Analysis
- max time kernel: 147s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/02/2025, 12:28
Behavioral task
- behavioral1
- Sample: ImageLogger3.5.exe
- Resource: win7-20240903-en
General
- Target: ImageLogger3.5.exe
- Size: 3.4MB
- MD5: 55fed3c2f548f0a0beed666f20a01d97
- SHA1: e2908aeb63e17405b95c05a06a886813e1d4d594
- SHA256: cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e
- SHA512: 2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e
- SSDEEP: 49152:zvnI22SsaNYfdPBldt698dBcjHAKk1QmypoGd7aPTHHB72eh2NT:zvI22SsaNYfdPBldt6+dBcjHAKke
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: Office04
- C2: 26.45.181.53:4782
- Mutex: 91fc011d-5bd3-41d0-82ab-84cdbb628ab4
- encryption_key: 5E2CFB52ADC9AC8BBA82A6E18BBD8FE00311B8A0
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Windows Defender
- subdirectory: SubDir
Signatures
- Quasar family
- Quasar payload (2 IoCs)
  resource / yara_rule:
  behavioral2/memory/2704-1-0x0000000000970000-0x0000000000CD6000-memory.dmp / family_quasar
  behavioral2/files/0x000b000000023b89-5.dat / family_quasar
- Checks computer location settings (2 TTPs, 15 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / Process:
  Key value queried / \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation / Client.exe (this identical row is reported 15 times)
- Executes dropped EXE (15 IoCs)
  Client.exe, PIDs 4008, 4248, 928, 1036, 1444, 752, 1068, 1156, 232, 2572, 3340, 2936, 4788, 1712, 4180
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PING.EXE, PIDs 764, 868, 4532, 3064, 4252, 1716, 2888, 4900, 3540, 5084, 4180, 2704, 4340, 1004, 4372
- Runs ping.exe (1 TTP, 15 IoCs)
  PING.EXE, PIDs 764, 4900, 3540, 4372, 4532, 868, 2704, 3064, 4340, 4180, 2888, 4252, 1716, 5084, 1004
- Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe, PIDs 3112, 1360, 392, 1848, 1464, 2648, 4068, 3780, 4984, 3308, 3920, 1632, 2744, 5104, 3328, 3104
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeDebugPrivilege, ImageLogger3.5.exe PID 2704
  Token: SeDebugPrivilege, Client.exe PIDs 4008, 4248, 928, 1036, 1444, 752, 1068, 1156, 232, 2572, 3340, 2936, 4788, 1712, 4180
- Suspicious use of FindShellTrayWindow (15 IoCs)
  Client.exe, PIDs 4008, 4248, 928, 1036, 1444, 752, 1068, 1156, 232, 2572, 3340, 2936, 4788, 1712, 4180
- Suspicious use of SendNotifyMessage (15 IoCs)
  Client.exe, PIDs 4008, 4248, 928, 1036, 1444, 752, 1068, 1156, 232, 2572, 3340, 2936, 4788, 1712, 4180
- Suspicious use of WriteProcessMemory (64 IoCs)
  Source PID and process -> target PID (procid_target in parentheses). Each pair is listed twice in the report, giving 64 entries for the 32 pairs below.
  2704 ImageLogger3.5.exe -> 4984 (86)
  2704 ImageLogger3.5.exe -> 4008 (88)
  4008 Client.exe -> 3308 (91)
  4008 Client.exe -> 532 (93)
  532 cmd.exe -> 2032 (95)
  532 cmd.exe -> 764 (96)
  532 cmd.exe -> 4248 (97)
  4248 Client.exe -> 3112 (98)
  4248 Client.exe -> 1984 (100)
  1984 cmd.exe -> 4940 (103)
  1984 cmd.exe -> 4340 (104)
  1984 cmd.exe -> 928 (106)
  928 Client.exe -> 2648 (107)
  928 Client.exe -> 1560 (109)
  1560 cmd.exe -> 4516 (112)
  1560 cmd.exe -> 1716 (113)
  1560 cmd.exe -> 1036 (118)
  1036 Client.exe -> 1360 (119)
  1036 Client.exe -> 3708 (121)
  3708 cmd.exe -> 1368 (124)
  3708 cmd.exe -> 4180 (125)
  3708 cmd.exe -> 1444 (127)
  1444 Client.exe -> 4068 (128)
  1444 Client.exe -> 3340 (131)
  3340 cmd.exe -> 4884 (133)
  3340 cmd.exe -> 868 (134)
  3340 cmd.exe -> 752 (136)
  752 Client.exe -> 2744 (137)
  752 Client.exe -> 3348 (139)
  3348 cmd.exe -> 444 (142)
  3348 cmd.exe -> 2888 (143)
  3348 cmd.exe -> 1068 (145)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry is prefixed with its depth in the process tree; a process is the child of the nearest preceding entry one level shallower.
- [1] C:\Users\Admin\AppData\Local\Temp\ImageLogger3.5.exe (PID 2704)
  command line: "C:\Users\Admin\AppData\Local\Temp\ImageLogger3.5.exe"
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- [2] C:\Windows\SYSTEM32\schtasks.exe (PID 4984)
  command line: "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4008)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
- [3] C:\Windows\SYSTEM32\schtasks.exe (PID 3308)
  command line: "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [3] C:\Windows\system32\cmd.exe (PID 532)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMeXeHD1FG8C.bat" "
  signatures: Suspicious use of WriteProcessMemory
- [4] C:\Windows\system32\chcp.com (PID 2032)
  command line: chcp 65001
- [4] C:\Windows\system32\PING.EXE (PID 764)
  command line: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [4] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4248)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
- [5] C:\Windows\SYSTEM32\schtasks.exe (PID 3112)
  command line: "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [5] C:\Windows\system32\cmd.exe (PID 1984)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BJwgZAVDT5UB.bat" "
  signatures: Suspicious use of WriteProcessMemory
- [6] C:\Windows\system32\chcp.com (PID 4940)
  command line: chcp 65001
- [6] C:\Windows\system32\PING.EXE (PID 4340)
  command line: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [6] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 928)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
- [7] C:\Windows\SYSTEM32\schtasks.exe (PID 2648)
  command line: "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [7] C:\Windows\system32\cmd.exe (PID 1560)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G1gpttesxFtC.bat" "
  signatures: Suspicious use of WriteProcessMemory
- [8] C:\Windows\system32\chcp.com (PID 4516)
  command line: chcp 65001
- [8] C:\Windows\system32\PING.EXE (PID 1716)
  command line: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [8] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1036)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
- [9] C:\Windows\SYSTEM32\schtasks.exe (PID 1360)
  command line: "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [9] C:\Windows\system32\cmd.exe (PID 3708)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wN9JdSfQPnNP.bat" "
  signatures: Suspicious use of WriteProcessMemory
- [10] C:\Windows\system32\chcp.com (PID 1368)
  command line: chcp 65001
- [10] C:\Windows\system32\PING.EXE (PID 4180)
  command line: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [10] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1444)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
- [11] C:\Windows\SYSTEM32\schtasks.exe (PID 4068)
  command line: "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [11] C:\Windows\system32\cmd.exe (PID 3340)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7wANeKTQATlR.bat" "
  signatures: Suspicious use of WriteProcessMemory
- [12] C:\Windows\system32\chcp.com (PID 4884)
  command line: chcp 65001
- [12] C:\Windows\system32\PING.EXE (PID 868)
  command line: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [12] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 752)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
- [13] C:\Windows\SYSTEM32\schtasks.exe (PID 2744)
  command line: "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [13] C:\Windows\system32\cmd.exe (PID 3348)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8gizbFKcuC3K.bat" "
  signatures: Suspicious use of WriteProcessMemory
- [14] C:\Windows\system32\chcp.com (PID 444)
  command line: chcp 65001
- [14] C:\Windows\system32\PING.EXE (PID 2888)
  command line: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [14] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1068)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [15] C:\Windows\SYSTEM32\schtasks.exe (PID 5104)
  command line: "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [15] C:\Windows\system32\cmd.exe (PID 3848)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CthvZUgGd1ym.bat" "
- [16] C:\Windows\system32\chcp.com (PID 1056)
  command line: chcp 65001
- [16] C:\Windows\system32\PING.EXE (PID 4900)
  command line: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [16] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1156)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [17] C:\Windows\SYSTEM32\schtasks.exe (PID 392)
  command line: "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [17] C:\Windows\system32\cmd.exe (PID 2100)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O9CzcwsbbzpJ.bat" "
- [18] C:\Windows\system32\chcp.com (PID 1340)
  command line: chcp 65001
- [18] C:\Windows\system32\PING.EXE (PID 3540)
  command line: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [18] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 232)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [19] C:\Windows\SYSTEM32\schtasks.exe (PID 3328)
  command line: "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [19] C:\Windows\system32\cmd.exe (PID 3100)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9gY5AtFjuGwQ.bat" "
- [20] C:\Windows\system32\chcp.com (PID 3996)
  command line: chcp 65001
- [20] C:\Windows\system32\PING.EXE (PID 2704)
  command line: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [20] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2572)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [21] C:\Windows\SYSTEM32\schtasks.exe (PID 3104)
  command line: "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [21] C:\Windows\system32\cmd.exe (PID 3580)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neE4cTRhAsgq.bat" "
- [22] C:\Windows\system32\chcp.com (PID 4820)
  command line: chcp 65001
- [22] C:\Windows\system32\PING.EXE (PID 5084)
  command line: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [22] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3340)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [23] C:\Windows\SYSTEM32\schtasks.exe (PID 3920)
  command line: "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [23] C:\Windows\system32\cmd.exe (PID 3512)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYbMHc0siWyF.bat" "
- [24] C:\Windows\system32\chcp.com (PID 4688)
  command line: chcp 65001
- [24] C:\Windows\system32\PING.EXE (PID 3064)
  command line: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [24] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2936)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [25] C:\Windows\SYSTEM32\schtasks.exe (PID 1632)
  command line: "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [25] C:\Windows\system32\cmd.exe (PID 4624)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWLXSEUi2YJJ.bat" "
- [26] C:\Windows\system32\chcp.com (PID 4876)
  command line: chcp 65001
- [26] C:\Windows\system32\PING.EXE (PID 1004)
  command line: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [26] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4788)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [27] C:\Windows\SYSTEM32\schtasks.exe (PID 3780)
  command line: "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [27] C:\Windows\system32\cmd.exe (PID 3220)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYzskin3vXmC.bat" "
- [28] C:\Windows\system32\chcp.com (PID 4860)
  command line: chcp 65001
- [28] C:\Windows\system32\PING.EXE (PID 4372)
  command line: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [28] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1712)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [29] C:\Windows\SYSTEM32\schtasks.exe (PID 1848)
  command line: "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [29] C:\Windows\system32\cmd.exe (PID 3088)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w1l1AeknUJ6S.bat" "
- [30] C:\Windows\system32\chcp.com (PID 1964)
  command line: chcp 65001
- [30] C:\Windows\system32\PING.EXE (PID 4532)
  command line: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [30] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4180)
  command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [31] C:\Windows\SYSTEM32\schtasks.exe (PID 1464)
  command line: "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [31] C:\Windows\system32\cmd.exe (PID 3308)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I59tnl9g9aDq.bat" "
- [32] C:\Windows\system32\chcp.com (PID 3564)
  command line: chcp 65001
- [32] C:\Windows\system32\PING.EXE (PID 4252)
  command line: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads