quasar | 185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e.exe
Size

358KB
MD5

19f081815e6c363fc05fb4e4be28325f
SHA1

0ae19dc0f3874f9a80f6bb7c25a2e5b112f452f3
SHA256

185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e
SHA512

1c27a6c2ba52b0973b6aaea7bc66886400ac2bbd1d29f3512e31419efa8991b31f07d30cdb840b7829a9c2dccc944166889f44c16300fd3a65207fb979c415ac
SSDEEP

6144:mbZJrgLF70dPbTIMEnTzTzTF579QlbMUjflrsXc4f4Lnadp0y:O47O/IF79EjfCXcy4jk0y

Score

10^/10

quasar h-a-c-k-e-d discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

H-A-C-K-E-D

Niverzz-52901.portmap.host:52901

Mutex

QSR_MUTEX_zZK420JELHXuVWHG1x

Attributes

encryption_key
1C3jvNao2B1gXCjfEPbY
install_name
RuntimeBorker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
SubDir

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e.exe
	2	ip-api.com	Process not Found
	11	ip-api.com	Process not Found
	18	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 17 IoCs

resource	yara_rule
behavioral1/memory/1324-1-0x0000000000CD0000-0x0000000000D30000-memory.dmp	family_quasar
behavioral1/files/0x000700000001920f-4.dat	family_quasar
behavioral1/memory/2220-9-0x0000000000D00000-0x0000000000D60000-memory.dmp	family_quasar
behavioral1/memory/2304-24-0x00000000012E0000-0x0000000001340000-memory.dmp	family_quasar
behavioral1/memory/2932-35-0x00000000012E0000-0x0000000001340000-memory.dmp	family_quasar
behavioral1/memory/2552-46-0x00000000000A0000-0x0000000000100000-memory.dmp	family_quasar
behavioral1/memory/1784-57-0x0000000000DF0000-0x0000000000E50000-memory.dmp	family_quasar
behavioral1/memory/1944-68-0x0000000000E20000-0x0000000000E80000-memory.dmp	family_quasar
behavioral1/memory/2848-79-0x0000000000220000-0x0000000000280000-memory.dmp	family_quasar
behavioral1/memory/300-90-0x0000000001300000-0x0000000001360000-memory.dmp	family_quasar
behavioral1/memory/832-101-0x0000000001300000-0x0000000001360000-memory.dmp	family_quasar
behavioral1/memory/2140-112-0x0000000000090000-0x00000000000F0000-memory.dmp	family_quasar
behavioral1/memory/1992-123-0x0000000000B50000-0x0000000000BB0000-memory.dmp	family_quasar
behavioral1/memory/1588-134-0x0000000000B50000-0x0000000000BB0000-memory.dmp	family_quasar
behavioral1/memory/2840-145-0x0000000000B70000-0x0000000000BD0000-memory.dmp	family_quasar
behavioral1/memory/576-156-0x0000000001270000-0x00000000012D0000-memory.dmp	family_quasar
behavioral1/memory/1692-167-0x00000000000E0000-0x0000000000140000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2220	RuntimeBorker.exe
2304	RuntimeBorker.exe
2932	RuntimeBorker.exe
2552	RuntimeBorker.exe
1784	RuntimeBorker.exe
1944	RuntimeBorker.exe
2848	RuntimeBorker.exe
300	RuntimeBorker.exe
832	RuntimeBorker.exe
2140	RuntimeBorker.exe
1992	RuntimeBorker.exe
1588	RuntimeBorker.exe
2840	RuntimeBorker.exe
576	RuntimeBorker.exe
1692	RuntimeBorker.exe

Loads dropped DLL 1 IoCs

pid	Process
1324	185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
11	ip-api.com
18	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1736	PING.EXE
2012	PING.EXE
344	PING.EXE
2912	PING.EXE
1748	PING.EXE
1044	PING.EXE
1940	PING.EXE
2652	PING.EXE
2380	PING.EXE
2184	PING.EXE
1704	PING.EXE
2016	PING.EXE
2360	PING.EXE
2248	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
2184	PING.EXE
1748	PING.EXE
2016	PING.EXE
2012	PING.EXE
2912	PING.EXE
344	PING.EXE
2652	PING.EXE
1044	PING.EXE
2248	PING.EXE
1704	PING.EXE
2360	PING.EXE
1940	PING.EXE
2380	PING.EXE
1736	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2636	schtasks.exe
1464	schtasks.exe
812	schtasks.exe
2436	schtasks.exe
1744	schtasks.exe
1340	schtasks.exe
2868	schtasks.exe
2020	schtasks.exe
1604	schtasks.exe
1812	schtasks.exe
2764	schtasks.exe
1064	schtasks.exe
1576	schtasks.exe
2020	schtasks.exe
2252	schtasks.exe
2196	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e.exe
Token: SeDebugPrivilege	2220	RuntimeBorker.exe
Token: SeDebugPrivilege	2304	RuntimeBorker.exe
Token: SeDebugPrivilege	2932	RuntimeBorker.exe
Token: SeDebugPrivilege	2552	RuntimeBorker.exe
Token: SeDebugPrivilege	1784	RuntimeBorker.exe
Token: SeDebugPrivilege	1944	RuntimeBorker.exe
Token: SeDebugPrivilege	2848	RuntimeBorker.exe
Token: SeDebugPrivilege	300	RuntimeBorker.exe
Token: SeDebugPrivilege	832	RuntimeBorker.exe
Token: SeDebugPrivilege	2140	RuntimeBorker.exe
Token: SeDebugPrivilege	1992	RuntimeBorker.exe
Token: SeDebugPrivilege	1588	RuntimeBorker.exe
Token: SeDebugPrivilege	2840	RuntimeBorker.exe
Token: SeDebugPrivilege	576	RuntimeBorker.exe
Token: SeDebugPrivilege	1692	RuntimeBorker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 2252	1324	185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e.exe	31
PID 1324 wrote to memory of 2252	1324	185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e.exe	31
PID 1324 wrote to memory of 2252	1324	185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e.exe	31
PID 1324 wrote to memory of 2252	1324	185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e.exe	31
PID 1324 wrote to memory of 2220	1324	185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e.exe	33
PID 1324 wrote to memory of 2220	1324	185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e.exe	33
PID 1324 wrote to memory of 2220	1324	185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e.exe	33
PID 1324 wrote to memory of 2220	1324	185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e.exe	33
PID 2220 wrote to memory of 2868	2220	RuntimeBorker.exe	34
PID 2220 wrote to memory of 2868	2220	RuntimeBorker.exe	34
PID 2220 wrote to memory of 2868	2220	RuntimeBorker.exe	34
PID 2220 wrote to memory of 2868	2220	RuntimeBorker.exe	34
PID 2220 wrote to memory of 2788	2220	RuntimeBorker.exe	36
PID 2220 wrote to memory of 2788	2220	RuntimeBorker.exe	36
PID 2220 wrote to memory of 2788	2220	RuntimeBorker.exe	36
PID 2220 wrote to memory of 2788	2220	RuntimeBorker.exe	36
PID 2788 wrote to memory of 2784	2788	cmd.exe	38
PID 2788 wrote to memory of 2784	2788	cmd.exe	38
PID 2788 wrote to memory of 2784	2788	cmd.exe	38
PID 2788 wrote to memory of 2784	2788	cmd.exe	38
PID 2788 wrote to memory of 2652	2788	cmd.exe	39
PID 2788 wrote to memory of 2652	2788	cmd.exe	39
PID 2788 wrote to memory of 2652	2788	cmd.exe	39
PID 2788 wrote to memory of 2652	2788	cmd.exe	39
PID 2788 wrote to memory of 2304	2788	cmd.exe	41
PID 2788 wrote to memory of 2304	2788	cmd.exe	41
PID 2788 wrote to memory of 2304	2788	cmd.exe	41
PID 2788 wrote to memory of 2304	2788	cmd.exe	41
PID 2304 wrote to memory of 1464	2304	RuntimeBorker.exe	42
PID 2304 wrote to memory of 1464	2304	RuntimeBorker.exe	42
PID 2304 wrote to memory of 1464	2304	RuntimeBorker.exe	42
PID 2304 wrote to memory of 1464	2304	RuntimeBorker.exe	42
PID 2304 wrote to memory of 2428	2304	RuntimeBorker.exe	44
PID 2304 wrote to memory of 2428	2304	RuntimeBorker.exe	44
PID 2304 wrote to memory of 2428	2304	RuntimeBorker.exe	44
PID 2304 wrote to memory of 2428	2304	RuntimeBorker.exe	44
PID 2428 wrote to memory of 1932	2428	cmd.exe	46
PID 2428 wrote to memory of 1932	2428	cmd.exe	46
PID 2428 wrote to memory of 1932	2428	cmd.exe	46
PID 2428 wrote to memory of 1932	2428	cmd.exe	46
PID 2428 wrote to memory of 2360	2428	cmd.exe	47
PID 2428 wrote to memory of 2360	2428	cmd.exe	47
PID 2428 wrote to memory of 2360	2428	cmd.exe	47
PID 2428 wrote to memory of 2360	2428	cmd.exe	47
PID 2428 wrote to memory of 2932	2428	cmd.exe	48
PID 2428 wrote to memory of 2932	2428	cmd.exe	48
PID 2428 wrote to memory of 2932	2428	cmd.exe	48
PID 2428 wrote to memory of 2932	2428	cmd.exe	48
PID 2932 wrote to memory of 2020	2932	RuntimeBorker.exe	49
PID 2932 wrote to memory of 2020	2932	RuntimeBorker.exe	49
PID 2932 wrote to memory of 2020	2932	RuntimeBorker.exe	49
PID 2932 wrote to memory of 2020	2932	RuntimeBorker.exe	49
PID 2932 wrote to memory of 2156	2932	RuntimeBorker.exe	51
PID 2932 wrote to memory of 2156	2932	RuntimeBorker.exe	51
PID 2932 wrote to memory of 2156	2932	RuntimeBorker.exe	51
PID 2932 wrote to memory of 2156	2932	RuntimeBorker.exe	51
PID 2156 wrote to memory of 2228	2156	cmd.exe	53
PID 2156 wrote to memory of 2228	2156	cmd.exe	53
PID 2156 wrote to memory of 2228	2156	cmd.exe	53
PID 2156 wrote to memory of 2228	2156	cmd.exe	53
PID 2156 wrote to memory of 1044	2156	cmd.exe	54
PID 2156 wrote to memory of 1044	2156	cmd.exe	54
PID 2156 wrote to memory of 1044	2156	cmd.exe	54
PID 2156 wrote to memory of 1044	2156	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e.exe
"C:\Users\Admin\AppData\Local\Temp\185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e.exe"
1⤵
- Quasar RAT
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2252
- C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\LRSDLhNbmnNh.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2784
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2652
  - - C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1464
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QZuRpRSVOsa8.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2360
      - C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oOjLlQY6U4tA.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JmFJ8YksCvSZ.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:928
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Co2vcCwDzaqo.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EwfPKCrn6rML.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AXLLTF0y0NI4.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:300
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fvsKqNDkiEqU.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vfqLZ0a6Un1D.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:344
        
        C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tlf6UGLN4Hqq.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VBoXQsrlpjn4.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vVnG83ZSbtz0.bat" "
        25⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4C8oHCbBKplv.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe" /rl HIGHEST /f
        29⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JTBRrUl5hRmE.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1736
        
        C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe" /rl HIGHEST /f
        31⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4C8oHCbBKplv.bat

Filesize
214B

MD5
803d28f8a60824ced8b0763f7b1ad148

SHA1
fe91eafbcbfa9ef5195434a0471580181f3dbb72

SHA256
fc5f7a07056fcea8063a4476e26518c979289fab491ae1502fdb02c94b11f58a

SHA512
f3c28b3c92fe54b42851225da47c7240f88f3d8e76a4115319a8599a4f1cc664b07cfbc3e4c87fae16e202b84fefd027f0a97ebb51563b5912bbabe35fea2510

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXLLTF0y0NI4.bat

Filesize
214B

MD5
27b700a6344457a745c88abb8890a71b

SHA1
8f07e85e7cc7fb98796235e55c3320673f56269a

SHA256
327d8f4833e8ed2cc22ddde2191c143349099370a05392660af5742b63da8e9f

SHA512
a0969961068920ae112530e422ca99413ce3b4999e2a8875b244aeb410607b82ce143a368fbc73acea2e511054621b1cd257b8ec672a2ecb4eb7764ae5af197c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Co2vcCwDzaqo.bat

Filesize
214B

MD5
ee18013680ab2f40285157e8af572696

SHA1
0fe11ad35b50c61a5d2022be6ac4b897fd9c53a6

SHA256
0fbb3fddceef33749595cb8f40462a9c2c2418184476ed04322961eb4f75bd55

SHA512
cd1b55e54f869561057e45cc8a922321a1559e4b5d547adae924d33954626b0823ed6d993ca457230a34a07fa401e16dff45636b47c1ae6baa946454be1c9d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwfPKCrn6rML.bat

Filesize
214B

MD5
94a455cfce81600acd5f53d680fa2e74

SHA1
d8ac9e28162109f259903c13cf224438c0ac2df1

SHA256
beb94be0350a0289589ce1507c43bb472d85a3df537d996c5edd8de37c355797

SHA512
94926de7e0dacbf22eddab6859db94aa36519d8e4ecc0a0fe3bc4f1c817798f250f7615337dd9cf53219a1fed08934a7c1f427c7f77a2cb20cb166ac3ced57c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JTBRrUl5hRmE.bat

Filesize
214B

MD5
a48465cfe0eb6035ec9324e306929d4d

SHA1
7ab4106bc4e13d37c8959a4b0d171b9314526eab

SHA256
b16293194bd7dbd989e0dd76da017c3bca22501c09725a239ee3ce67c49f6b8f

SHA512
8289c42f2ae9212a80ac54fe849dccb4432087d8cff7bb4f11a5dfaafc4a69bdbac344d5a8dff4d2d525fb087ba39a977674da14569315c315e7b2dcc0406dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\JmFJ8YksCvSZ.bat

Filesize
214B

MD5
094f4d19a5a9aea5ac1d2405f02bb629

SHA1
d642c1e64bb147c232fec6cff31ac61a2343125a

SHA256
68a7cd6c28ccc82ff704f3faaecbf726f2aec4c023e25192da8fa5b5d2375d3a

SHA512
962098eda55adbde398c1eea639be116c58417e0de92c8c11f67bdbafaaba33b3743a435007ef060f001d7df70ec35734fb43f969cdbde967ef35baa371c14b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\LRSDLhNbmnNh.bat

Filesize
214B

MD5
61cfd5f77218bf56dad8357a923e16b0

SHA1
da3fd50cc60b4f01820cb35e438ce0493db5b440

SHA256
468658fb5c1f921969681cefb75936ce782d44ef8f5745f1f4cf692cb6c92963

SHA512
dd0d695fbd5308452cb1063fe0bfe9788fa2c3bb472c90441c1ef3025052c382f8d9bd0db2ffbc95e3423b72708ebf6beacd09897415b0bba1a8aba4846e5388

Download Submit
C:\Users\Admin\AppData\Local\Temp\QZuRpRSVOsa8.bat

Filesize
214B

MD5
2e0e7a6fc8b78d193a229891e7dcc91a

SHA1
41becb1fbb82222cc173ed233a32ed8793b39ff0

SHA256
6b4483f66d1d79cbff24c503b94252ccdb7853ce2131528167bf7ec85636daf5

SHA512
6a43141d896ab86a2ad7815883a404d7a70f17140e77706db9caea6097a0d146dc2c39f0ce130464bfcacf4d2a0ff5b19c9a1dde0b34e63e28d3b76d06c197dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBoXQsrlpjn4.bat

Filesize
214B

MD5
5330ee9ed12fbd7b934b65a941417924

SHA1
8e257f300bc987c24983c35a388eea0f5e518cd0

SHA256
fdf76a59cabc5a23c5ef512366be2c07c8dc78202d88f5d9ab2508f1f68a28c5

SHA512
fb5f707b759b9f93bb162f8c1efff400f2a3c2025f767db1e665400400c62b0f0ec96ef3454cb62d1245d8426617c8d58b9c7ce6610f6dd8d3b736077a3c0e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\fvsKqNDkiEqU.bat

Filesize
214B

MD5
93aae8aa41fabc7f69a7b798605786c9

SHA1
f029dadb8548091709f059509ced384deea9010b

SHA256
1e61c9f5607419db3bd9304d7346ae11d7a484b64c2072675198ae0d8f5d8ee9

SHA512
5736cab66458d135191c26ebb876389834c465c1e8be67b618a59fa47da9e9c74de429756058dca518af4e6750a0df6ddc65748aa2fdda109b55060bcec40320

Download Submit
C:\Users\Admin\AppData\Local\Temp\oOjLlQY6U4tA.bat

Filesize
214B

MD5
3b81e6eebaf2130dbb748661c1878da2

SHA1
94bc7205d56f18f009d3cc729aa8b25ef3e61ace

SHA256
0bd7660e07e46034ed90d76558928d03d63af759cdee3ec73eb8c07dead00732

SHA512
e10f496e0dbadb7dd28189655e0dce9d83189de772ee62c1b2b23dad1e9c57eb4664a79decd656edb25cf696026b499f2e9f151def3bc02ef10b74051991567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlf6UGLN4Hqq.bat

Filesize
214B

MD5
0bd034376d1e03f15bc3a74fb724a948

SHA1
71571d8632b5df7617b5691037c4e7f2fc42a4bf

SHA256
32e33ce434de14fe976c86fa4292623f155355d7162843b014a85ab4fbcbec36

SHA512
d5a358f87da7d71de14d46d0fad7fea5932ecb65dd77256ff1bbbdfe665be1f76e56dcc2078e9c9ba82f0a4d67195a523ab635370deb6ba2a0de6b9c5bc4924f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vVnG83ZSbtz0.bat

Filesize
214B

MD5
554a1d6b98a4b3c5de1222b01a220eba

SHA1
a8d40af16478ebe1c07aa98e382e46de931e0718

SHA256
f167b5a8b0b0188dfa30287829ebd53e514dc0828de8bb7678dc7d76284c7840

SHA512
873456c23d7e6d7c08c7d830d512d7de6697c4bb31fb12e78a66e281373c792cdf4046bf77c622c086dc55782c08504d369bed8123eaa77dd581d665b5a061e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vfqLZ0a6Un1D.bat

Filesize
214B

MD5
767b4d8699055b54bc002df1f8674b77

SHA1
1171b2b242bf50ae6f4b61360bb5facc88eb54e1

SHA256
327a4416581e6835cbb1632478a7b4e34f344dcdbc551023d2342a42c8731139

SHA512
2f10ac9a69030a4d3f41d1634099628c7d09e13b0fbe466869e2cde23aeec9e7d87e1eae60df3694e68ee8d2dfc0e3e6b8734aea9266c5696f3700f66da2af1f

Download Submit
\Users\Admin\AppData\Roaming\SubDir\RuntimeBorker.exe

Filesize
358KB

MD5
19f081815e6c363fc05fb4e4be28325f

SHA1
0ae19dc0f3874f9a80f6bb7c25a2e5b112f452f3

SHA256
185e2153758f94ff134e690e74f875a469b9ac9b58284f8e1482b77c34935c5e

SHA512
1c27a6c2ba52b0973b6aaea7bc66886400ac2bbd1d29f3512e31419efa8991b31f07d30cdb840b7829a9c2dccc944166889f44c16300fd3a65207fb979c415ac

Download Submit
memory/300-90-0x0000000001300000-0x0000000001360000-memory.dmp

Filesize
384KB

Download
memory/576-156-0x0000000001270000-0x00000000012D0000-memory.dmp

Filesize
384KB

Download
memory/832-101-0x0000000001300000-0x0000000001360000-memory.dmp

Filesize
384KB

Download
memory/1324-0-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/1324-12-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1324-2-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1324-1-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1588-134-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/1692-167-0x00000000000E0000-0x0000000000140000-memory.dmp

Filesize
384KB

Download
memory/1784-57-0x0000000000DF0000-0x0000000000E50000-memory.dmp

Filesize
384KB

Download
memory/1944-68-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/1992-123-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/2140-112-0x0000000000090000-0x00000000000F0000-memory.dmp

Filesize
384KB

Download
memory/2220-22-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2220-11-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2220-9-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/2220-10-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2304-24-0x00000000012E0000-0x0000000001340000-memory.dmp

Filesize
384KB

Download
memory/2552-46-0x00000000000A0000-0x0000000000100000-memory.dmp

Filesize
384KB

Download
memory/2840-145-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/2848-79-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/2932-35-0x00000000012E0000-0x0000000001340000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads