Analysis
- max time kernel: 149s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/01/2025, 11:03
Behavioral tasks
- behavioral1: Sample CACert/CACert.exe, Resource win7-20241010-en
- behavioral2: Sample CACert/CACert.exe, Resource win10v2004-20241007-en
- behavioral3: Sample CACert/Credit Agricole Certification.exe, Resource win7-20241010-en
General
- Target: CACert/CACert.exe
- Size: 3.1MB
- MD5: 66c0c400c027e476edc8452c4355150c
- SHA1: 2212e14ea0ec4393046217f837b107d20274c618
- SHA256: d4422da00365e99fb49c83f31d2ea50f1a041d7fdda218c6823ee26491221924
- SHA512: 10908a0bf8f29a5690e6d6626421516af61070bb5b12568f255318c066956dd9f36f98802a91e9ef03466f045873711c7d6e368221b7d67e36b7827559652a53
- SSDEEP: 49152:KvyI22SsaNYfdPBldt698dBcjHpND6kCWZLoGUqnTHHB72eh2NT:Kvf22SsaNYfdPBldt6+dBcjHpNDTp
Malware Config
Extracted: quasar
- 1.4.1
- Noah
- creditagricole.zapto.org:4444
- 35b7f2fc-d3c2-4c55-949a-438b2c403cbf
- encryption_key: 482EAF21E4E65641294432E5F419F7A5A916811B
- install_name: CACert.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Credit Agricole Cert
- subdirectory: SubDir
Extracted: latentbot
- creditagricole.zapto.org
Signatures
- Latentbot family
- Quasar family
- Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3644-1-0x0000000000650000-0x0000000000974000-memory.dmp | family_quasar
  behavioral2/files/0x0007000000023ca4-6.dat | family_quasar
- Checks computer location settings (2 TTPs, 15 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | CACert.exe
  (the same entry is recorded 15 times)
- Executes dropped EXE (15 IoCs)
  Process CACert.exe, pids: 4916, 3316, 1700, 2632, 4524, 4228, 4988, 2320, 3744, 2508, 3836, 3724, 3288, 2864, 2844
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  Process PING.EXE, pids: 4448, 3884, 1248, 1504, 3008, 4456, 1576, 4760, 1552, 4244, 4300, 2660, 5044, 2688, 536
- Runs ping.exe (1 TTPs, 15 IoCs)
  Process PING.EXE, pids: 2688, 2660, 1504, 4244, 4448, 5044, 3884, 4456, 1552, 3008, 1248, 1576, 536, 4760, 4300
- Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Process schtasks.exe, pids: 1344, 1452, 184, 3368, 3432, 2516, 4428, 4780, 3172, 3884, 2540, 1000, 3604, 4228, 4896, 4520
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeDebugPrivilege, Process CACert.exe, pids: 3644, 4916, 3316, 1700, 2632, 4524, 4228, 4988, 2320, 3744, 2508, 3836, 3724, 3288, 2864, 2844
- Suspicious use of WriteProcessMemory (64 IoCs)
  pid Process -> target pid (procid_target); each entry is recorded twice in the report
  3644 CACert.exe -> 4228 (82)
  3644 CACert.exe -> 4916 (84)
  4916 CACert.exe -> 4896 (85)
  4916 CACert.exe -> 4744 (87)
  4744 cmd.exe -> 1712 (89)
  4744 cmd.exe -> 1552 (90)
  4744 cmd.exe -> 3316 (96)
  3316 CACert.exe -> 4520 (97)
  3316 CACert.exe -> 640 (99)
  640 cmd.exe -> 776 (101)
  640 cmd.exe -> 5044 (102)
  640 cmd.exe -> 1700 (105)
  1700 CACert.exe -> 3432 (106)
  1700 CACert.exe -> 936 (108)
  936 cmd.exe -> 2660 (110)
  936 cmd.exe -> 4448 (111)
  936 cmd.exe -> 2632 (113)
  2632 CACert.exe -> 4780 (114)
  2632 CACert.exe -> 3392 (116)
  3392 cmd.exe -> 4280 (118)
  3392 cmd.exe -> 4244 (119)
  3392 cmd.exe -> 4524 (121)
  4524 CACert.exe -> 2540 (122)
  4524 CACert.exe -> 2080 (124)
  2080 cmd.exe -> 2028 (126)
  2080 cmd.exe -> 1504 (127)
  2080 cmd.exe -> 4228 (128)
  4228 CACert.exe -> 2516 (129)
  4228 CACert.exe -> 4848 (131)
  4848 cmd.exe -> 4700 (133)
  4848 cmd.exe -> 4300 (134)
  4848 cmd.exe -> 4988 (135)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (depth = nesting level in the process tree)

depth 1 | PID 3644 | C:\Users\Admin\AppData\Local\Temp\CACert\CACert.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\CACert\CACert.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 2 | PID 4228 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 2 | PID 4916 | C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 3 | PID 4896 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 3 | PID 4744 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cndoHwRem7zj.bat" "
  - Suspicious use of WriteProcessMemory

depth 4 | PID 1712 | C:\Windows\system32\chcp.com
  command line: chcp 65001

depth 4 | PID 1552 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 4 | PID 3316 | C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 5 | PID 4520 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 5 | PID 640 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nARRNJUzRfbN.bat" "
  - Suspicious use of WriteProcessMemory

depth 6 | PID 776 | C:\Windows\system32\chcp.com
  command line: chcp 65001

depth 6 | PID 5044 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 6 | PID 1700 | C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 7 | PID 3432 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 7 | PID 936 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RjdFateXzJky.bat" "
  - Suspicious use of WriteProcessMemory

depth 8 | PID 2660 | C:\Windows\system32\chcp.com
  command line: chcp 65001

depth 8 | PID 4448 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 8 | PID 2632 | C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 9 | PID 4780 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 9 | PID 3392 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q4l6PsdamkuF.bat" "
  - Suspicious use of WriteProcessMemory

depth 10 | PID 4280 | C:\Windows\system32\chcp.com
  command line: chcp 65001

depth 10 | PID 4244 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 10 | PID 4524 | C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 11 | PID 2540 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 11 | PID 2080 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuepTMiAzvep.bat" "
  - Suspicious use of WriteProcessMemory

depth 12 | PID 2028 | C:\Windows\system32\chcp.com
  command line: chcp 65001

depth 12 | PID 1504 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 12 | PID 4228 | C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 13 | PID 2516 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 13 | PID 4848 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyYBL9PopRJb.bat" "
  - Suspicious use of WriteProcessMemory

depth 14 | PID 4700 | C:\Windows\system32\chcp.com
  command line: chcp 65001

depth 14 | PID 4300 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 14 | PID 4988 | C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 15 | PID 4428 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 15 | PID 1348 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ELnEVcJkAQzS.bat" "

depth 16 | PID 2476 | C:\Windows\system32\chcp.com
  command line: chcp 65001

depth 16 | PID 3008 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 16 | PID 2320 | C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 17 | PID 184 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 17 | PID 3388 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mVCz4kMEXJed.bat" "

depth 18 | PID 2176 | C:\Windows\system32\chcp.com
  command line: chcp 65001

depth 18 | PID 3884 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 18 | PID 3744 | C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 19 | PID 1344 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 19 | PID 4784 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TD4lq8apYZ6k.bat" "

depth 20 | PID 4480 | C:\Windows\system32\chcp.com
  command line: chcp 65001

depth 20 | PID 1248 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 20 | PID 2508 | C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 21 | PID 3368 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 21 | PID 1120 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KoG5JcqCAbSu.bat" "

depth 22 | PID 4484 | C:\Windows\system32\chcp.com
  command line: chcp 65001

depth 22 | PID 4456 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 22 | PID 3836 | C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 23 | PID 1000 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 23 | PID 964 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmTKd0281S8E.bat" "

depth 24 | PID 2028 | C:\Windows\system32\chcp.com
  command line: chcp 65001

depth 24 | PID 1576 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 24 | PID 3724 | C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 25 | PID 3604 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 25 | PID 4632 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9ILRXx3OuPPm.bat" "

depth 26 | PID 4916 | C:\Windows\system32\chcp.com
  command line: chcp 65001

depth 26 | PID 2688 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 26 | PID 3288 | C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 27 | PID 3172 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 27 | PID 3412 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mRPYWBNAPfrQ.bat" "

depth 28 | PID 4352 | C:\Windows\system32\chcp.com
  command line: chcp 65001

depth 28 | PID 536 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 28 | PID 2864 | C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 29 | PID 1452 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 29 | PID 3156 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiVM4zG05aSK.bat" "

depth 30 | PID 3044 | C:\Windows\system32\chcp.com
  command line: chcp 65001

depth 30 | PID 4760 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

depth 30 | PID 2844 | C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

depth 31 | PID 3884 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

depth 31 | PID 2900 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yb27IQjBOKFW.bat" "

depth 32 | PID 1836 | C:\Windows\system32\chcp.com
  command line: chcp 65001

depth 32 | PID 2660 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Downloads

- Filesize: 1KB
  MD5: baf55b95da4a601229647f25dad12878
  SHA1: abc16954ebfd213733c4493fc1910164d825cac8
  SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
  SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

- Filesize: 207B
  MD5: a58e44d5f2e7cf9c26278521ada7346a
  SHA1: 313ec6f72a4432d7713730e16e65c3dd7dd2b966
  SHA256: 4b64a51e53bbff078a5cb46ad7734f8837c7c1526a31b9c9828d0f86bafc98ec
  SHA512: 914c5920facfa445f83152c8b589419761824c76ea0eb008bd417b57cb06a7e7a0ac43249def445034df790542d921254e045175fde00555962a087beaee56c7

- Filesize: 207B
  MD5: 32d1b7d36cc33d49d318ee85aaf86720
  SHA1: 7e03f0179785f65291418dc9f522f4c11ee57eed
  SHA256: 9ba10d93e3ca7e40d221945100b34b5aa0f96738839b8506658e31d7c8eea49d
  SHA512: 72eca76de22309b18c185d48a4fcfb3319f29d8644f1c2a6d5acf93d29d6a94dcdc3580ef6d00f3b3b5f3e30763daf0d9f13da643d3c9a763a1eb1abc454f378

- Filesize: 207B
  MD5: c9f56503dcfa07e546d307ab4da62695
  SHA1: dcb3223e70a42c1936d8b2168c12cdba41bf9dbf
  SHA256: 938663e557aa848455ff3398c11d5d68d1cfcd8100a019a364e7a59a6df4277b
  SHA512: 3c24e0045fb4be775df78c7662b34cc30a4f848da779273adf6c4037b36f1038e03cae09a4badeb8736a715cef7eda178399b300f97c6c6ee5b174b9b7bbc9eb

- Filesize: 207B
  MD5: b8fb5f880a06d355183c8aacd06f47fc
  SHA1: 1843441dbb8c868c680319feea3f72ff06873ad7
  SHA256: 292f19c278159299d2b8970f905258b52e8207d0e73a6d3bccf433f3f0c4cbc1
  SHA512: a2fcf29ed3d0c5e08f1082bc33ba62ce71b3194c8c49f6a9b7c09061ea78e28eb3b3af01e335682280c1a7e5959a2deff31d709740516c2a2cbc5a04a76f0f0d

- Filesize: 207B
  MD5: fd555de9e7b56712bac11c6ad17721f3
  SHA1: a83faa2c3071c3ddd8b72c2d2bb8db69ef334a6b
  SHA256: 7724bead77aecdb67120f2ccebf0759d2bb287faca02741f1a8c0acfde135d61
  SHA512: 9cced1d42ef99bd26cfbaad700fd178f27add7d9813bbc451dda89a3efaa1432eba0ae6e0d5a12f5956258115850299f6476508bbfc08b4206c9d66998a1ed5a

- Filesize: 207B
  MD5: b5a69ec8765b07646c7c6ba90bc489cd
  SHA1: 2e5594e88cb04e15fa4437d861724d07f06aaf44
  SHA256: 781a2724c321273cce12101033c6beb3409befb0aba787b323d2e269daa848b2
  SHA512: 00fb6330534020a8cc8cbc4d9810b22bb23538e718861f13a3f84f2326a4a69647166f8f16e6cfd1cefdceaa367925055c071bce6bc231d27acf8a42b8dba517

- Filesize: 207B
  MD5: ff28f032ad2b33e321dad2f50ee7a6b4
  SHA1: 3f8e42d27ccbded50e28c24a4e57376d48b2c2f1
  SHA256: 46503b2d2ec0d29a55a7ed61f8d40c30c216638731bfd9780692591360f540d2
  SHA512: 3d4f5168d698312fcbd5f4d1b08f1ceda6d95e834bb980a400ae62aedfba410ff09b84d39af5924cb8a71d895abc0c3626f587b3e50527f7ed1b7ec064f1dcce

- Filesize: 207B
  MD5: 00c7cf1d33d51d235a9e28a9c1646751
  SHA1: 4801aaf7f1b4ad3418f464bf00571f863ae71949
  SHA256: 5081f62685d5a69c1c05777ed26e65b498ae9c3fdd3cc4191ebca9bbeba16c0e
  SHA512: 9b5c93a086099fdaf33ddeb18362fde87bad6f3fb6bb43d9864a5ec04810d44754cce59b2819ede8bf71ac6da79e12f75a08943b2089580e447dfb365563de0c

- Filesize: 207B
  MD5: 91fe7e6de45b563a8d3bc37f0d9cd19c
  SHA1: b26569948c8b9654a3b253f05cec0c60c46caee7
  SHA256: 01f91b88189fe88966e6949aff5af25ad91e57f1cd5247b87b02cc4a60ae2095
  SHA512: d439d184a6c402bb699d8480aa804f3a5e3ff5bc36d55ce55b7863b4e0898cfaf2396911bed46e6e0be5beb4b0f7ef709048b23a80b161d281e79adb144ed544

- Filesize: 207B
  MD5: bbfe2de7de36a745fff6c6bfbf3fc310
  SHA1: 611ffaf9a91c3a5732457f7ff8af6dac982a70b0
  SHA256: 0a80f6f37af635815ccbe2a58544c50a560cffbf1c226de8ca4afc8bcfba695b
  SHA512: 6e5fd2f5fc908ee206c72e4fb5eccfe4e0e785dd2f6d778960681f7a1921ad44c11f02ae276c4d1f5015892804223c28de4428bde0bb18c6b5430a26e0041ac3

- Filesize: 207B
  MD5: cddafcde7b5e6cd47b48581c25250bea
  SHA1: 8570160142d0d358bd1b7564ff2ccc2904297369
  SHA256: 5b4313bb21530ff8b786170e6dd96826fea2f5131acc4e420c6ed8f4b141eab6
  SHA512: a5b6396e46a6ce62f1b1d04f2a65f95bd5c4eba6a12af5b968c2b1a572bf0345c60318b00b2e698d4dbf4e15bdafc0a0040407190e31aa43c9b699d9956e93f1

- Filesize: 207B
  MD5: 39625779f78e8e6df9bdac251d56fdcf
  SHA1: 30a56533b357e9123a87f4903176f1cf81df6b21
  SHA256: 7a83dd3055f1db0e49710e0446d35f44e4169ea97aabd01ccf3cd632eddba64e
  SHA512: f79a5b64735cf63389ae04984296355b09604ab31709b30c89763afbb583699b07f862312a1829f8b0343f0c6cedf6b85bd166f72b1705b9b72fa58cd751e7e8

- Filesize: 207B
  MD5: 03cc96843764f6de72ec447adfb72873
  SHA1: b0a078b65894d6d3a246edcd0ec260528b83d939
  SHA256: ce4c463cee1c3da23281a2d151a46077725c9ab9707d10ccc67cbb89c077f1c1
  SHA512: 3ef1deb425edb2016eb2c32831d1521f4d8d7a89680f6ea87c9fdff06276e5de15db7100e584e6c73f826069dd7bc4fcb26603f86766c7975c4de5be152d9caf

- Filesize: 207B
  MD5: 4c239f20ca826f40ffd5ad6c1b8306d6
  SHA1: 1acb10ff99a94f741923f64467815f4e64987e53
  SHA256: e2a2e5f851d8e0651f424a95e0de06aed679594a6b8b99064c764b614d11369a
  SHA512: 3e2e22695a1806da5882b7343ccea5b0eaa205b0b86f0cb8e4dffd3ba072d37b52b9ffdd05b866d4fb83bedd17b517788402d0d62cde75d3dc2e9f51ba7fa344

- Filesize: 207B
  MD5: a4f7fd79281bc530284e0d7728ba0cdb
  SHA1: 7dd1f9569f3a9707259d4cb3442fa75aabd4fa10
  SHA256: 9e856b4a18ec4822c8ba117a5dd8016dad1cba161e2f4a1ee8e104565ba074cc
  SHA512: bb64bdeab463c95f486e5b78dc872e5be606d4c9402ac6d116df62133095121f2dba8b2994d7834ee723fa4f03ba0e5dd601a4bb58602c0e0406183edb80d0a9

- Filesize: 3.1MB (same hashes as the submitted sample)
  MD5: 66c0c400c027e476edc8452c4355150c
  SHA1: 2212e14ea0ec4393046217f837b107d20274c618
  SHA256: d4422da00365e99fb49c83f31d2ea50f1a041d7fdda218c6823ee26491221924
  SHA512: 10908a0bf8f29a5690e6d6626421516af61070bb5b12568f255318c066956dd9f36f98802a91e9ef03466f045873711c7d6e368221b7d67e36b7827559652a53