Analysis
max time kernel: 150s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/02/2025, 12:22
Behavioral task: behavioral1
Sample: Image Logger 3.5.exe
Resource: win7-20240903-en
General
Target: Image Logger 3.5.exe
Size: 3.4MB
MD5: 55fed3c2f548f0a0beed666f20a01d97
SHA1: e2908aeb63e17405b95c05a06a886813e1d4d594
SHA256: cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e
SHA512: 2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e
SSDEEP: 49152:zvnI22SsaNYfdPBldt698dBcjHAKk1QmypoGd7aPTHHB72eh2NT:zvI22SsaNYfdPBldt6+dBcjHAKke
Malware Config
Extracted
family: quasar
version: 1.4.1
Office04
C2: 26.45.181.53:4782
91fc011d-5bd3-41d0-82ab-84cdbb628ab4
encryption_key: 5E2CFB52ADC9AC8BBA82A6E18BBD8FE00311B8A0
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows Defender
subdirectory: SubDir
Signatures
Quasar family
Quasar payload (2 IoCs)
yara_rule family_quasar: behavioral2/memory/1932-1-0x0000000000A40000-0x0000000000DA6000-memory.dmp
yara_rule family_quasar: behavioral2/files/0x0011000000023b07-6.dat
Checks computer location settings (2 TTPs, 14 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried by Client.exe (14 times): \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (15 IoCs)
Client.exe PIDs: 3888, 1928, 1356, 3524, 3812, 4452, 5108, 1072, 1532, 4748, 748, 3504, 3532, 1848, 2808
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 14 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
PING.EXE PIDs: 1476, 4164, 4880, 4388, 2136, 2792, 4016, 4880, 1428, 4268, 4728, 1524, 4972, 2732 (4880 appears twice: the PID was reused by two separate ping processes, see the process tree)
Runs ping.exe (1 TTPs, 14 IoCs)
PING.EXE PIDs: 1524, 4972, 4016, 2732, 2136, 4388, 4880, 1476, 4268, 4728, 4164, 2792, 4880, 1428
Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe PIDs: 2708, 3412, 1388, 2172, 1164, 4872, 4924, 1580, 1548, 3480, 1088, 3780, 4516, 1936, 4988, 64
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Token: SeDebugPrivilege, adjusted by 1932 Image Logger 3.5.exe and by Client.exe PIDs 3888, 1928, 1356, 3524, 3812, 4452, 5108, 1072, 1532, 4748, 748, 3504, 3532, 1848, 2808
Suspicious use of FindShellTrayWindow (15 IoCs)
Client.exe PIDs: 3888, 1928, 1356, 3524, 3812, 4452, 5108, 1072, 1532, 4748, 748, 3504, 3532, 1848, 2808
Suspicious use of SendNotifyMessage (15 IoCs)
Client.exe PIDs: 3888, 1928, 1356, 3524, 3812, 4452, 5108, 1072, 1532, 4748, 748, 3504, 3532, 1848, 2808
Suspicious use of WriteProcessMemory (64 IoCs)
Columns: source PID and process, target PID, procid_target. Every pair is recorded twice in the source data, so the 64 IoCs are the 32 parent-to-child writes below.
1932 Image Logger 3.5.exe -> 2708 (procid_target 86)
1932 Image Logger 3.5.exe -> 3888 (procid_target 88)
3888 Client.exe -> 4872 (procid_target 89)
3888 Client.exe -> 2032 (procid_target 91)
2032 cmd.exe -> 760 (procid_target 93)
2032 cmd.exe -> 4972 (procid_target 94)
2032 cmd.exe -> 1928 (procid_target 96)
1928 Client.exe -> 4516 (procid_target 97)
1928 Client.exe -> 2068 (procid_target 99)
2068 cmd.exe -> 2416 (procid_target 101)
2068 cmd.exe -> 4016 (procid_target 102)
2068 cmd.exe -> 1356 (procid_target 103)
1356 Client.exe -> 4924 (procid_target 104)
1356 Client.exe -> 3904 (procid_target 106)
3904 cmd.exe -> 3392 (procid_target 108)
3904 cmd.exe -> 4880 (procid_target 109)
3904 cmd.exe -> 3524 (procid_target 112)
3524 Client.exe -> 3412 (procid_target 114)
3524 Client.exe -> 4432 (procid_target 116)
4432 cmd.exe -> 3996 (procid_target 118)
4432 cmd.exe -> 2732 (procid_target 119)
4432 cmd.exe -> 3812 (procid_target 120)
3812 Client.exe -> 3480 (procid_target 121)
3812 Client.exe -> 3040 (procid_target 123)
3040 cmd.exe -> 4456 (procid_target 125)
3040 cmd.exe -> 4388 (procid_target 126)
3040 cmd.exe -> 4452 (procid_target 127)
4452 Client.exe -> 1580 (procid_target 128)
4452 Client.exe -> 4224 (procid_target 130)
4224 cmd.exe -> 3780 (procid_target 132)
4224 cmd.exe -> 1428 (procid_target 133)
4224 cmd.exe -> 5108 (procid_target 134)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
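The two behaviours the signatures above describe, the `schtasks /create ... /rl HIGHEST` persistence and the cmd.exe, chcp, `ping -n 10 localhost`, Client.exe restart loop that fills the process tree below, are straightforward to match from process-creation telemetry. The following is an added example, not tria.ge's or Quasar's code: it runs that detection logic over a handful of constructed Sysmon-style process-creation records copied from the first iteration of the tree. The record field names (`pid`, `ppid`, `image`, `cmdline`), the dropper's parent PID 1000 and the benign "Nightly Backup" task are assumptions made for the example.

```python
"""Match the Quasar persistence and restart chain from process-creation telemetry.

Added example, not tria.ge's or Quasar's own code. EVENTS is a constructed
Sysmon-style record set copied from the first loop of the report's process
tree; the field names and the dropper's parent PID (1000) are assumptions.
"""
import re
from collections import defaultdict

EVENTS = [
    {"pid": 1932, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\Image Logger 3.5.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Image Logger 3.5.exe"'},
    {"pid": 2708, "ppid": 1932, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'},
    {"pid": 3888, "ppid": 1932, "image": r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'},
    {"pid": 4872, "ppid": 3888, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'},
    {"pid": 2032, "ppid": 3888, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ozLdC0ZkXzMh.bat" "'},
    {"pid": 760, "ppid": 2032, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 4972, "ppid": 2032, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 1928, "ppid": 2032, "image": r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'},
    # constructed benign noise: an administrator's nightly backup task
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Nightly Backup" /sc DAILY /tr "C:\Program Files\Backup\run.exe" /f'},
]

# schtasks switches of interest; values may be quoted or bare
SCHTASKS_ARG = re.compile(r'/(tn|tr|sc|rl)\s+(?:"([^"]*)"|(\S+))', re.I)
# locations an unprivileged user can write to; legitimate tasks rarely point here
USER_WRITABLE = re.compile(r'\\(AppData\\(?:Roaming|Local)|Users\\Public|ProgramData)\\', re.I)
# task names that imitate Windows security components (this sample uses "Windows Defender")
LOOKALIKE_NAMES = {"windows defender", "microsoft defender", "windows update", "security health"}


def parse_schtasks(cmdline):
    """Return {switch: value} for /tn /tr /sc /rl, switch names lower-cased."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in SCHTASKS_ARG.finditer(cmdline)}


def suspicious_schtasks(cmdline):
    """Reasons a `schtasks /create` looks like malware persistence, or [] if it does not."""
    if not re.search(r'schtasks\S*\s+/create\b', cmdline, re.I):
        return []
    a = parse_schtasks(cmdline)
    if not USER_WRITABLE.search(a.get("tr", "")):
        return []  # an action under Program Files / System32 is the normal case
    reasons = [f"action runs from a user-writable path: {a['tr']}"]
    if a.get("rl", "").upper() == "HIGHEST":
        reasons.append("/rl HIGHEST: runs with the account's highest available token")
    if a.get("sc", "").upper() == "ONLOGON":
        reasons.append("/sc ONLOGON: re-executes at every logon")
    if a.get("tn", "").strip().lower() in LOOKALIKE_NAMES:
        reasons.append(f"task name imitates a security component: {a['tn']!r}")
    return reasons if len(reasons) >= 2 else []


def find_restart_chains(events):
    """cmd.exe running a .bat from %TEMP% that pings localhost and re-launches its parent's image."""
    by_pid = {e["pid"]: e for e in events}  # on real logs key on ProcessGuid: PIDs get reused
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for cmd in events:
        if not cmd["image"].lower().endswith("\\cmd.exe"):
            continue
        if not re.search(r'\\AppData\\Local\\Temp\\[^"\\]+\.bat', cmd["cmdline"], re.I):
            continue
        kids = children[cmd["pid"]]
        pinged = any(k["image"].lower().endswith("\\ping.exe")
                     and re.search(r'-n\s+\d+\s+localhost', k["cmdline"], re.I) for k in kids)
        parent = by_pid.get(cmd["ppid"])
        relaunch = [k for k in kids if parent and k["image"].lower() == parent["image"].lower()]
        if pinged and relaunch:
            hits.append({"cmd_pid": cmd["pid"], "parent_pid": cmd["ppid"],
                         "relaunched_pid": relaunch[0]["pid"], "image": parent["image"]})
    return hits


def scan(events):
    """Run both detections; returns flagged schtasks PIDs and matched restart chains."""
    return {"schtasks": [e["pid"] for e in events if suspicious_schtasks(e["cmdline"])],
            "restart_chains": find_restart_chains(events)}


if __name__ == "__main__":
    for name, result in scan(EVENTS).items():
        print(name, result)
```

On this input `scan` flags the two schtasks invocations (PIDs 2708 and 4872) and one restart chain (cmd 2032 spawned by Client.exe 3888, re-launching Client.exe as 1928); the backup task is ignored because its action lives under Program Files. The task-name list is deliberately short: the strong signal is a HIGHEST, ONLOGON task whose action sits under a user-writable path, and the look-alike name only adds weight.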
Processes
Each entry is [nesting depth] PID and image, followed by the command line and the signatures matched on that process. A process is the child of the nearest preceding entry whose depth is one less. The same loop repeats 15 times: Client.exe registers the "Windows Defender" logon task, runs a restart batch file from %TEMP% via cmd.exe, the batch sets the code page, sleeps with ping and then starts a fresh Client.exe.

[1] PID 1932  C:\Users\Admin\AppData\Local\Temp\Image Logger 3.5.exe
    cmd:  "C:\Users\Admin\AppData\Local\Temp\Image Logger 3.5.exe"
    sigs: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[2] PID 2708  C:\Windows\SYSTEM32\schtasks.exe
    cmd:  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[2] PID 3888  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd:  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[3] PID 4872  C:\Windows\SYSTEM32\schtasks.exe
    cmd:  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[3] PID 2032  C:\Windows\system32\cmd.exe
    cmd:  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ozLdC0ZkXzMh.bat" "
    sigs: Suspicious use of WriteProcessMemory
[4] PID 760  C:\Windows\system32\chcp.com
    cmd:  chcp 65001
[4] PID 4972  C:\Windows\system32\PING.EXE
    cmd:  ping -n 10 localhost
    sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[4] PID 1928  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd:  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[5] PID 4516  C:\Windows\SYSTEM32\schtasks.exe
    cmd:  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[5] PID 2068  C:\Windows\system32\cmd.exe
    cmd:  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqasXV6uMR7J.bat" "
    sigs: Suspicious use of WriteProcessMemory
[6] PID 2416  C:\Windows\system32\chcp.com
    cmd:  chcp 65001
[6] PID 4016  C:\Windows\system32\PING.EXE
    cmd:  ping -n 10 localhost
    sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[6] PID 1356  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd:  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[7] PID 4924  C:\Windows\SYSTEM32\schtasks.exe
    cmd:  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[7] PID 3904  C:\Windows\system32\cmd.exe
    cmd:  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gALF8mkBJaZ6.bat" "
    sigs: Suspicious use of WriteProcessMemory
[8] PID 3392  C:\Windows\system32\chcp.com
    cmd:  chcp 65001
[8] PID 4880  C:\Windows\system32\PING.EXE
    cmd:  ping -n 10 localhost
    sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[8] PID 3524  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd:  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[9] PID 3412  C:\Windows\SYSTEM32\schtasks.exe
    cmd:  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[9] PID 4432  C:\Windows\system32\cmd.exe
    cmd:  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tPE1e0NIzN5A.bat" "
    sigs: Suspicious use of WriteProcessMemory
[10] PID 3996  C:\Windows\system32\chcp.com
    cmd:  chcp 65001
[10] PID 2732  C:\Windows\system32\PING.EXE
    cmd:  ping -n 10 localhost
    sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[10] PID 3812  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd:  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[11] PID 3480  C:\Windows\SYSTEM32\schtasks.exe
    cmd:  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[11] PID 3040  C:\Windows\system32\cmd.exe
    cmd:  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boaB1R457nbK.bat" "
    sigs: Suspicious use of WriteProcessMemory
[12] PID 4456  C:\Windows\system32\chcp.com
    cmd:  chcp 65001
[12] PID 4388  C:\Windows\system32\PING.EXE
    cmd:  ping -n 10 localhost
    sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[12] PID 4452  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd:  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[13] PID 1580  C:\Windows\SYSTEM32\schtasks.exe
    cmd:  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[13] PID 4224  C:\Windows\system32\cmd.exe
    cmd:  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dTdpsmbyrWUX.bat" "
    sigs: Suspicious use of WriteProcessMemory
[14] PID 3780  C:\Windows\system32\chcp.com
    cmd:  chcp 65001
[14] PID 1428  C:\Windows\system32\PING.EXE
    cmd:  ping -n 10 localhost
    sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[14] PID 5108  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd:  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[15] PID 1088  C:\Windows\SYSTEM32\schtasks.exe
    cmd:  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[15] PID 4744  C:\Windows\system32\cmd.exe
    cmd:  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YoP32BfQ7nXd.bat" "
[16] PID 5084  C:\Windows\system32\chcp.com
    cmd:  chcp 65001
[16] PID 1476  C:\Windows\system32\PING.EXE
    cmd:  ping -n 10 localhost
    sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[16] PID 1072  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd:  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[17] PID 1388  C:\Windows\SYSTEM32\schtasks.exe
    cmd:  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[17] PID 1184  C:\Windows\system32\cmd.exe
    cmd:  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IX9AXBNQyN30.bat" "
[18] PID 4944  C:\Windows\system32\chcp.com
    cmd:  chcp 65001
[18] PID 4268  C:\Windows\system32\PING.EXE
    cmd:  ping -n 10 localhost
    sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[18] PID 1532  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd:  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[19] PID 1936  C:\Windows\SYSTEM32\schtasks.exe
    cmd:  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[19] PID 4764  C:\Windows\system32\cmd.exe
    cmd:  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LlOh5ZoOUwtn.bat" "
[20] PID 1504  C:\Windows\system32\chcp.com
    cmd:  chcp 65001
[20] PID 4880  C:\Windows\system32\PING.EXE
    cmd:  ping -n 10 localhost
    sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[20] PID 4748  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd:  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[21] PID 2172  C:\Windows\SYSTEM32\schtasks.exe
    cmd:  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[21] PID 4160  C:\Windows\system32\cmd.exe
    cmd:  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGHLKphyvV2T.bat" "
[22] PID 3688  C:\Windows\system32\chcp.com
    cmd:  chcp 65001
[22] PID 4728  C:\Windows\system32\PING.EXE
    cmd:  ping -n 10 localhost
    sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[22] PID 748  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd:  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[23] PID 4988  C:\Windows\SYSTEM32\schtasks.exe
    cmd:  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[23] PID 392  C:\Windows\system32\cmd.exe
    cmd:  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j4kPnQYENWxI.bat" "
[24] PID 3480  C:\Windows\system32\chcp.com
    cmd:  chcp 65001
[24] PID 4164  C:\Windows\system32\PING.EXE
    cmd:  ping -n 10 localhost
    sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[24] PID 3504  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd:  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[25] PID 64  C:\Windows\SYSTEM32\schtasks.exe
    cmd:  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[25] PID 732  C:\Windows\system32\cmd.exe
    cmd:  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\obVTVGaWQhVG.bat" "
[26] PID 1580  C:\Windows\system32\chcp.com
    cmd:  chcp 65001
[26] PID 1524  C:\Windows\system32\PING.EXE
    cmd:  ping -n 10 localhost
    sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[26] PID 3532  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd:  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[27] PID 3780  C:\Windows\SYSTEM32\schtasks.exe
    cmd:  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[27] PID 2200  C:\Windows\system32\cmd.exe
    cmd:  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\96WsQeybAbtc.bat" "
[28] PID 1812  C:\Windows\system32\chcp.com
    cmd:  chcp 65001
[28] PID 2136  C:\Windows\system32\PING.EXE
    cmd:  ping -n 10 localhost
    sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[28] PID 1848  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd:  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[29] PID 1164  C:\Windows\SYSTEM32\schtasks.exe
    cmd:  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[29] PID 1304  C:\Windows\system32\cmd.exe
    cmd:  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2UtN68XG00Bi.bat" "
[30] PID 1700  C:\Windows\system32\chcp.com
    cmd:  chcp 65001
[30] PID 2792  C:\Windows\system32\PING.EXE
    cmd:  ping -n 10 localhost
    sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[30] PID 2808  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    cmd:  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[31] PID 1548  C:\Windows\SYSTEM32\schtasks.exe
    cmd:  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[31] PID 4972  C:\Windows\system32\cmd.exe
    cmd:  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QL0LRWTe3YXr.bat" "
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 8f0271a63446aef01cf2bfc7b7c7976b
SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Filesize: 207B
MD5: 8e1bc7e0909d20dcf5d19b9bfabfeff9
SHA1: 3c3d29995133dd50e99930ef2e63c2bb43a84ba2
SHA256: cddef336993b2446c422ed8c795ccd2b0e034fbf4bd35bb6a45d06a93dc67f6f
SHA512: 503299b68d922a5a85fc50a4907229f4f361c3d5c73c12494281a5a6dafb4d1a12ec70e9b6e2301cec4a1132ab681ec0e0fad68d676068935692360d1809758f

Filesize: 207B
MD5: 0d2c64b1e08c6b6f1a59421d585f0c32
SHA1: 3f1c3903eb0bb937721aef972b77a9375c0a1598
SHA256: 4d5447da8d6b045949b223c377f2e950f1de2ec4f3e4699361cd501e3b937e84
SHA512: d4cea23a72e5299a540e4707ad1f1b8d46a9cbf6ffb572f773db1b9e79ee2392f32d807ae971234609b1039f16087f13c4ac10b70565e156761e609eb5cb7afd

Filesize: 207B
MD5: 82b7435192791ea3445ad447884b0aa9
SHA1: 82738188b540f87e57a520805de130a4aa1a8d6e
SHA256: a5ee745ce39ea0f239a04a723e7516f818a49df1a358f3ddb098d77f0b8d59e0
SHA512: 0cb1ad1f9fe4762d39fad0a401ac0ab862039f11b6652efd66e587b7987a86ba559bab451bf77ac8f20ddbfabaa68420c10ad83204a36d3cdff82e010103a5ed

Filesize: 207B
MD5: 2855ca329e8e5333c7c6238daca15b80
SHA1: 44f6201c9b0d5f116651c744387b7e1aba4a0e9e
SHA256: f4517cf1b405c11c3d5f47d7ccf8c52fcf0ea0446a6e1b89427d17dd08b74dc3
SHA512: 254599a6961810eecdb4c0be7f0b86a51ef1f34f3d1afab3ec6bdf6a7583748a710d26ce7d6253760e3c087c883fe4a13a7d5fc679eddf775a52343b803fdf83

Filesize: 207B
MD5: b2a2da78b5980c665e6306ceebc1bae1
SHA1: 24eb667ff00c76e2d5a08b12a18bea95da647f53
SHA256: 7fc813f48a480dc71d165d6f9b9ada05fdba97fce2193e9c273ca5a58c6190ef
SHA512: 3a066340fed855627de24e4c41cf3774d389caab58f1a6bc2e889280523beaa9c158647db4946941ead2c16a95f161a6960a3cd1740a6bf0e2bf90b85e4c8e7e

Filesize: 207B
MD5: e8373cef22ebc3a9ba18c9a28b5f3c86
SHA1: 700edfcba221b0c71d1f3e3307d0189669692e70
SHA256: b251f8db294013b86819e2c9e4d59ccb73985812e9660b956de75baa81509ba6
SHA512: 406d36a230881da044c2175a62f4b57abdf14e3337619352469745fa5eb13d0aa983fc5df71c2cf12b75912d86df7dca4fc3db2543b86d26855d51cd7e6aedd8

Filesize: 207B
MD5: 2b40faf79add6ad4e16bafcf7c73de4e
SHA1: d9540eab467e3d730c023cc19db6e84e8a3b9cf0
SHA256: 871f73a31b20a6967629493d2debb21f9e3856e73fc0edbb39387fdf15a5d8c1
SHA512: be10bdb4bf943719291b9e4836e8a81e0d9e78538813d5971c9d10201b1e0067090d8a3544718bffb7e8aa7626d0a77101c81a26749cc13c22953b75dd97d628

Filesize: 207B
MD5: 8d019c123d0a21dc3173c487c7fb98db
SHA1: 117b02835e1fe17f56db297654251807bfa868b7
SHA256: 9c40e6962f99c9b8f7e7f43f69abd57f59312699dc5ec7307e248b691bbde336
SHA512: d6b364ddd5946b060d24bcf616d1a37744df5c475f6746e050e4c7e2276bfe229c8aeb1d41f369f93f552f62f04b3c5e96bfb71afc93fff8faf075bd2c7e8c4d

Filesize: 207B
MD5: 7370c9e6095d01c19635a61c024d7cfc
SHA1: f7f84824b61ac8ce21cac4eb6f659c71f11eac34
SHA256: 98d3e32679ea1b463e17917644f2f61039224b4f8d840844f1613598d0978120
SHA512: fc56032c393366d6cdc493ef1ebe4b0a3fd14e4699acb944c8d38155904c43c89645dca23c06dcb4574e50e6f97f6d2de3843940433c0396b190277c9490f108

Filesize: 207B
MD5: 6a4eca497e1f71df6c4f80f552c60a29
SHA1: 3f7f98e4cc08789f12e1264373a9bf7c3beb8df4
SHA256: 015dc628f33498f591447340702d628db85a71c2f98808d7085e77ceadd7d0c1
SHA512: e295ef2a551b25208951df81844aed2e3ae9b332102b969d5042f4a7d60d7ebca7893f21812c867229a547a4373b16be02ae8ac61f142ae55cd0fdfcb5ab3ed2

Filesize: 207B
MD5: b3cfc67794b04ee506a507c8670087ec
SHA1: 98b3a8a3da9c655e1de6e0255301ce8c764a452d
SHA256: f25b989f8407a55f0ad785503e4452d32aa907d76180daf94a422b94e6d6d5db
SHA512: 3b68e207c5b3dfe93632736784502f0229779d1546cd6312b13f74ac0d26ed8cbacdcf38e2c4f117d740d6bfa32194b6f6752e6ed66fb61e5dda61aadc53d3b0

Filesize: 207B
MD5: 9c03471f85ab04182da2b84a934a2b0b
SHA1: 979486eee7a05209045aed3d6cb95ec2d2c8d4eb
SHA256: 67c9dd1a6f009f4e6d055c4ea5c5d93136a43c1f9a56a686f68c9b29c8a3a3c4
SHA512: 9b91284487fe89a6393e117876bef85315362434cf6b41d013a5e6640b9e78b57e42c2425b0ca880015e03dfd681cc05af7b506d0794afed5ebb1fd6cadc09c4

Filesize: 207B
MD5: 38c0a34fc2855fdbb1a768cecc8517ab
SHA1: a7e191675ae661949d9f43a7938f7b49ec345f8c
SHA256: bb9148bffa28033d4ed2d305d5521b74a03f1843a4196258bbcb41689f8c0fe4
SHA512: 9032b80e064899955eaf3877b408ad6adc88775c73993914c0677d4e9183810aeba0a2ccec5c7efc2f45d9fcab3965563d4e5d3b584f95626f6daff018a02953

Filesize: 207B
MD5: f36a40b0e046333fa26e4b4d6ab25fde
SHA1: 4ffb5553f8a480db90a467add3bcb3b8b3adc6ec
SHA256: 83373f0ef823d99461bbe9d7ee95fda926d47a1c05d1d5294d07750666a5e2ab
SHA512: 3ad07703740bb71ff8ad5b0a65821faa147d70ba20e4d11298bea6bdbc88c0313f3b4e35e9578d45d94af506c0aff684965f18619c4b5efea7c584aefc8932aa

Filesize: 3.4MB (same hashes as the submitted sample)
MD5: 55fed3c2f548f0a0beed666f20a01d97
SHA1: e2908aeb63e17405b95c05a06a886813e1d4d594
SHA256: cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e
SHA512: 2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e