Analysis
- max time kernel: 140s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 01:01
Behavioral task: behavioral1
- Sample: 04fd43a2fbf40610f559b11414d1a71e.exe
- Resource: win7-20240419-en
General
- Target: 04fd43a2fbf40610f559b11414d1a71e.exe
- Size: 3.1MB
- MD5: 04fd43a2fbf40610f559b11414d1a71e
- SHA1: dc7608bd69368ac5a62a9d8e287cc89c31fa750f
- SHA256: 8f2f7929d4d3d04be498567f02d567521ce4c5e7a1d400c4f64f4c2bd78ddcb9
- SHA512: dff106b855eb7ee3c9278d9d60ef4b303c670fc976781f9b6318615e60fb513e95aa09e258c36d140d93968951299b963bca3957e7037a0f0ea95e945f631e55
- SSDEEP: 49152:mvDI22SsaNYfdPBldt698dBcjHrQV37ar77oGd+VXTHHB72eh2NT:mv822SsaNYfdPBldt6+dBcjHK3w
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet (tag): Office04
- C2: pringelsy-41920.portmap.host:41920
- Mutex: 63621aac-ae17-49da-9413-459827e68061
- encryption_key: 4F2985A1DF21C9CA0E34D9186E1BC62AF4B58C14
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Opera GX
- subdirectory: SubDir
Signatures
-
Quasar payload (2 IoCs)
resource | yara_rule
behavioral2/memory/4076-1-0x00000000001E0000-0x0000000000504000-memory.dmp | family_quasar
C:\Windows\System32\SubDir\Client.exe | family_quasar
-
Checks computer location settings (2 TTPs, 9 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | Client.exe
(the same entry is recorded 9 times, once per Client.exe process)
-
Executes dropped EXE (10 IoCs)
pid | process
1028 | Client.exe
536 | Client.exe
1108 | Client.exe
2004 | Client.exe
3320 | Client.exe
452 | Client.exe
4084 | Client.exe
5104 | Client.exe
3048 | Client.exe
3832 | Client.exe
-
Drops file in System32 directory (21 IoCs)
description | ioc | process
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
File created | C:\Windows\system32\SubDir\Client.exe | 04fd43a2fbf40610f559b11414d1a71e.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | 04fd43a2fbf40610f559b11414d1a71e.exe
File opened for modification | C:\Windows\system32\SubDir | 04fd43a2fbf40610f559b11414d1a71e.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe (1 TTP, 11 IoCs)
pid | process
3092 | PING.EXE
2516 | PING.EXE
940 | PING.EXE
3912 | PING.EXE
208 | PING.EXE
1744 | PING.EXE
4460 | PING.EXE
1576 | PING.EXE
1180 | PING.EXE
3092 | PING.EXE
3504 | PING.EXE
-
Scheduled Task/Job: Scheduled Task (1 TTP, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
376 | schtasks.exe
2992 | schtasks.exe
1112 | schtasks.exe
4184 | schtasks.exe
732 | schtasks.exe
3192 | schtasks.exe
5084 | schtasks.exe
3996 | schtasks.exe
3912 | schtasks.exe
3544 | schtasks.exe
1900 | schtasks.exe
5016 | schtasks.exe
-
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | process
Token: SeDebugPrivilege | 4076 | 04fd43a2fbf40610f559b11414d1a71e.exe
Token: SeDebugPrivilege | 1028 | Client.exe
Token: SeDebugPrivilege | 536 | Client.exe
Token: SeDebugPrivilege | 1108 | Client.exe
Token: SeDebugPrivilege | 2004 | Client.exe
Token: SeDebugPrivilege | 3320 | Client.exe
Token: SeDebugPrivilege | 452 | Client.exe
Token: SeDebugPrivilege | 4084 | Client.exe
Token: SeDebugPrivilege | 5104 | Client.exe
Token: SeDebugPrivilege | 3048 | Client.exe
Token: SeDebugPrivilege | 3832 | Client.exe
-
Suspicious use of FindShellTrayWindow (9 IoCs)
pid | process
1028 | Client.exe
536 | Client.exe
1108 | Client.exe
2004 | Client.exe
3320 | Client.exe
452 | Client.exe
4084 | Client.exe
5104 | Client.exe
3048 | Client.exe
-
Suspicious use of SendNotifyMessage (9 IoCs)
pid | process
1028 | Client.exe
536 | Client.exe
1108 | Client.exe
2004 | Client.exe
3320 | Client.exe
452 | Client.exe
4084 | Client.exe
5104 | Client.exe
3048 | Client.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
pid | process
1028 | Client.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
Each of the 32 parent-to-child events below is recorded twice in the report (64 IoCs in total).
source pid | source process | target pid | target process
4076 | 04fd43a2fbf40610f559b11414d1a71e.exe | 3996 | schtasks.exe
4076 | 04fd43a2fbf40610f559b11414d1a71e.exe | 1028 | Client.exe
1028 | Client.exe | 3912 | schtasks.exe
1028 | Client.exe | 4144 | cmd.exe
4144 | cmd.exe | 2908 | chcp.com
4144 | cmd.exe | 2516 | PING.EXE
4144 | cmd.exe | 536 | Client.exe
536 | Client.exe | 376 | schtasks.exe
536 | Client.exe | 2768 | cmd.exe
2768 | cmd.exe | 4440 | chcp.com
2768 | cmd.exe | 940 | PING.EXE
2768 | cmd.exe | 1108 | Client.exe
1108 | Client.exe | 3544 | schtasks.exe
1108 | Client.exe | 1128 | cmd.exe
1128 | cmd.exe | 1192 | chcp.com
1128 | cmd.exe | 1180 | PING.EXE
1128 | cmd.exe | 2004 | Client.exe
2004 | Client.exe | 1900 | schtasks.exe
2004 | Client.exe | 5044 | cmd.exe
5044 | cmd.exe | 3828 | chcp.com
5044 | cmd.exe | 3092 | PING.EXE
5044 | cmd.exe | 3320 | Client.exe
3320 | Client.exe | 2992 | schtasks.exe
3320 | Client.exe | 1420 | cmd.exe
1420 | cmd.exe | 4376 | chcp.com
1420 | cmd.exe | 3504 | PING.EXE
1420 | cmd.exe | 452 | Client.exe
452 | Client.exe | 5016 | schtasks.exe
452 | Client.exe | 4356 | cmd.exe
4356 | cmd.exe | 3372 | chcp.com
4356 | cmd.exe | 208 | PING.EXE
4356 | cmd.exe | 4084 | Client.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the process's depth in the tree, its image path, its command line and the signatures it triggered.
-
depth 1: C:\Users\Admin\AppData\Local\Temp\04fd43a2fbf40610f559b11414d1a71e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\04fd43a2fbf40610f559b11414d1a71e.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
depth 2: C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
depth 2: C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
depth 3: C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
depth 3: C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pzKKEkHCzrBM.bat" "
  - Suspicious use of WriteProcessMemory
-
depth 4: C:\Windows\system32\chcp.com
  command line: chcp 65001
-
depth 4: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
depth 4: C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
-
depth 5: C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
depth 5: C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMQm14DM7Mxd.bat" "
  - Suspicious use of WriteProcessMemory
-
depth 6: C:\Windows\system32\chcp.com
  command line: chcp 65001
-
depth 6: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
depth 6: C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
-
depth 7: C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
depth 7: C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Mg5GdbLDA3rG.bat" "
  - Suspicious use of WriteProcessMemory
-
depth 8: C:\Windows\system32\chcp.com
  command line: chcp 65001
-
depth 8: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
depth 8: C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
-
depth 9: C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
depth 9: C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7uGElpLiKIIq.bat" "
  - Suspicious use of WriteProcessMemory
-
depth 10: C:\Windows\system32\chcp.com
  command line: chcp 65001
-
depth 10: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
depth 10: C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
-
depth 11: C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
depth 11: C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMva5WEMDqQQ.bat" "
  - Suspicious use of WriteProcessMemory
-
depth 12: C:\Windows\system32\chcp.com
  command line: chcp 65001
-
depth 12: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
depth 12: C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
-
depth 13: C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
depth 13: C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcPKJchbrnUi.bat" "
  - Suspicious use of WriteProcessMemory
-
depth 14: C:\Windows\system32\chcp.com
  command line: chcp 65001
-
depth 14: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
depth 14: C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
-
depth 15: C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
depth 15: C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IrtnYruOf9bg.bat" "
-
depth 16: C:\Windows\system32\chcp.com
  command line: chcp 65001
-
depth 16: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
depth 16: C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
-
depth 17: C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
depth 17: C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCUXSqRWZgRt.bat" "
-
depth 18: C:\Windows\system32\chcp.com
  command line: chcp 65001
-
depth 18: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
depth 18: C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
-
depth 19: C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
depth 19: C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7dObnY4ATtpX.bat" "
-
depth 20: C:\Windows\system32\chcp.com
  command line: chcp 65001
-
depth 20: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
depth 20: C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
-
depth 21: C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
depth 21: C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwvS1wCl1CCy.bat" "
-
depth 22: C:\Windows\system32\chcp.com
  command line: chcp 65001
-
depth 22: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
depth 22: C:\Windows\system32\SubDir\Client.exe
  command line: "C:\Windows\system32\SubDir\Client.exe"
-
depth 23: C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
-
depth 23: C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dimkvIw4cUhZ.bat" "
-
depth 24: C:\Windows\system32\chcp.com
  command line: chcp 65001
-
depth 24: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
depth 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
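The tree above repeats one loop: each Client.exe registers the "Opera GX" ONLOGON task at HIGHEST run level, writes a .bat to %TEMP%, and that batch file switches the code page, sleeps with ping -n 10 localhost and relaunches Client.exe from System32\SubDir. The Python below is an added example, not code from the sandbox report or from Quasar; it encodes that loop as two detection rules over process-creation records and correlates them into one chain finding. The ProcEvent fields, the rule names and the sample records are assumptions made for this example; the records are constructed to mirror the report's tree (pids and command lines follow it, while the explorer.exe parent and the two benign rows are invented for contrast).

```python
"""Detection logic for the schtasks persistence and bat-file self-restart chain
in the process tree above.  Added example, not code from the sandbox report or
from Quasar.  ProcEvent's fields, the rule names and the sample records are
assumptions; the records are constructed to mirror the report's tree."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # raw command line as logged

def tokenize(cmdline: str) -> list:
    """Split on whitespace, honouring double quotes (no backslash escapes)."""
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            tokens.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    tokens.append("".join(cur))
    return [t.strip() for t in tokens if t.strip()]

def parse_schtasks(cmdline: str) -> dict:
    """Map switches to values ('/tn' -> 'Opera GX'); bare switches map to True."""
    toks, opts, i = tokenize(cmdline), {}, 0
    while i < len(toks):
        key = toks[i].lower()
        if key.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[key], i = toks[i + 1], i + 2
        else:
            opts[key], i = True, i + 1
    return opts

# an .exe exactly one directory below System32, e.g. System32\SubDir\Client.exe
SYSTEM32_SUBDIR_EXE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\\[^\\]+\.exe$")

def check_schtasks(ev: ProcEvent):
    """Rule 1: ONLOGON task at HIGHEST run level with its action in a System32 subdir."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    o = parse_schtasks(ev.cmdline)
    target = str(o.get("/tr", ""))
    if ("/create" in o and str(o.get("/sc", "")).upper() == "ONLOGON"
            and str(o.get("/rl", "")).upper() == "HIGHEST"
            and SYSTEM32_SUBDIR_EXE.match(target.lower())):
        return ("schtasks_onlogon_highest_system32_subdir", ev.pid, target)

def check_restart_bat(ev: ProcEvent, by_pid: dict, children: dict):
    """Rule 2: cmd.exe runs a %TEMP% .bat, a child pings localhost as a sleep,
    and another child is the same image as cmd.exe's own parent (relaunch)."""
    if not ev.image.lower().endswith("\\cmd.exe"):
        return None
    toks = [t.lower() for t in tokenize(ev.cmdline)]
    if not any(t.endswith(".bat") and "\\appdata\\local\\temp\\" in t for t in toks):
        return None
    parent, kids = by_pid.get(ev.ppid), children.get(ev.pid, [])
    ping_sleep = any(k.image.lower().endswith("\\ping.exe") and "localhost" in k.cmdline.lower() for k in kids)
    relaunch = [k for k in kids if parent and k.image.lower() == parent.image.lower()]
    if ping_sleep and relaunch:
        return ("bat_self_restart_chain", ev.pid, relaunch[0].image)

def detect(events: list) -> list:
    """Run both rules; when the relaunched binary is also the task action, add a chain finding."""
    by_pid = {e.pid: e for e in events}
    children: dict = {}
    for e in events: children.setdefault(e.ppid, []).append(e)
    findings = [h for e in events
                for h in (check_schtasks(e), check_restart_bat(e, by_pid, children)) if h]
    task_targets = {d.lower() for r, _, d in findings if r.startswith("schtasks_")}
    for r, pid, image in list(findings):
        if r == "bat_self_restart_chain" and image.lower() in task_targets:
            findings.append(("quasar_like_persistence_chain", pid, image))
    return findings

# Constructed records: pids/command lines follow the report; explorer.exe and pids 700-801 are invented.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\04fd43a2fbf40610f559b11414d1a71e.exe"
CLIENT = r"C:\Windows\system32\SubDir\Client.exe"
TASK = r'"schtasks" /create /tn "Opera GX" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f'
SCHTASKS, CMD, PING = r"C:\Windows\SYSTEM32\schtasks.exe", r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\PING.EXE"
SAMPLE_EVENTS = [
    ProcEvent(650, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4076, 650, DROPPER, f'"{DROPPER}"'),
    ProcEvent(3996, 4076, SCHTASKS, TASK),
    ProcEvent(1028, 4076, CLIENT, f'"{CLIENT}"'),
    ProcEvent(4144, 1028, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pzKKEkHCzrBM.bat" "'),
    ProcEvent(2516, 4144, PING, "ping -n 10 localhost"),
    ProcEvent(536, 4144, CLIENT, f'"{CLIENT}"'),
    ProcEvent(700, 650, SCHTASKS, r'"schtasks" /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe"'),
    ProcEvent(800, 650, CMD, r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\wait.bat"'),
    ProcEvent(801, 800, PING, "ping -n 3 localhost"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:42} pid={pid:<5} {detail}")
```

Running the file prints one line per finding. The two benign rows (a DAILY task whose action sits under Program Files, and a batch file that only pings) are there to show that neither rule fires on an ordinary scheduled task or an ordinary wait loop. Rule 2 keys on the relaunch of cmd.exe's own parent image rather than on ping or chcp alone, since both are common in legitimate scripts; rule 1 keys on the combination of ONLOGON, HIGHEST and a non-standard System32 subdirectory, which is what makes the "Opera GX" task stand out rather than its name.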
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
Filesize: 2KB
MD5: 8f0271a63446aef01cf2bfc7b7c7976b
SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
-
C:\Users\Admin\AppData\Local\Temp\7dObnY4ATtpX.bat
Filesize: 196B
MD5: 26133ea99d742e310b61b49ed535d6fd
SHA1: bcb6e86c0190c7abe857aeb01f59428c722b9a48
SHA256: 4fe12ca7d811596c355d473af4d4438cab25e22693849ff61dc18a7a866c686e
SHA512: fd40b962196d3c4238241e77f12208f23feea0e1523780a8007b821310cce3835e7268c79c1744314eb5cfb4af18fd1eb8488e1765ef6d761e2d594bfd5afdb8
-
C:\Users\Admin\AppData\Local\Temp\7uGElpLiKIIq.bat
Filesize: 196B
MD5: dd8bbd178613c8871bc9e4a5afbbc176
SHA1: be346de49ce0c1a61b05d61938d956e28eeb44cb
SHA256: 0b16653b4d4fa95ce5d341500a6947d51864dff54d1c617549260b1dab174709
SHA512: f06c7514b470f3308098489d56fd170d1a606ffae6f560e1bf9f99b665555496a140c8d0a1717a1ac50665c4fdfbb19eb2f400b7988306491e9332dd030de1c0
-
C:\Users\Admin\AppData\Local\Temp\IrtnYruOf9bg.bat
Filesize: 196B
MD5: 4b990eec2bc3bdcfcbc21f557d697b72
SHA1: 2db20317aba43ece5991a98e9618e30541a389e5
SHA256: f6041211e4eacb029ec6a46a37070f953d431c54afba02cb37a960f4bcb6a529
SHA512: a66d85862a9faeaa26f4e7dd9767a0049f1d9fc5f5eed63cb0977b9fbf569f3a1d1be0fc82c01d29b57a08aa8b06d06ab98deab1ce63edb9d564acefa4a9bcb6
-
C:\Users\Admin\AppData\Local\Temp\LCUXSqRWZgRt.bat
Filesize: 196B
MD5: 76d99df0c594a180fc2791989349e801
SHA1: 55b5ab9cd17e68e46320ca2aaedf2cd9aa7c8806
SHA256: 9594ce1560bcd923fe1662b75e82bc04160ce617bb3ff62d5ca7a52b94e0780e
SHA512: b83647a739af4da3164d0ab403e2f7fa4911b71c6c945a4e34a1786084757682f651a6885b37c8a3f7d21d7c8431584829b8b2da34e0691ec6befa720cc0cfe4
-
C:\Users\Admin\AppData\Local\Temp\Mg5GdbLDA3rG.bat
Filesize: 196B
MD5: f1f63a7b5413f223d08f469406fbf664
SHA1: 9c88d8c07a678cc8149199e5524d97bd35b0ace3
SHA256: 70f2e9de4da439edec540a5978d0904847aba199589e4e8e9d4776e6ea8c713f
SHA512: 5d9e3e9fb14c95492fb3c917cefc1c9f538db49af01d08c91a33097871014ce12284491d8cd9aef0598a67e70898d6fba247e1706f36e67da12dca5bda41287d
-
C:\Users\Admin\AppData\Local\Temp\PcPKJchbrnUi.bat
Filesize: 196B
MD5: 7b652b64057b2b28c59ec3ee0f3c2cce
SHA1: 0649f95728aaa372e296698f771d122d33c26279
SHA256: dbceb18585be4f081c61ed7415789b8350c2e07d796326ca52d72548689b3548
SHA512: 13c435c3812ee3893c6a92dc841520a3c97808fb386b8f97ae0e35e672783e9094cb8b55cc8430709618debadaf14ca2aba8b998b4b16c2a8c321e3d862aa773
-
C:\Users\Admin\AppData\Local\Temp\WMva5WEMDqQQ.bat
Filesize: 196B
MD5: 7e0a0afa168aac254e07fce06e701149
SHA1: f10877d389caed7c001aacada028ddc863a0b47d
SHA256: 68f4b941419260f9d62c09695503639428e504d47b353d1664f8c35937130716
SHA512: 8cda928a92a04751f221f258b4c0d649bcd46b3ac94f746876d92b98b2d5e82f4323ca0b68912f4e0bc532ccb30624fe8d1b78f3ef7d439b759baaf3ad22382f
-
C:\Users\Admin\AppData\Local\Temp\dimkvIw4cUhZ.bat
Filesize: 196B
MD5: 38a08cf79473e5a4269478a4cee3e277
SHA1: 94e526d8da0f91677f62c4d39376da9956d4269b
SHA256: 60d381e47a14bb4e4bd378b0161b81bedf2b691501f9903fb29ad21c09b12528
SHA512: 26b4280f97adfc148f1f28256caa23956a6676bd97cb4f0c13fde7d1edd8d7dfcf3d15bfd29e1f6072b3903edd04856ce8c0a7ac8f1c1cdb6b495f93a5735db6
-
C:\Users\Admin\AppData\Local\Temp\pzKKEkHCzrBM.bat
Filesize: 196B
MD5: 801836111b4f90ba4e76c1dfb8deee8b
SHA1: 1ed1ac20606e4ccb9a60fc492e1de0065637555f
SHA256: b1c18cdc9c9ee1e9aec9be68a2a650587682a567e913fb366e6ac120e9f2a44b
SHA512: 7ec843a054a4583eff2d148d727a82a360dd9a76c9d4fa56ad81c38244b245ff53de96921bc4f7bc07b9167d47c98ce09c552a4dec991405b3b0f6a15312e346
-
C:\Users\Admin\AppData\Local\Temp\tMQm14DM7Mxd.bat
Filesize: 196B
MD5: e065d01c9d66147213c478f87be5d6e2
SHA1: 6eabf2910a411c4ed688d5b4734a41017a925b19
SHA256: dcdb6d9b0d22c284bb84d54598986fec29a31bbe0277ec6e2e76db0b2e1892c1
SHA512: f7e30a2a3e553f146c8742890fb8d02f5c0faebda878fc1f4569ab842489f6fa9e79ee42bcdf3df45f23373a2a85b97579fa42247defc30f53cf6a969cd751b1
-
C:\Users\Admin\AppData\Local\Temp\vwvS1wCl1CCy.bat
Filesize: 196B
MD5: ed4555fd8fe4f75cdb5dd42cb80f09e7
SHA1: c6ac9fea538e5f0f7cf5c58b01fb099246dbef77
SHA256: 585e927ed5d283ef16d8d338b64ddfabd12b034e21246cb23d0523ced403eac4
SHA512: 7db33cad08e208fc7c037429ec22c681357853ff156810a998593b46c716a63aac072b6e4d0b8c4f59392c6c2c506aae09bebd358f8ef6e930daf1e07e98fd77
-
C:\Windows\System32\SubDir\Client.exe
Filesize: 3.1MB
MD5: 04fd43a2fbf40610f559b11414d1a71e
SHA1: dc7608bd69368ac5a62a9d8e287cc89c31fa750f
SHA256: 8f2f7929d4d3d04be498567f02d567521ce4c5e7a1d400c4f64f4c2bd78ddcb9
SHA512: dff106b855eb7ee3c9278d9d60ef4b303c670fc976781f9b6318615e60fb513e95aa09e258c36d140d93968951299b963bca3957e7037a0f0ea95e945f631e55
-
C:\Windows\System32\SubDir\Client.exe
Filesize: 2.3MB
MD5: ecfd3916a0c7b222102d704f4791cf5d
SHA1: caafefc6cae77efc44b096d4906ff8a53d8e1d10
SHA256: 074d1f1280ab5dc978dcd908b6cbe865bdb7712ce789b419e73236168f7d8948
SHA512: 285b1e6564cc7bbb2b1e7ebca10306f1c3bd628699b2e0ab1685c521381d1c89a404b2a10463bc6426a83f6a8b29cf70c711c73ced5caa26a50a701e0db78e0b
-
C:\Windows\System32\SubDir\Client.exe
Filesize: 661KB
MD5: d54703cbc8a0573dfbebc57f1ea821c0
SHA1: 3028178f7d0ce2911de59a0c29867286a8be3e95
SHA256: ba84cf0d5b9de5c74e2b3414c4b642691fbd489c66c3960f004a51a86027a408
SHA512: fba1a5bed8146832f6f66d3cc9cbe9bfa6046be4bd4b16b9858215c4a707824802e2c2d40b75c17d73fd023fc7a329caf0ce09031814f0df076883971574f56e
-
memory/1028-12-0x000000001CB60000-0x000000001CBB0000-memory.dmp
Filesize: 320KB
-
memory/1028-10-0x00007FFCA3100000-0x00007FFCA3BC1000-memory.dmp
Filesize: 10.8MB
-
memory/1028-11-0x00007FFCA3100000-0x00007FFCA3BC1000-memory.dmp
Filesize: 10.8MB
-
memory/1028-19-0x00007FFCA3100000-0x00007FFCA3BC1000-memory.dmp
Filesize: 10.8MB
-
memory/1028-13-0x000000001CC70000-0x000000001CD22000-memory.dmp
Filesize: 712KB
-
memory/4076-9-0x00007FFCA3100000-0x00007FFCA3BC1000-memory.dmp
Filesize: 10.8MB
-
memory/4076-2-0x00007FFCA3100000-0x00007FFCA3BC1000-memory.dmp
Filesize: 10.8MB
-
memory/4076-0-0x00007FFCA3103000-0x00007FFCA3105000-memory.dmp
Filesize: 8KB
-
memory/4076-1-0x00000000001E0000-0x0000000000504000-memory.dmp
Filesize: 3.1MB