Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 143s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 25/01/2025, 13:54
Behavioral task
- behavioral1
  - Sample: Client-built.exe
  - Resource: win7-20240903-en

General
- Target: Client-built.exe
- Size: 3.1MB
- MD5: 8b4c57a61e6c5676459af46e842c6515
- SHA1: 4fdd72e3c52357b8d73bfd6e41ed23900c53b864
- SHA256: df3a935152015d9e0936d40f78012b2ecdd14c1fb1d58305f7e815f4ed1fefce
- SHA512: 0168318edff24ad03e6105e9dd9e6f430526f9b39b9d324fd43d690877a9b0e3bb08fdb8f572f6223186c9bd7ef1da1e59dd75caecbac0c0c2d979bacb8b08fe
- SSDEEP: 49152:6vAt62XlaSFNWPjljiFa2RoUYI48RJ6bbR3LoGd8QGTHHB72eh2NT:6vs62XlaSFNWPjljiFXRoUYI48RJ6t
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: Office04
- C2: sigma:4782
- Mutex: dcd58018-6881-4bdc-ada3-43241c4a02d7
- encryption_key: 2F0E0A6E0184EFAA28DCBF2BCF17796A6A6FA235
- install_name: Flaretest.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Windows Client Startup
- subdirectory: SubDir
Signatures

Quasar family

Quasar payload (12 IoCs)
Resource and matching YARA rule:
- behavioral1/memory/1644-1-0x0000000000FF0000-0x0000000001314000-memory.dmp: family_quasar
- behavioral1/files/0x0008000000015cf1-5.dat: family_quasar
- behavioral1/memory/2920-8-0x0000000000C50000-0x0000000000F74000-memory.dmp: family_quasar
- behavioral1/memory/1048-22-0x0000000000FC0000-0x00000000012E4000-memory.dmp: family_quasar
- behavioral1/memory/2932-33-0x0000000000330000-0x0000000000654000-memory.dmp: family_quasar
- behavioral1/memory/1040-44-0x0000000000090000-0x00000000003B4000-memory.dmp: family_quasar
- behavioral1/memory/928-55-0x0000000000990000-0x0000000000CB4000-memory.dmp: family_quasar
- behavioral1/memory/2152-67-0x0000000000DB0000-0x00000000010D4000-memory.dmp: family_quasar
- behavioral1/memory/2476-78-0x00000000010A0000-0x00000000013C4000-memory.dmp: family_quasar
- behavioral1/memory/2652-90-0x0000000001160000-0x0000000001484000-memory.dmp: family_quasar
- behavioral1/memory/1188-122-0x0000000000160000-0x0000000000484000-memory.dmp: family_quasar
- behavioral1/memory/1340-133-0x00000000008D0000-0x0000000000BF4000-memory.dmp: family_quasar

Executes dropped EXE (12 IoCs)
- Flaretest.exe, PIDs: 2920, 1048, 2932, 1040, 928, 2152, 2476, 2652, 2680, 388, 1188, 1340

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 12 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
- PING.EXE, PIDs: 2928, 1984, 804, 1640, 2548, 2820, 2252, 2828, 2112, 2264, 2544, 1736

Runs ping.exe (1 TTPs, 12 IoCs)
- PING.EXE, PIDs: 1640, 2548, 2264, 2544, 804, 1736, 2820, 1984, 2252, 2928, 2828, 2112

Scheduled Task/Job: Scheduled Task (1 TTPs, 13 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- schtasks.exe, PIDs: 2280, 2616, 2876, 1888, 2512, 1344, 2288, 2656, 2320, 1652, 2104, 2476, 2740

Suspicious use of AdjustPrivilegeToken (13 IoCs)
Token SeDebugPrivilege requested by:
- Client-built.exe, PID: 1644
- Flaretest.exe, PIDs: 2920, 1048, 2932, 1040, 928, 2152, 2476, 2652, 2680, 388, 1188, 1340

Suspicious use of FindShellTrayWindow (12 IoCs)
- Flaretest.exe, PIDs: 2920, 1048, 2932, 1040, 928, 2152, 2476, 2652, 2680, 388, 1188, 1340

Suspicious use of SendNotifyMessage (12 IoCs)
- Flaretest.exe, PIDs: 2920, 1048, 2932, 1040, 928, 2152, 2476, 2652, 2680, 388, 1188, 1340

Suspicious use of SetWindowsHookEx (12 IoCs)
- Flaretest.exe, PIDs: 2920, 1048, 2932, 1040, 928, 2152, 2476, 2652, 2680, 388, 1188, 1340

Suspicious use of WriteProcessMemory (64 IoCs; each write is recorded three times in the raw listing)
  PID   Process           wrote to PID  procid_target
  1644  Client-built.exe  2476          30
  1644  Client-built.exe  2920          32
  2920  Flaretest.exe     2740          33
  2920  Flaretest.exe     2796          35
  2796  cmd.exe           2840          37
  2796  cmd.exe           2928          38
  2796  cmd.exe           1048          39
  1048  Flaretest.exe     2656          40
  1048  Flaretest.exe     2184          43
  2184  cmd.exe           1008          45
  2184  cmd.exe           2828          46
  2184  cmd.exe           2932          47
  2932  Flaretest.exe     2320          48
  2932  Flaretest.exe     1424          50
  1424  cmd.exe           2076          52
  1424  cmd.exe           2112          53
  1424  cmd.exe           1040          54
  1040  Flaretest.exe     1652          55
  1040  Flaretest.exe     448           57
  448   cmd.exe           2252          59
  448   cmd.exe           2264          60
  448   cmd.exe           928           61

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry shows the process's depth in the tree, its PID, its image path and its command line; the signatures it triggered are listed beneath it.

[depth 1] PID 1644: C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 2] PID 2476: C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 2] PID 2920: C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 3] PID 2740: C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 3] PID 2796: C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\CIZgi4uYAoiC.bat" "
  - Suspicious use of WriteProcessMemory

[depth 4] PID 2840: C:\Windows\system32\chcp.com
  command line: chcp 65001

[depth 4] PID 2928: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 4] PID 1048: C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 5] PID 2656: C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 5] PID 2184: C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\B55nQC2rJcBr.bat" "
  - Suspicious use of WriteProcessMemory

[depth 6] PID 1008: C:\Windows\system32\chcp.com
  command line: chcp 65001

[depth 6] PID 2828: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 6] PID 2932: C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 7] PID 2320: C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 7] PID 1424: C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\JhJg32SENOVi.bat" "
  - Suspicious use of WriteProcessMemory

[depth 8] PID 2076: C:\Windows\system32\chcp.com
  command line: chcp 65001

[depth 8] PID 2112: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 8] PID 1040: C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 9] PID 1652: C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 9] PID 448: C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7M5igSCqjmSV.bat" "
  - Suspicious use of WriteProcessMemory

[depth 10] PID 2252: C:\Windows\system32\chcp.com
  command line: chcp 65001

[depth 10] PID 2264: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 10] PID 928: C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

[depth 11] PID 1344: C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 11] PID 1340: C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\W3YyS1SmYg6p.bat" "

[depth 12] PID 2576: C:\Windows\system32\chcp.com
  command line: chcp 65001

[depth 12] PID 2544: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 12] PID 2152: C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

[depth 13] PID 2288: C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 13] PID 884: C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\pxUM6Ib8BToy.bat" "

[depth 14] PID 1612: C:\Windows\system32\chcp.com
  command line: chcp 65001

[depth 14] PID 1736: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 14] PID 2476: C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

[depth 15] PID 2280: C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 15] PID 2836: C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\SVKOWDpW6en3.bat" "

[depth 16] PID 2892: C:\Windows\system32\chcp.com
  command line: chcp 65001

[depth 16] PID 2820: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 16] PID 2652: C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

[depth 17] PID 2616: C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 17] PID 2628: C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Oi3r3JnuSDHX.bat" "

[depth 18] PID 1996: C:\Windows\system32\chcp.com
  command line: chcp 65001

[depth 18] PID 1984: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 18] PID 2680: C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

[depth 19] PID 2876: C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 19] PID 536: C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\wJp7zXevpAFF.bat" "

[depth 20] PID 1960: C:\Windows\system32\chcp.com
  command line: chcp 65001

[depth 20] PID 804: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 20] PID 388: C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

[depth 21] PID 2104: C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 21] PID 2596: C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3inyZutgt4NK.bat" "

[depth 22] PID 1548: C:\Windows\system32\chcp.com
  command line: chcp 65001

[depth 22] PID 2252: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 22] PID 1188: C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

[depth 23] PID 1888: C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 23] PID 1356: C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\m7nHoRQzIthJ.bat" "

[depth 24] PID 2576: C:\Windows\system32\chcp.com
  command line: chcp 65001

[depth 24] PID 1640: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[depth 24] PID 1340: C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

[depth 25] PID 2512: C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "Windows Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Flaretest.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 25] PID 2440: C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\PY5idKesm2Nt.bat" "

[depth 26] PID 2376: C:\Windows\system32\chcp.com
  command line: chcp 65001

[depth 26] PID 2548: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads