Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 145s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 22/01/2025, 04:31
Behavioral task: behavioral1
- Sample: Client-built.exe
- Resource: win7-20241023-en

General
- Target: Client-built.exe
- Size: 3.1MB
- MD5: c9861630ff205557654616ce62525119
- SHA1: 5c60d40d59b7795186022c630b232a5dcead5ef3
- SHA256: bfd658e5b67652b3574a7414ca89d4a4b5b15c25cd789226a6cb897351a44a53
- SHA512: 18b660b4a927534febca8e2a4a71a872ff1762c197a304be8bdd45337d30d193ea0da3900cb36ff8fd0fb3e40bfe999d9cdd8290814edca1a4a1ea57d3dfe4d8
- SSDEEP: 49152:tv+lL26AaNeWgPhlmVqvMQ7XSKeQRJ6CbR3LoGdYTHHB72eh2NT:tvuL26AaNeWgPhlmVqkQ7XSKeQRJ68
Malware Config
Extracted
- family: quasar
- version: 1.4.1
- tag (botnet): Office04
- c2: /meming-28826.portmap.host:28826
- mutex: 0d852c3a-6700-4e42-85af-0da8a2a2fd2a
- encryption_key: B323B6B4414256836290414EF6F85AFA580A2B68
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: System Notification Tray
- subdirectory: SubDir
Signatures
- Quasar family
- Quasar payload (10 IoCs)
  resource / yara_rule:
  behavioral1/memory/3036-1-0x0000000000E40000-0x0000000001166000-memory.dmp family_quasar
  behavioral1/files/0x0009000000015cd1-6.dat family_quasar
  behavioral1/memory/2212-10-0x0000000000180000-0x00000000004A6000-memory.dmp family_quasar
  behavioral1/memory/2860-23-0x0000000000FB0000-0x00000000012D6000-memory.dmp family_quasar
  behavioral1/memory/1532-44-0x0000000000220000-0x0000000000546000-memory.dmp family_quasar
  behavioral1/memory/1656-55-0x0000000001070000-0x0000000001396000-memory.dmp family_quasar
  behavioral1/memory/3000-97-0x0000000000280000-0x00000000005A6000-memory.dmp family_quasar
  behavioral1/memory/2024-109-0x0000000000E50000-0x0000000001176000-memory.dmp family_quasar
  behavioral1/memory/556-130-0x0000000000FE0000-0x0000000001306000-memory.dmp family_quasar
  behavioral1/memory/2632-162-0x0000000001160000-0x0000000001486000-memory.dmp family_quasar
- Executes dropped EXE (15 IoCs)
  Client.exe, PIDs: 2212, 2860, 1320, 1532, 1656, 1808, 1760, 2568, 3000, 2024, 2912, 556, 2244, 2108, 2632
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PING.EXE, PIDs: 2516, 1048, 2952, 1676, 2160, 632, 2500, 912, 1380, 1860, 596, 2960, 3020, 2624, 2412
- Runs ping.exe (1 TTP, 15 IoCs)
  PING.EXE, PIDs: 1380, 596, 3020, 2516, 1676, 1048, 2624, 2500, 2952, 2412, 912, 2960, 632, 1860, 2160
- Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe, PIDs: 676, 2612, 3012, 1660, 2992, 2664, 2056, 2684, 288, 2720, 3012, 1872, 3056, 1820, 2384, 688
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token SeDebugPrivilege: Client-built.exe (PID 3036); Client.exe (PIDs 2212, 2860, 1320, 1532, 1656, 1808, 1760, 2568, 3000, 2024, 2912, 556, 2244, 2108, 2632)
- Suspicious use of WriteProcessMemory (64 IoCs)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; the number in brackets is the depth in the tree)

[1] PID 3036  C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[2] PID 2612  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[2] PID 2212  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[3] PID 3056  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[3] PID 2988  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\4J2EfPEIAZdu.bat" "
    signatures: Suspicious use of WriteProcessMemory
[4] PID 2296  C:\Windows\system32\chcp.com
    command line: chcp 65001
[4] PID 2960  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[4] PID 2860  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[5] PID 2684  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[5] PID 2868  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\qjb1TAH2qEwf.bat" "
    signatures: Suspicious use of WriteProcessMemory
[6] PID 2140  C:\Windows\system32\chcp.com
    command line: chcp 65001
[6] PID 632  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[6] PID 1320  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[7] PID 288  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[7] PID 1260  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\SeL89pefz6z8.bat" "
    signatures: Suspicious use of WriteProcessMemory
[8] PID 804  C:\Windows\system32\chcp.com
    command line: chcp 65001
[8] PID 1048  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[8] PID 1532  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[9] PID 3012  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[9] PID 2128  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\4Vl15fDoH8ij.bat" "
    signatures: Suspicious use of WriteProcessMemory
[10] PID 3028  C:\Windows\system32\chcp.com
    command line: chcp 65001
[10] PID 3020  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[10] PID 1656  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[11] PID 676  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[11] PID 2404  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\A3JTzDpMXudf.bat" "
[12] PID 1652  C:\Windows\system32\chcp.com
    command line: chcp 65001
[12] PID 1380  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[12] PID 1808  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[13] PID 1660  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[13] PID 2132  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\nRhdLWJg34Pv.bat" "
[14] PID 2224  C:\Windows\system32\chcp.com
    command line: chcp 65001
[14] PID 2624  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[14] PID 1760  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[15] PID 1820  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[15] PID 2604  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\5U06HHeA1gL3.bat" "
[16] PID 2612  C:\Windows\system32\chcp.com
    command line: chcp 65001
[16] PID 2500  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[16] PID 2568  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[17] PID 2992  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[17] PID 2816  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\2YhJyBoIYbel.bat" "
[18] PID 2836  C:\Windows\system32\chcp.com
    command line: chcp 65001
[18] PID 2952  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[18] PID 3000  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[19] PID 2720  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[19] PID 2740  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3p882ZabOZy7.bat" "
[20] PID 1484  C:\Windows\system32\chcp.com
    command line: chcp 65001
[20] PID 2412  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[20] PID 2024  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[21] PID 2384  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[21] PID 1256  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\aiGW03aE7yfU.bat" "
[22] PID 1540  C:\Windows\system32\chcp.com
    command line: chcp 65001
[22] PID 1860  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[22] PID 2912  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[23] PID 3012  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[23] PID 2916  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\D6WHbxVac6Cb.bat" "
[24] PID 2888  C:\Windows\system32\chcp.com
    command line: chcp 65001
[24] PID 912  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[24] PID 556  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[25] PID 1872  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[25] PID 1652  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\DX5xiWIoXv1V.bat" "
[26] PID 840  C:\Windows\system32\chcp.com
    command line: chcp 65001
[26] PID 1676  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[26] PID 2244  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[27] PID 2664  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[27] PID 2224  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\UTj450knkqEL.bat" "
[28] PID 352  C:\Windows\system32\chcp.com
    command line: chcp 65001
[28] PID 2160  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[28] PID 2108  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[29] PID 2056  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[29] PID 2480  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\uB19VbZsdVME.bat" "
[30] PID 2564  C:\Windows\system32\chcp.com
    command line: chcp 65001
[30] PID 596  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[30] PID 2632  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[31] PID 688  C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    signatures: Scheduled Task/Job: Scheduled Task
[31] PID 2956  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\8eKPt9vqamu9.bat" "
[32] PID 2796  C:\Windows\system32\chcp.com
    command line: chcp 65001
[32] PID 2516  C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe