Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 144s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 04/02/2025, 17:30
Static task: static1
Behavioral task: behavioral1 (Sample: Av1 Activator.exe, Resource: win7-20240708-en)
Behavioral task: behavioral2 (Sample: Av1 Activator.exe, Resource: win10v2004-20250129-en)
General
- Target: Av1 Activator.exe
- Size: 14.0MB
- MD5: e580542da8b3b9d23a835600a4cb2e8b
- SHA1: da7129371e6ff95e7e9e7cbca876cb53913280fa
- SHA256: 6907104c0ff29b9644167bb743c7a0056614d832f0dd160415532822254b4f24
- SHA512: 423aa62ff3a8faf8d949a6a6559b48634ae5aab374185e91c8d349e581702fa29aae2c06f54b5dfb716ccf8be120dbe510e6e63eeff21f66a3f57cce1e3881e8
- SSDEEP: 393216:GDNTd9YfXD5DwIpwL95M6lO7IxUc5GB2Q1cv9+inK5:kd9+zJwPL95M6lX5Gk9y
Malware Config
Extracted: quasar
- 1.4.1
- Office04
- rdtgtdrgfd-56277.portmap.host:56277
- ccf570e8-30ac-4f23-9902-868025b6d01c
- encryption_key: AB41F22B350F9B05BD105DBC654AA3C338A22A14
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: 1
- subdirectory: SubDir
Extracted: discordrat
- discord_token: MTI4OTU5MTU3OTc0NDY2NTYwMQ.GsHzQH.djdtGMjJ47j-WJek5CKvrqyGHoO3VoZvH-N1R4
- server_id: 1290067149813055590
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Discordrat family
- Quasar family
- Quasar payload 11 IoCs (resource: yara_rule)
  - behavioral1/files/0x000a00000001225f-3.dat: family_quasar
  - behavioral1/memory/2176-26-0x00000000009D0000-0x0000000000CF4000-memory.dmp: family_quasar
  - behavioral1/memory/1712-93-0x00000000011A0000-0x00000000014C4000-memory.dmp: family_quasar
  - behavioral1/memory/2936-106-0x0000000001350000-0x0000000001674000-memory.dmp: family_quasar
  - behavioral1/memory/2012-173-0x00000000001C0000-0x00000000004E4000-memory.dmp: family_quasar
  - behavioral1/memory/2644-184-0x0000000000D50000-0x0000000001074000-memory.dmp: family_quasar
  - behavioral1/memory/2168-196-0x00000000003E0000-0x0000000000704000-memory.dmp: family_quasar
  - behavioral1/memory/2336-207-0x0000000001120000-0x0000000001444000-memory.dmp: family_quasar
  - behavioral1/memory/748-228-0x0000000001170000-0x0000000001494000-memory.dmp: family_quasar
  - behavioral1/memory/1324-270-0x0000000000130000-0x0000000000454000-memory.dmp: family_quasar
  - behavioral1/memory/2480-281-0x0000000000BE0000-0x0000000000F04000-memory.dmp: family_quasar
- Executes dropped EXE 20 IoCs (pid Process)
  - 2176 asbdasb.exe
  - 1644 j8uiy.exe
  - 2744 Client-built.exe
  - 3008 Exela.exe
  - 1592 Exela.exe
  - 1712 Client.exe
  - 2936 Client.exe
  - 1088 Client.exe
  - 2012 Client.exe
  - 2644 Client.exe
  - 2168 Client.exe
  - 2336 Client.exe
  - 276 Client.exe
  - 748 Client.exe
  - 2584 Client.exe
  - 2732 Client.exe
  - 2716 Client.exe
  - 1324 Client.exe
  - 2480 Client.exe
  - 2320 Client.exe
- Loads dropped DLL 11 IoCs (pid Process)
  - 2368 Av1 Activator.exe
  - 1644 j8uiy.exe (2 entries)
  - 3008 Exela.exe
  - 1592 Exela.exe
  - 2516 WerFault.exe (5 entries)
  - 1188 Process not Found
- Obfuscated Files or Information: Command Obfuscation 1 TTPs
  Adversaries may obfuscate content during command execution to impede detection.
- Drops file in System32 directory 33 IoCs (description ioc, Process)
  - File opened for modification C:\Windows\system32\SubDir\Client.exe, Client.exe
  - File opened for modification C:\Windows\system32\SubDir, Client.exe
  - File opened for modification C:\Windows\system32\SubDir\Client.exe, asbdasb.exe
  - File opened for modification C:\Windows\system32\SubDir, asbdasb.exe
  - File opened for modification C:\Windows\system32\SubDir, Client.exe
  - File opened for modification C:\Windows\system32\SubDir\Client.exe, Client.exe
  - File opened for modification C:\Windows\system32\SubDir\Client.exe, Client.exe
  - File opened for modification C:\Windows\system32\SubDir, Client.exe
  - File opened for modification C:\Windows\system32\SubDir, Client.exe
  - File opened for modification C:\Windows\system32\SubDir\Client.exe, Client.exe
  - File opened for modification C:\Windows\system32\SubDir, Client.exe
  - File created C:\Windows\system32\SubDir\Client.exe, asbdasb.exe
  - File opened for modification C:\Windows\system32\SubDir\Client.exe, Client.exe
  - File opened for modification C:\Windows\system32\SubDir, Client.exe
  - File opened for modification C:\Windows\system32\SubDir\Client.exe, Client.exe
  - File opened for modification C:\Windows\system32\SubDir, Client.exe
  - File opened for modification C:\Windows\system32\SubDir\Client.exe, Client.exe
  - File opened for modification C:\Windows\system32\SubDir, Client.exe
  - File opened for modification C:\Windows\system32\SubDir, Client.exe
  - File opened for modification C:\Windows\system32\SubDir\Client.exe, Client.exe
  - File opened for modification C:\Windows\system32\SubDir, Client.exe
  - File opened for modification C:\Windows\system32\SubDir, Client.exe
  - File opened for modification C:\Windows\system32\SubDir\Client.exe, Client.exe
  - File opened for modification C:\Windows\system32\SubDir, Client.exe
  - File opened for modification C:\Windows\system32\SubDir\Client.exe, Client.exe
  - File opened for modification C:\Windows\system32\SubDir, Client.exe
  - File opened for modification C:\Windows\system32\SubDir\Client.exe, Client.exe
  - File opened for modification C:\Windows\system32\SubDir\Client.exe, Client.exe
  - File opened for modification C:\Windows\system32\SubDir, Client.exe
  - File opened for modification C:\Windows\system32\SubDir\Client.exe, Client.exe
  - File opened for modification C:\Windows\system32\SubDir, Client.exe
  - File opened for modification C:\Windows\system32\SubDir\Client.exe, Client.exe
  - File opened for modification C:\Windows\system32\SubDir\Client.exe, Client.exe
- yara_rule upx 2 IoCs (resource: yara_rule)
  - behavioral1/files/0x000500000001c741-75.dat: upx
  - behavioral1/memory/1592-77-0x000007FEF3660000-0x000007FEF3C48000-memory.dmp: upx
- Drops file in Windows directory 1 IoCs (description ioc, Process)
  - File created C:\Windows\asbdasb.exe, Av1 Activator.exe
- Detects Pyinstaller 1 IoCs (resource: yara_rule)
  - behavioral1/files/0x000600000001937b-25.dat: pyinstaller
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  (description ioc, Process)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Av1 Activator.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, powershell.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, j8uiy.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, powershell.exe
- System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
  Adversaries may check for Internet connectivity on compromised systems.
  PING.EXE pids: 2408, 1184, 1896, 1556, 2788, 532, 1700, 1556, 2812, 1452, 2940, 2664, 2352, 592, 984
- Runs ping.exe 1 TTPs 15 IoCs
  PING.EXE pids: 2408, 1556, 1452, 1556, 592, 2664, 2352, 1184, 1896, 2940, 984, 2788, 532, 2812, 1700
- Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe pids: 448, 1448, 236, 2156, 2520, 800, 1180, 1732, 2792, 1948, 812, 3012, 2896, 3036, 2756, 2820
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  powershell.exe pids: 812, 2024
- Suspicious use of AdjustPrivilegeToken 18 IoCs (Token: SeDebugPrivilege in every entry; pid Process)
  - 2176 asbdasb.exe
  - 812 powershell.exe
  - 2024 powershell.exe
  - Client.exe pids: 1712, 2936, 1088, 2012, 2644, 2168, 2336, 276, 748, 2584, 2732, 2716, 1324, 2480, 2320
- Suspicious use of SetWindowsHookEx 1 IoCs
  - 1712 Client.exe
- Suspicious use of WriteProcessMemory 64 IoCs (description; pid Process; procid_target)
  - PID 2368 wrote to memory of 2024; 2368 Av1 Activator.exe; 30 (4 entries)
  - PID 2368 wrote to memory of 2176; 2368 Av1 Activator.exe; 32 (4 entries)
  - PID 2368 wrote to memory of 1644; 2368 Av1 Activator.exe; 33 (4 entries)
  - PID 1644 wrote to memory of 812; 1644 j8uiy.exe; 34 (4 entries)
  - PID 1644 wrote to memory of 2744; 1644 j8uiy.exe; 36 (4 entries)
  - PID 1644 wrote to memory of 3008; 1644 j8uiy.exe; 37 (4 entries)
  - PID 3008 wrote to memory of 1592; 3008 Exela.exe; 38 (3 entries)
  - PID 2744 wrote to memory of 2516; 2744 Client-built.exe; 39 (3 entries)
  - PID 2176 wrote to memory of 2520; 2176 asbdasb.exe; 40 (3 entries)
  - PID 2176 wrote to memory of 1712; 2176 asbdasb.exe; 42 (3 entries)
  - PID 1712 wrote to memory of 800; 1712 Client.exe; 43 (3 entries)
  - PID 1712 wrote to memory of 532; 1712 Client.exe; 45 (3 entries)
  - PID 532 wrote to memory of 2712; 532 cmd.exe; 47 (3 entries)
  - PID 532 wrote to memory of 1700; 532 cmd.exe; 48 (3 entries)
  - PID 532 wrote to memory of 2936; 532 cmd.exe; 50 (3 entries)
  - PID 2936 wrote to memory of 3036; 2936 Client.exe; 51 (3 entries)
  - PID 2936 wrote to memory of 1960; 2936 Client.exe; 53 (3 entries)
  - PID 1960 wrote to memory of 856; 1960 cmd.exe; 55 (3 entries)
  - PID 1960 wrote to memory of 1556; 1960 cmd.exe; 56 (3 entries)
  - PID 1960 wrote to memory of 1088; 1960 cmd.exe; 57 (1 entry)
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry lists the PID, the depth in the process tree (a child is one level deeper than the nearest preceding entry at the level above), the image path, the command line, and the signatures that fired for that process.

- PID 2368, depth 1: C:\Users\Admin\AppData\Local\Temp\Av1 Activator.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Av1 Activator.exe"
  Signatures: Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- PID 2024, depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAcQBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZgBlACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAagBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAawBnACMAPgA="
  Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- PID 2176, depth 2: C:\Windows\asbdasb.exe
  Command line: "C:\Windows\asbdasb.exe"
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- PID 2520, depth 3: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "1" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- PID 1712, depth 3: C:\Windows\system32\SubDir\Client.exe
  Command line: "C:\Windows\system32\SubDir\Client.exe"
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
- PID 800, depth 4: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "1" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- PID 532, depth 4: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3nX0pREF1SaS.bat" "
  Signatures: Suspicious use of WriteProcessMemory
- PID 2712, depth 5: C:\Windows\system32\chcp.com, command line: chcp 65001
- PID 1700, depth 5: C:\Windows\system32\PING.EXE, command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- PID 2936, depth 5: C:\Windows\system32\SubDir\Client.exe
  Command line: "C:\Windows\system32\SubDir\Client.exe"
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- PID 3036, depth 6: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "1" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- PID 1960, depth 6: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\dc68PvSVFDMT.bat" "
  Signatures: Suspicious use of WriteProcessMemory
- PID 856, depth 7: C:\Windows\system32\chcp.com, command line: chcp 65001
- PID 1556, depth 7: C:\Windows\system32\PING.EXE, command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- PID 1088, depth 7: C:\Windows\system32\SubDir\Client.exe
  Command line: "C:\Windows\system32\SubDir\Client.exe"
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
- PID 1948, depth 8: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "1" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- PID 2360, depth 8: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ioSw68vYb8JN.bat" "
- PID 444, depth 9: C:\Windows\system32\chcp.com, command line: chcp 65001
- PID 2408, depth 9: C:\Windows\system32\PING.EXE, command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- PID 2012, depth 9: C:\Windows\system32\SubDir\Client.exe
  Command line: "C:\Windows\system32\SubDir\Client.exe"
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
- PID 2756, depth 10: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "1" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- PID 2928, depth 10: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\PD4q4Dce0mBm.bat" "
- PID 2588, depth 11: C:\Windows\system32\chcp.com, command line: chcp 65001
- PID 2788, depth 11: C:\Windows\system32\PING.EXE, command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- PID 2644, depth 11: C:\Windows\system32\SubDir\Client.exe
  Command line: "C:\Windows\system32\SubDir\Client.exe"
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
- PID 1180, depth 12: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "1" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- PID 1452, depth 12: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\zFjpZAnc9kk2.bat" "
- PID 2768, depth 13: C:\Windows\system32\chcp.com, command line: chcp 65001
- PID 2352, depth 13: C:\Windows\system32\PING.EXE, command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- PID 2168, depth 13: C:\Windows\system32\SubDir\Client.exe
  Command line: "C:\Windows\system32\SubDir\Client.exe"
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
- PID 812, depth 14: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "1" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- PID 1360, depth 14: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Hf2aQIEU4hs7.bat" "
- PID 1080, depth 15: C:\Windows\system32\chcp.com, command line: chcp 65001
- PID 1184, depth 15: C:\Windows\system32\PING.EXE, command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- PID 2336, depth 15: C:\Windows\system32\SubDir\Client.exe
  Command line: "C:\Windows\system32\SubDir\Client.exe"
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
- PID 2820, depth 16: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "1" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- PID 2032, depth 16: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\dDaHmIeNMqPS.bat" "
- PID 2916, depth 17: C:\Windows\system32\chcp.com, command line: chcp 65001
- PID 532, depth 17: C:\Windows\system32\PING.EXE, command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- PID 276, depth 17: C:\Windows\system32\SubDir\Client.exe
  Command line: "C:\Windows\system32\SubDir\Client.exe"
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
- PID 448, depth 18: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "1" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- PID 1724, depth 18: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RlLDjVlA4SiU.bat" "
- PID 2280, depth 19: C:\Windows\system32\chcp.com, command line: chcp 65001
- PID 1896, depth 19: C:\Windows\system32\PING.EXE, command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- PID 748, depth 19: C:\Windows\system32\SubDir\Client.exe
  Command line: "C:\Windows\system32\SubDir\Client.exe"
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
- PID 236, depth 20: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "1" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- PID 2848, depth 20: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\nBx5WMjC4Uwb.bat" "
- PID 836, depth 21: C:\Windows\system32\chcp.com, command line: chcp 65001
- PID 1556, depth 21: C:\Windows\system32\PING.EXE, command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- PID 2584, depth 21: C:\Windows\system32\SubDir\Client.exe
  Command line: "C:\Windows\system32\SubDir\Client.exe"
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
- PID 3012, depth 22: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "1" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- PID 2828, depth 22: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\dz2DbcU3Mn9n.bat" "
- PID 1680, depth 23: C:\Windows\system32\chcp.com, command line: chcp 65001
- PID 592, depth 23: C:\Windows\system32\PING.EXE, command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- PID 2732, depth 23: C:\Windows\system32\SubDir\Client.exe
  Command line: "C:\Windows\system32\SubDir\Client.exe"
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
- PID 2896, depth 24: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "1" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- PID 2612, depth 24: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\4SBMx5mYPpqN.bat" "
- PID 2928, depth 25: C:\Windows\system32\chcp.com, command line: chcp 65001
- PID 2812, depth 25: C:\Windows\system32\PING.EXE, command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- PID 2716, depth 25: C:\Windows\system32\SubDir\Client.exe
  Command line: "C:\Windows\system32\SubDir\Client.exe"
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
- PID 1732, depth 26: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "1" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- PID 2160, depth 26: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\627wRYWjQson.bat" "
- PID 1900, depth 27: C:\Windows\system32\chcp.com, command line: chcp 65001
- PID 1452, depth 27: C:\Windows\system32\PING.EXE, command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- PID 1324, depth 27: C:\Windows\system32\SubDir\Client.exe
  Command line: "C:\Windows\system32\SubDir\Client.exe"
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
- PID 1448, depth 28: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "1" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- PID 2964, depth 28: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZODNS4lklFJ7.bat" "
- PID 2980, depth 29: C:\Windows\system32\chcp.com, command line: chcp 65001
- PID 2940, depth 29: C:\Windows\system32\PING.EXE, command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- PID 2480, depth 29: C:\Windows\system32\SubDir\Client.exe
  Command line: "C:\Windows\system32\SubDir\Client.exe"
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
- PID 2792, depth 30: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "1" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- PID 2080, depth 30: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\81xZY3jO9YEA.bat" "
- PID 2376, depth 31: C:\Windows\system32\chcp.com, command line: chcp 65001
- PID 2664, depth 31: C:\Windows\system32\PING.EXE, command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- PID 2320, depth 31: C:\Windows\system32\SubDir\Client.exe
  Command line: "C:\Windows\system32\SubDir\Client.exe"
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
- PID 2156, depth 32: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "1" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- PID 2184, depth 32: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\dU0BSaTfkACh.bat" "
- PID 688, depth 33: C:\Windows\system32\chcp.com, command line: chcp 65001
- PID 984, depth 33: C:\Windows\system32\PING.EXE, command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- PID 1644, depth 2: C:\Users\Admin\AppData\Local\Temp\j8uiy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\j8uiy.exe"
  Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- PID 812, depth 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAbQBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAcwBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAawBtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAYQBxACMAPgA="
  Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- PID 2744, depth 3: C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- PID 2516, depth 4: C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -u -p 2744 -s 596
  Signatures: Loads dropped DLL
- PID 3008, depth 3: C:\Users\Admin\AppData\Local\Temp\Exela.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
  Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- PID 1592, depth 4: C:\Users\Admin\AppData\Local\Temp\Exela.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
  Signatures: Executes dropped EXE; Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads