fd0117bc67862b14449b7c3b93d43963a41c0ff1951ac8875a7b6bf25e20b9bc

Analysis

max time kernel
42s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25eb2baae864b0db3f7d62221a7e7951.exe
Size

314KB
MD5

25eb2baae864b0db3f7d62221a7e7951
SHA1

60793fd02dbb30021ecb2bab3913caaac7a236f7
SHA256

fd0117bc67862b14449b7c3b93d43963a41c0ff1951ac8875a7b6bf25e20b9bc
SHA512

bf72c5b798816c47af59989d3e04791762b504ba32364664230ecfc3b2a6d8c48deedfaddf3221fdab50cb4616a4711af96230a531f29d1be85ee77bfa3e97fd
SSDEEP

6144:Ec0h522p3l04ZMSmIp3Uy28uhyjVFgMlEw3M:yhxp3lZnT9bD7gMlEw3M

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	25eb2baae864b0db3f7d62221a7e7951.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\a.bat	25eb2baae864b0db3f7d62221a7e7951.exe
File opened for modification	C:\Program Files (x86)\a.bat	25eb2baae864b0db3f7d62221a7e7951.exe
File created	C:\Program Files (x86)\__tmp_rar_sfx_access_check_240604093	25eb2baae864b0db3f7d62221a7e7951.exe
File created	C:\Program Files (x86)\b.bat	25eb2baae864b0db3f7d62221a7e7951.exe
File opened for modification	C:\Program Files (x86)\b.bat	25eb2baae864b0db3f7d62221a7e7951.exe
File created	C:\Program Files (x86)\Jaba.vbs	25eb2baae864b0db3f7d62221a7e7951.exe
File opened for modification	C:\Program Files (x86)\Jaba.vbs	25eb2baae864b0db3f7d62221a7e7951.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	25eb2baae864b0db3f7d62221a7e7951.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 3544	4656	25eb2baae864b0db3f7d62221a7e7951.exe	90
PID 4656 wrote to memory of 3544	4656	25eb2baae864b0db3f7d62221a7e7951.exe	90
PID 4656 wrote to memory of 3544	4656	25eb2baae864b0db3f7d62221a7e7951.exe	90
PID 3544 wrote to memory of 1352	3544	WScript.exe	104
PID 3544 wrote to memory of 1352	3544	WScript.exe	104
PID 3544 wrote to memory of 1352	3544	WScript.exe	104
PID 1352 wrote to memory of 3204	1352	cmd.exe	522
PID 1352 wrote to memory of 3204	1352	cmd.exe	522
PID 1352 wrote to memory of 3204	1352	cmd.exe	522
PID 1352 wrote to memory of 2168	1352	cmd.exe	521
PID 1352 wrote to memory of 2168	1352	cmd.exe	521
PID 1352 wrote to memory of 2168	1352	cmd.exe	521
PID 1352 wrote to memory of 1968	1352	cmd.exe	519
PID 1352 wrote to memory of 1968	1352	cmd.exe	519
PID 1352 wrote to memory of 1968	1352	cmd.exe	519
PID 1352 wrote to memory of 1596	1352	cmd.exe	517
PID 1352 wrote to memory of 1596	1352	cmd.exe	517
PID 1352 wrote to memory of 1596	1352	cmd.exe	517
PID 1352 wrote to memory of 2764	1352	cmd.exe	107
PID 1352 wrote to memory of 2764	1352	cmd.exe	107
PID 1352 wrote to memory of 2764	1352	cmd.exe	107
PID 1352 wrote to memory of 468	1352	cmd.exe	108
PID 1352 wrote to memory of 468	1352	cmd.exe	108
PID 1352 wrote to memory of 468	1352	cmd.exe	108
PID 1352 wrote to memory of 1960	1352	cmd.exe	515
PID 1352 wrote to memory of 1960	1352	cmd.exe	515
PID 1352 wrote to memory of 1960	1352	cmd.exe	515
PID 1352 wrote to memory of 3516	1352	cmd.exe	110
PID 1352 wrote to memory of 3516	1352	cmd.exe	110
PID 1352 wrote to memory of 3516	1352	cmd.exe	110
PID 1352 wrote to memory of 3312	1352	cmd.exe	514
PID 1352 wrote to memory of 3312	1352	cmd.exe	514
PID 1352 wrote to memory of 3312	1352	cmd.exe	514
PID 1352 wrote to memory of 3280	1352	cmd.exe	116
PID 1352 wrote to memory of 3280	1352	cmd.exe	116
PID 1352 wrote to memory of 3280	1352	cmd.exe	116
PID 1352 wrote to memory of 4880	1352	cmd.exe	113
PID 1352 wrote to memory of 4880	1352	cmd.exe	113
PID 1352 wrote to memory of 4880	1352	cmd.exe	113
PID 1352 wrote to memory of 2508	1352	cmd.exe	512
PID 1352 wrote to memory of 2508	1352	cmd.exe	512
PID 1352 wrote to memory of 2508	1352	cmd.exe	512
PID 1352 wrote to memory of 3796	1352	cmd.exe	510
PID 1352 wrote to memory of 3796	1352	cmd.exe	510
PID 1352 wrote to memory of 3796	1352	cmd.exe	510
PID 1352 wrote to memory of 3740	1352	cmd.exe	509
PID 1352 wrote to memory of 3740	1352	cmd.exe	509
PID 1352 wrote to memory of 3740	1352	cmd.exe	509
PID 1352 wrote to memory of 2212	1352	cmd.exe	508
PID 1352 wrote to memory of 2212	1352	cmd.exe	508
PID 1352 wrote to memory of 2212	1352	cmd.exe	508
PID 1352 wrote to memory of 2060	1352	cmd.exe	117
PID 1352 wrote to memory of 2060	1352	cmd.exe	117
PID 1352 wrote to memory of 2060	1352	cmd.exe	117
PID 1352 wrote to memory of 2376	1352	cmd.exe	135
PID 1352 wrote to memory of 2376	1352	cmd.exe	135
PID 1352 wrote to memory of 2376	1352	cmd.exe	135
PID 1352 wrote to memory of 208	1352	cmd.exe	134
PID 1352 wrote to memory of 208	1352	cmd.exe	134
PID 1352 wrote to memory of 208	1352	cmd.exe	134
PID 1352 wrote to memory of 2524	1352	cmd.exe	118
PID 1352 wrote to memory of 2524	1352	cmd.exe	118
PID 1352 wrote to memory of 2524	1352	cmd.exe	118
PID 1352 wrote to memory of 2952	1352	cmd.exe	133

C:\Users\Admin\AppData\Local\Temp\25eb2baae864b0db3f7d62221a7e7951.exe
"C:\Users\Admin\AppData\Local\Temp\25eb2baae864b0db3f7d62221a7e7951.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Jaba.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\b.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:3516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:4880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:3280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:1120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:4928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:2376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6240
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:1788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:9596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:9836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:9888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:9940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:12044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:10000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:9984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:2172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:1412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:3168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:8136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:7272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:6772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:5356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:2212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:3740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:3796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:2508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:3312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:1596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:2168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K a.bat
      4⤵
      PID:3204

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:11152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Jaba.vbs

Filesize
306B

MD5
a410c865bdc6d85de9802a3c481017d6

SHA1
96aa28bbf864a631fb599e8d4c3e9a7f35cfa6ec

SHA256
8531190471d92467360a8c61e38c2361cac694bf75389780aaf05a30892a4c1f

SHA512
7fd35d8ff237dcde8009e8e99185bbcd6e193611ffe82ca0425e3bc6b6631808dc9de9c5896aa51f7e2adb471cb77ad77e539dce680d1d2134dbbbca74765ea9

Download Submit
C:\Program Files (x86)\b.bat

Filesize
36B

MD5
b3ebe1826ce9d92b7a26d29fd22cd176

SHA1
859c5cdc5e7092246afc49cc96f32003c0f4a499

SHA256
bc0c7c119e1fea0b1f73250f4b7b065911ebed47b0808752854482506f085c7d

SHA512
22ad95de252895adda7eeaecbc237cea406c808c4bafbebb75d0365d29a3e47144152e06bc346f02e8ed6b12bfa54241dfc4606d957ae7cee23866ca1394d09b

Download Submit