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
PID: 864
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[13] C:\Windows\SYSTEM32\schtasks.exe
Command: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
PID: 4896
- Scheduled Task/Job: Scheduled Task

[13] C:\Windows\system32\cmd.exe
Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0Cg9S74gAfGL.bat" "
PID: 2488
- Suspicious use of WriteProcessMemory

[14] C:\Windows\system32\chcp.com
Command: chcp 65001
PID: 4520

[14] C:\Windows\system32\PING.EXE
Command: ping -n 10 localhost
PID: 3328
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[14] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
PID: 4588
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

[15] C:\Windows\SYSTEM32\schtasks.exe
Command: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
PID: 1748
- Scheduled Task/Job: Scheduled Task

[15] C:\Windows\system32\cmd.exe
Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIUGG2SFYr2L.bat" "
PID: 3036

[16] C:\Windows\system32\chcp.com
Command: chcp 65001
PID: 2032

[16] C:\Windows\system32\PING.EXE
Command: ping -n 10 localhost
PID: 4728
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[16] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
PID: 1032
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

[17] C:\Windows\SYSTEM32\schtasks.exe
Command: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
PID: 1000
- Scheduled Task/Job: Scheduled Task

[17] C:\Windows\system32\cmd.exe
Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cvDJwbx0nSss.bat" "
PID: 2064

[18] C:\Windows\system32\chcp.com
Command: chcp 65001
PID: 4720

[18] C:\Windows\system32\PING.EXE
Command: ping -n 10 localhost
PID: 2960
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[18] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
PID: 1676
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

[19] C:\Windows\SYSTEM32\schtasks.exe
Command: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
PID: 3776
- Scheduled Task/Job: Scheduled Task

[19] C:\Windows\system32\cmd.exe
Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Eu3ljTI7oJ2H.bat" "
PID: 2028

[20] C:\Windows\system32\chcp.com
Command: chcp 65001
PID: 2056

[20] C:\Windows\system32\PING.EXE
Command: ping -n 10 localhost
PID: 1744
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[20] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
PID: 2212
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

[21] C:\Windows\SYSTEM32\schtasks.exe
Command: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
PID: 3000
- Scheduled Task/Job: Scheduled Task

[21] C:\Windows\system32\cmd.exe
Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T5RxhVgvfBUV.bat" "
PID: 2156

[22] C:\Windows\system32\chcp.com
Command: chcp 65001
PID: 1460

[22] C:\Windows\system32\PING.EXE
Command: ping -n 10 localhost
PID: 2736
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[22] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
PID: 4436
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

[23] C:\Windows\SYSTEM32\schtasks.exe
Command: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
PID: 1136
- Scheduled Task/Job: Scheduled Task

[23] C:\Windows\system32\cmd.exe
Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4FkMIo1s3y1d.bat" "
PID: 2668

[24] C:\Windows\system32\chcp.com
Command: chcp 65001
PID: 4312

[24] C:\Windows\system32\PING.EXE
Command: ping -n 10 localhost
PID: 3120
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

[24] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Command: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
PID: 3536
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

[25] C:\Windows\SYSTEM32\schtasks.exe
Command: "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
PID: 3492
- Scheduled Task/Job: Scheduled Task

[25] C:\Windows\system32\cmd.exe
Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zukOwOIzmlHB.bat" "
PID: 2192

[26] C:\Windows\system32\chcp.com
Command: chcp 65001
PID: 1600

[26] C:\Windows\system32\PING.EXE
Command: ping -n 10 localhost
PID: 632
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads