Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 22/01/2025, 04:31
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win7-20241023-en
General
Target: Client-built.exe
Size: 3.1MB
MD5: c9861630ff205557654616ce62525119
SHA1: 5c60d40d59b7795186022c630b232a5dcead5ef3
SHA256: bfd658e5b67652b3574a7414ca89d4a4b5b15c25cd789226a6cb897351a44a53
SHA512: 18b660b4a927534febca8e2a4a71a872ff1762c197a304be8bdd45337d30d193ea0da3900cb36ff8fd0fb3e40bfe999d9cdd8290814edca1a4a1ea57d3dfe4d8
SSDEEP: 49152:tv+lL26AaNeWgPhlmVqvMQ7XSKeQRJ6CbR3LoGdYTHHB72eh2NT:tvuL26AaNeWgPhlmVqkQ7XSKeQRJ68
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: /meming-28826.portmap.host:28826
Mutex: 0d852c3a-6700-4e42-85af-0da8a2a2fd2a
encryption_key: B323B6B4414256836290414EF6F85AFA580A2B68
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: System Notification Tray
subdirectory: SubDir
Signatures
- Quasar family
- Quasar payload 2 IoCs
  resource                                                                     yara_rule
  behavioral2/memory/1996-1-0x0000000000B60000-0x0000000000E86000-memory.dmp   family_quasar
  behavioral2/files/0x0007000000023cc2-6.dat                                   family_quasar
- Checks computer location settings 2 TTPs 15 IoCs
  Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                  Process
  Key value queried   \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation   Client.exe
  (15 identical entries, one per Client.exe instance)
- Executes dropped EXE 15 IoCs
  Process: Client.exe
  pid: 1764, 4816, 3308, 3628, 1008, 2472, 4932, 4488, 3676, 1276, 3060, 3976, 4384, 2572, 1804
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
  Adversaries may check for Internet connectivity on compromised systems.
  Process: PING.EXE
  pid: 2252, 4836, 4804, 720, 468, 264, 1764, 3848, 3536, 2856, 3816, 4472, 4880, 4400, 1512
- Runs ping.exe 1 TTPs 15 IoCs
  Process: PING.EXE
  pid: 1764, 3536, 720, 4880, 1512, 468, 2856, 4472, 4804, 4400, 264, 2252, 3816, 3848, 4836
- Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Process: schtasks.exe
  pid: 3004, 4876, 1644, 1736, 4420, 1980, 4532, 2244, 2344, 3012, 4692, 1972, 2108, 4216, 2752, 4424
- Suspicious use of AdjustPrivilegeToken 16 IoCs
  description               pid   Process
  Token: SeDebugPrivilege   1996  Client-built.exe
  Token: SeDebugPrivilege   1764  Client.exe
  Token: SeDebugPrivilege   4816  Client.exe
  Token: SeDebugPrivilege   3308  Client.exe
  Token: SeDebugPrivilege   3628  Client.exe
  Token: SeDebugPrivilege   1008  Client.exe
  Token: SeDebugPrivilege   2472  Client.exe
  Token: SeDebugPrivilege   4932  Client.exe
  Token: SeDebugPrivilege   4488  Client.exe
  Token: SeDebugPrivilege   3676  Client.exe
  Token: SeDebugPrivilege   1276  Client.exe
  Token: SeDebugPrivilege   3060  Client.exe
  Token: SeDebugPrivilege   3976  Client.exe
  Token: SeDebugPrivilege   4384  Client.exe
  Token: SeDebugPrivilege   2572  Client.exe
  Token: SeDebugPrivilege   1804  Client.exe
- Suspicious use of WriteProcessMemory 64 IoCs
  (each write is recorded twice in the report; the 32 distinct writes are listed once here)
  description                         pid   Process           procid_target
  PID 1996 wrote to memory of 3004    1996  Client-built.exe  85
  PID 1996 wrote to memory of 1764    1996  Client-built.exe  87
  PID 1764 wrote to memory of 1980    1764  Client.exe        88
  PID 1764 wrote to memory of 720     1764  Client.exe        90
  PID 720 wrote to memory of 2236     720   cmd.exe           92
  PID 720 wrote to memory of 1512     720   cmd.exe           93
  PID 720 wrote to memory of 4816     720   cmd.exe           97
  PID 4816 wrote to memory of 4216    4816  Client.exe        98
  PID 4816 wrote to memory of 3488    4816  Client.exe        101
  PID 3488 wrote to memory of 4316    3488  cmd.exe           104
  PID 3488 wrote to memory of 3536    3488  cmd.exe           105
  PID 3488 wrote to memory of 3308    3488  cmd.exe           114
  PID 3308 wrote to memory of 4876    3308  Client.exe        115
  PID 3308 wrote to memory of 4740    3308  Client.exe        117
  PID 4740 wrote to memory of 4484    4740  cmd.exe           120
  PID 4740 wrote to memory of 2856    4740  cmd.exe           121
  PID 4740 wrote to memory of 3628    4740  cmd.exe           126
  PID 3628 wrote to memory of 1644    3628  Client.exe        127
  PID 3628 wrote to memory of 3864    3628  Client.exe        129
  PID 3864 wrote to memory of 3888    3864  cmd.exe           132
  PID 3864 wrote to memory of 3816    3864  cmd.exe           133
  PID 3864 wrote to memory of 1008    3864  cmd.exe           134
  PID 1008 wrote to memory of 1736    1008  Client.exe        135
  PID 1008 wrote to memory of 1836    1008  Client.exe        138
  PID 1836 wrote to memory of 640     1836  cmd.exe           140
  PID 1836 wrote to memory of 720     1836  cmd.exe           141
  PID 1836 wrote to memory of 2472    1836  cmd.exe           142
  PID 2472 wrote to memory of 2344    2472  Client.exe        143
  PID 2472 wrote to memory of 2672    2472  Client.exe        146
  PID 2672 wrote to memory of 4648    2672  cmd.exe           148
  PID 2672 wrote to memory of 4472    2672  cmd.exe           149
  PID 2672 wrote to memory of 4932    2672  cmd.exe           152
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Tree depth is shown in brackets; each entry gives the PID, image path, command line and the signatures it triggered.)

[1] PID 1996  C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] PID 3004  C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[2] PID 1764  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[3] PID 1980  C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[3] PID 720  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niljpqy95MBk.bat" "
    - Suspicious use of WriteProcessMemory
[4] PID 2236  C:\Windows\system32\chcp.com
    cmd: chcp 65001
[4] PID 1512  C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[4] PID 4816  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[5] PID 4216  C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[5] PID 3488  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OzTRSCckChNH.bat" "
    - Suspicious use of WriteProcessMemory
[6] PID 4316  C:\Windows\system32\chcp.com
    cmd: chcp 65001
[6] PID 3536  C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[6] PID 3308  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[7] PID 4876  C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[7] PID 4740  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGgV9q9kx1Rj.bat" "
    - Suspicious use of WriteProcessMemory
[8] PID 4484  C:\Windows\system32\chcp.com
    cmd: chcp 65001
[8] PID 2856  C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[8] PID 3628  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[9] PID 1644  C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[9] PID 3864  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y6OPawt9CuJ2.bat" "
    - Suspicious use of WriteProcessMemory
[10] PID 3888  C:\Windows\system32\chcp.com
    cmd: chcp 65001
[10] PID 3816  C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[10] PID 1008  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[11] PID 1736  C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[11] PID 1836  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c8JBP5RzFsW3.bat" "
    - Suspicious use of WriteProcessMemory
[12] PID 640  C:\Windows\system32\chcp.com
    cmd: chcp 65001
[12] PID 720  C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[12] PID 2472  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[13] PID 2344  C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[13] PID 2672  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2UEtfW8ZtW4C.bat" "
    - Suspicious use of WriteProcessMemory
[14] PID 4648  C:\Windows\system32\chcp.com
    cmd: chcp 65001
[14] PID 4472  C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[14] PID 4932  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[15] PID 4532  C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[15] PID 2700  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l6s9H1uxOKQs.bat" "
[16] PID 852  C:\Windows\system32\chcp.com
    cmd: chcp 65001
[16] PID 3848  C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[16] PID 4488  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[17] PID 2752  C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[17] PID 3528  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QlVpcVJDCeEa.bat" "
[18] PID 4456  C:\Windows\system32\chcp.com
    cmd: chcp 65001
[18] PID 468  C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[18] PID 3676  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[19] PID 4424  C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[19] PID 2164  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKEiwyx8Oees.bat" "
[20] PID 2260  C:\Windows\system32\chcp.com
    cmd: chcp 65001
[20] PID 4880  C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[20] PID 1276  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[21] PID 3012  C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[21] PID 4124  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O0KnoJm9C8wf.bat" "
[22] PID 4500  C:\Windows\system32\chcp.com
    cmd: chcp 65001
[22] PID 4804  C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[22] PID 3060  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[23] PID 4420  C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[23] PID 3836  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZnRbOKfrrCkY.bat" "
[24] PID 4848  C:\Windows\system32\chcp.com
    cmd: chcp 65001
[24] PID 4836  C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[24] PID 3976  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[25] PID 4692  C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[25] PID 3448  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vD8cVeGmc1Y3.bat" "
[26] PID 2400  C:\Windows\system32\chcp.com
    cmd: chcp 65001
[26] PID 4400  C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[26] PID 4384  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[27] PID 1972  C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[27] PID 3940  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a7a1bWv5aD8O.bat" "
[28] PID 4204  C:\Windows\system32\chcp.com
    cmd: chcp 65001
[28] PID 264  C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[28] PID 2572  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[29] PID 2108  C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[29] PID 2008  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsGBd4PnkYC4.bat" "
[30] PID 1868  C:\Windows\system32\chcp.com
    cmd: chcp 65001
[30] PID 1764  C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[30] PID 1804  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[31] PID 2244  C:\Windows\SYSTEM32\schtasks.exe
    cmd: "schtasks" /create /tn "System Notification Tray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[31] PID 1276  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6GIpjsle5W55.bat" "
[32] PID 3928  C:\Windows\system32\chcp.com
    cmd: chcp 65001
[32] PID 2252  C:\Windows\system32\PING.EXE
    cmd: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 8f0271a63446aef01cf2bfc7b7c7976b
  SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
  SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
  SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
- Filesize: 207B
  MD5: 81c8785a2d66b4e4780e82d7e0ecd3e4
  SHA1: 8d25cb5465d5a7950266e59e4f75843f4dccb244
  SHA256: a40d55318dfc74929e091cba5c2171aec26464d2d0b5157cacff834c180c591e
  SHA512: 2b8eab6c24fdc1f9a2b1a7c9edf6dd90f1459ca1072cf60402ceb35ec21f88c065c96e3609ea25051ec69f849ad640f1ccea55af7b82bfa03a68337f99bfb8b1
- Filesize: 207B
  MD5: 75e06c22940817f73578bb3cdaca6f88
  SHA1: 403d12e765b63b16d2c700d116aa8b1db84a924c
  SHA256: fdc70209f80fac7a32f125b7c3cb6ca8eb7e9bdd0d566429c4580eada62e0c1d
  SHA512: a0bd517007b101ae963ab352173aa43b0a93f4eb6680ac0ed9dcb65b231e1c2e0f49e51d5168e48dd6ae3118584d2bcde69422710d7396f9bcbb5e5604d54151
- Filesize: 207B
  MD5: 23e19bc7c3955cb3500b61a0c82baa24
  SHA1: d46b8532b1a7457c0f84f54c6fcb6a0e504753ed
  SHA256: 9261b07b3211847156b5e735afb2a33c7cbc5a40c79090437671b8934201d2cd
  SHA512: 33b852ebd3450697151b7cf357fddc4d192204fa7fc840091ca30887133b4d70e2ce707bda46ed105ceed84bdc8cd990bf2c9deb1244d5b87f41b34b114196d5
- Filesize: 207B
  MD5: 50c61930f5e22a3b772f9ef629c741d0
  SHA1: ad0c1c9648de3859d16940bfa71c6a530c30db14
  SHA256: 9e128352fa363d8696cb3c937e5842b6f7ed12b3a956d605316f042fd423433e
  SHA512: 80d3fb233a7e3d960d1ee079ebe2e05851361c1c594968f80e3a43aeb66b926af73ae570e8f2d2a2bb73afdb7f5cb9d1bbc4472d03f1a231ba6f77abccb00b75
- Filesize: 207B
  MD5: 9a0cf6d44258b4b6d309fe9b6ebf1239
  SHA1: ca84667ef07076290d952b706fe166ca85f24c05
  SHA256: 30034932d059423a8a558b44ee3178430851b799f507deaa237559cc0e3e29b8
  SHA512: 6971c50f95328557f318a15f0b27e63b2e7aa91841ae245de4b5018525b0bbdfd62c8d023872819e29bb3acd01c329bf701b09246712b9a6c4bbaf4607e7fe55
- Filesize: 207B
  MD5: 95249b2ff9a8f3032427810bf11c5922
  SHA1: 4f7b0f786b4111b8c41c51effb95028aa018b9d5
  SHA256: d2cdabe3a735ff7218ba60bd7866916ba8bcee8f920f720d76fb72dd86955957
  SHA512: ff638abac9856c9ef1a06ece313139c26c01ef44ff205ae5efcfbf7d6598356ceffd137de57c2610d75da8e3b7db6d01aec0c10194bfdc6695898e0db6cf57a6
- Filesize: 207B
  MD5: 619a5ddd96d069a3c77060d0b2d2d6a8
  SHA1: c17599e23824c54803cc273b9328df62cd422688
  SHA256: ec75987c2cc631deca508776ea18d76bcde5107c344f1c52a6e3917cf5bd591c
  SHA512: 930d8212dfc1ae3961e435c96e9a8387d55aba52bd5ca27d95e677a18c41f4385c57b292be1b20d087592c4cfa2b8408edd67082172ed8fd4e61a44b0e22ed2b
- Filesize: 207B
  MD5: 1fbce7f6445bc09dac776f0e9419eeef
  SHA1: f49d0c8ab84a46a3c4123581fe6addad31d0a2df
  SHA256: 90aa2130679b5fc2e7136f72c64ff6817aa91cb3caa394dbf414c47a81ee9bff
  SHA512: 5db4ce559bb9980269d5859212e357ff2977303a4b96c8cdd3ae436118f90af8623d2b0dbcbea18b57bfae504e2ac7ee91e88c6e751b7b04d5af197ceea15c97
- Filesize: 207B
  MD5: 7fb83eaff61bc67d74416b1252e3eb52
  SHA1: 312f53271593c18a7fe3279c09fc1359ee635c41
  SHA256: f88ede8b984db627ddc0bbe6e7307b6eb8539e4b5a371b4568f46bd76c54fc26
  SHA512: e2c26bcc1dfb5f4f7e0a48f17acd4a73953984cdee91569629aefdbff29473b8529c2ce5518e0e766541d633c8954a3beb3c7fb97f1c639b39510c44090ebded
- Filesize: 207B
  MD5: 11eda56f9ef67457ea9bc753327fecea
  SHA1: 37512e240de3b20bf9e6a4ff03d0a087f11a103f
  SHA256: 7d50e42597656ae5f82472166725442e8842e6639bf3afc8560317451d409ab1
  SHA512: 5baaadbe5a5795b10eaad57944d18874c75ea94901b27c995f6b88d70825fab363cf39b730f4b18392d678b827f0f393285c989f565e1528fe53bf8664e04f5d
- Filesize: 207B
  MD5: 958c59717ba88793a5f8d4b11c6f1291
  SHA1: b233ed98a96c0f344e278f6bf749fab394119714
  SHA256: e5f93c5c19926f4910c9e443cc9521c660bb785a24ecec72c555835ab469f927
  SHA512: 75d118c7d3bb49f871e675cfd19ce2b20e1333038d1b3984c9aa28fb84ee939b073726eed3c34c8076c2636d45029aa61585581632b0bf4cf60b97254c8220a0
- Filesize: 207B
  MD5: 81397273ecdd3d328b158c8a37d226bb
  SHA1: ab3014a5b2c6711957f94c66792e6cf28150736d
  SHA256: fde302664dd2af893023f5c99c3c768ed9985364a3416da4fcd47a6feb646208
  SHA512: bb582a287ffa2abacb35dab6a1b75d80bf105a179ff58f895ec0ccc34b2ea358c729bfaace9fa58f4b91db6e57fe832e3810c961e828d0a16e8f47891c5461c2
- Filesize: 207B
  MD5: 71285c916b9acf7e75cd1da22950eb33
  SHA1: 79d9c1b501e08e00069d49b3af455f0f6051bd43
  SHA256: 334bf1b23e733affa1621c87dbab3fb6275a09f8027fb9fd9e85e49a030f60bd
  SHA512: efdb5af1d08915bdf663b37f917dd3ac116f6369abb9030410d9810f5cede32a7d1b5312013a9d6e940446fa085b560e92132d4aa101343ab09bfaabf703d8ee
- Filesize: 207B
  MD5: 9cb885a62376841fa0dd7deb729aabe4
  SHA1: e61f1d490c255e5dabd7f1fb470e73d5114b144c
  SHA256: 1fa80502929a146f08bd5b26edec8c5dec67a883a73a58b1c4167f15b337b296
  SHA512: 829094e442187aef096698249bdfb7fc6d817ad34bcc4f8ef420ba93621cada15fa35bb2df59449e47af6f09f9bce60d923a18742e01f4d46729ea4cb8bfc64c
- Filesize: 207B
  MD5: bff8713361546ca0f2307ee27b5e42e2
  SHA1: 78a5fc338f5e5aaf3b597030e5bc810d2c9fde64
  SHA256: 66d524916d5eb720d759d4cdf675b477b0622dc481a434069215cb0c454f5f97
  SHA512: 340166499ea8675c3f08db7c762308053d11ddf95495cc8d8fed74379fe643e8eac3d2b5026a7f30d683f82c4e08c6c5e859b5d6bc1c289b09df24e1359969ea
- Filesize: 3.1MB
  MD5: c9861630ff205557654616ce62525119
  SHA1: 5c60d40d59b7795186022c630b232a5dcead5ef3
  SHA256: bfd658e5b67652b3574a7414ca89d4a4b5b15c25cd789226a6cb897351a44a53
  SHA512: 18b660b4a927534febca8e2a4a71a872ff1762c197a304be8bdd45337d30d193ea0da3900cb36ff8fd0fb3e40bfe999d9cdd8290814edca1a4a1ea57d3dfe4d8