quasar | 5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe
Size

498KB
MD5

0b289f42527f29b5080b2c27f1b81abc
SHA1

b4609368985d9c37c5b3b1bed3098360a7e2bd52
SHA256

5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8
SHA512

0af17966a2b3291f25dac48600360ae59f3e235162f9c3b5cb676a331089ac52e33e228df0b4471b946d2934cf0d4a880392f7b8690485741b2426474b7289e4
SSDEEP

12288:3bTrOWFYTzFpaioEoKibiDfq1NznYtK++0AY8fV2Ex82HzlGnmtwa4JwaC1rFDZU:rOWFepgio59nMKj0ABV2+Y7J1H

Score

10^/10

quasar discovery spyware trojan

Malware Config

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	46	ip-api.com	Process not Found
	59	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe
	5	ip-api.com	Process not Found

Quasar family
quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllchost.exe

Executes dropped EXE 14 IoCs

pid	Process
2760	dllchost.exe
4188	dllchost.exe
3588	dllchost.exe
3964	dllchost.exe
2044	dllchost.exe
1244	dllchost.exe
5056	dllchost.exe
2868	dllchost.exe
4836	dllchost.exe
3536	dllchost.exe
3708	dllchost.exe
2372	dllchost.exe
5056	dllchost.exe
4072	dllchost.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com
46	ip-api.com
59	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllchost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4184	PING.EXE
1416	PING.EXE
4236	PING.EXE
1588	PING.EXE
3924	PING.EXE
2884	PING.EXE
4500	PING.EXE
1896	PING.EXE
3176	PING.EXE
3512	PING.EXE
4916	PING.EXE
1276	PING.EXE
1028	PING.EXE
4280	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
4916	PING.EXE
1028	PING.EXE
3512	PING.EXE
1416	PING.EXE
4500	PING.EXE
1896	PING.EXE
3176	PING.EXE
3924	PING.EXE
4280	PING.EXE
2884	PING.EXE
1276	PING.EXE
4236	PING.EXE
4184	PING.EXE
1588	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2528	schtasks.exe
1764	schtasks.exe
2316	schtasks.exe
4764	schtasks.exe
860	schtasks.exe
1192	schtasks.exe
5100	schtasks.exe
1564	schtasks.exe
380	schtasks.exe
228	schtasks.exe
2520	schtasks.exe
2408	schtasks.exe
2640	schtasks.exe
3068	schtasks.exe
2184	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4504	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe
Token: SeDebugPrivilege	2760	dllchost.exe
Token: SeDebugPrivilege	4188	dllchost.exe
Token: SeDebugPrivilege	3588	dllchost.exe
Token: SeDebugPrivilege	3964	dllchost.exe
Token: SeDebugPrivilege	2044	dllchost.exe
Token: SeDebugPrivilege	1244	dllchost.exe
Token: SeDebugPrivilege	5056	dllchost.exe
Token: SeDebugPrivilege	2868	dllchost.exe
Token: SeDebugPrivilege	4836	dllchost.exe
Token: SeDebugPrivilege	3536	dllchost.exe
Token: SeDebugPrivilege	3708	dllchost.exe
Token: SeDebugPrivilege	2372	dllchost.exe
Token: SeDebugPrivilege	5056	dllchost.exe
Token: SeDebugPrivilege	4072	dllchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 2640	4504	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	83
PID 4504 wrote to memory of 2640	4504	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	83
PID 4504 wrote to memory of 2640	4504	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	83
PID 4504 wrote to memory of 2760	4504	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	85
PID 4504 wrote to memory of 2760	4504	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	85
PID 4504 wrote to memory of 2760	4504	5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe	85
PID 2760 wrote to memory of 3068	2760	dllchost.exe	86
PID 2760 wrote to memory of 3068	2760	dllchost.exe	86
PID 2760 wrote to memory of 3068	2760	dllchost.exe	86
PID 2760 wrote to memory of 4756	2760	dllchost.exe	88
PID 2760 wrote to memory of 4756	2760	dllchost.exe	88
PID 2760 wrote to memory of 4756	2760	dllchost.exe	88
PID 4756 wrote to memory of 244	4756	cmd.exe	90
PID 4756 wrote to memory of 244	4756	cmd.exe	90
PID 4756 wrote to memory of 244	4756	cmd.exe	90
PID 4756 wrote to memory of 2884	4756	cmd.exe	91
PID 4756 wrote to memory of 2884	4756	cmd.exe	91
PID 4756 wrote to memory of 2884	4756	cmd.exe	91
PID 4756 wrote to memory of 4188	4756	cmd.exe	92
PID 4756 wrote to memory of 4188	4756	cmd.exe	92
PID 4756 wrote to memory of 4188	4756	cmd.exe	92
PID 4188 wrote to memory of 1564	4188	dllchost.exe	93
PID 4188 wrote to memory of 1564	4188	dllchost.exe	93
PID 4188 wrote to memory of 1564	4188	dllchost.exe	93
PID 4188 wrote to memory of 60	4188	dllchost.exe	95
PID 4188 wrote to memory of 60	4188	dllchost.exe	95
PID 4188 wrote to memory of 60	4188	dllchost.exe	95
PID 60 wrote to memory of 4828	60	cmd.exe	97
PID 60 wrote to memory of 4828	60	cmd.exe	97
PID 60 wrote to memory of 4828	60	cmd.exe	97
PID 60 wrote to memory of 4236	60	cmd.exe	98
PID 60 wrote to memory of 4236	60	cmd.exe	98
PID 60 wrote to memory of 4236	60	cmd.exe	98
PID 60 wrote to memory of 3588	60	cmd.exe	105
PID 60 wrote to memory of 3588	60	cmd.exe	105
PID 60 wrote to memory of 3588	60	cmd.exe	105
PID 3588 wrote to memory of 1192	3588	dllchost.exe	106
PID 3588 wrote to memory of 1192	3588	dllchost.exe	106
PID 3588 wrote to memory of 1192	3588	dllchost.exe	106
PID 3588 wrote to memory of 3020	3588	dllchost.exe	108
PID 3588 wrote to memory of 3020	3588	dllchost.exe	108
PID 3588 wrote to memory of 3020	3588	dllchost.exe	108
PID 3020 wrote to memory of 676	3020	cmd.exe	110
PID 3020 wrote to memory of 676	3020	cmd.exe	110
PID 3020 wrote to memory of 676	3020	cmd.exe	110
PID 3020 wrote to memory of 4184	3020	cmd.exe	111
PID 3020 wrote to memory of 4184	3020	cmd.exe	111
PID 3020 wrote to memory of 4184	3020	cmd.exe	111
PID 3020 wrote to memory of 3964	3020	cmd.exe	114
PID 3020 wrote to memory of 3964	3020	cmd.exe	114
PID 3020 wrote to memory of 3964	3020	cmd.exe	114
PID 3964 wrote to memory of 1764	3964	dllchost.exe	115
PID 3964 wrote to memory of 1764	3964	dllchost.exe	115
PID 3964 wrote to memory of 1764	3964	dllchost.exe	115
PID 3964 wrote to memory of 2852	3964	dllchost.exe	117
PID 3964 wrote to memory of 2852	3964	dllchost.exe	117
PID 3964 wrote to memory of 2852	3964	dllchost.exe	117
PID 2852 wrote to memory of 1400	2852	cmd.exe	119
PID 2852 wrote to memory of 1400	2852	cmd.exe	119
PID 2852 wrote to memory of 1400	2852	cmd.exe	119
PID 2852 wrote to memory of 4500	2852	cmd.exe	120
PID 2852 wrote to memory of 4500	2852	cmd.exe	120
PID 2852 wrote to memory of 4500	2852	cmd.exe	120
PID 2852 wrote to memory of 2044	2852	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe
"C:\Users\Admin\AppData\Local\Temp\5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe"
1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2640
- C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
  "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zow8rcP1yf4t.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:244
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2884
  - - C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
      "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4188
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOgytm1QSepz.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:60
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4236
      - C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vbgR3TbO1RPt.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4184
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M0umtCa0LMCU.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4500
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B8YwZl9FxCW3.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1896
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hboPp5hm6wk3.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3176
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ip8CVk9ZXDtp.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4916
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wglVD229dlhn.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1588
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkf91PFcohLn.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1276
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zbISih8CuF9l.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3924
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R2lCBHWPXBgr.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgFY6eTZS37W.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4280
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tDNuYKkLuQUn.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3512
        
        C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "dllchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe" /rl HIGHEST /f
        29⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\43CUTsTbUAas.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dllchost.exe.log

Filesize
1KB

MD5
08853d2d986873ab78ccdc20d8aafb86

SHA1
437890ccf0d09513fd35c10780b50382293b0bd5

SHA256
e08b584695edef8556e0dbf2866466a3c428030d859eefd70e4ed45c88965002

SHA512
ad29cfe7b739474697e33cdc74d3f098321f519a8a6aea61252a9bc73b4002c4e2c4a2851259a8c2a0c7b2b59cb154b05e81822acc5937538981c56d7c8c3931

Download Submit
C:\Users\Admin\AppData\Local\Temp\43CUTsTbUAas.bat

Filesize
211B

MD5
0e392a4b6b4ab09b5979546ba44e56e7

SHA1
2682bd1aa28c669d95dd5cca2f46347326178216

SHA256
3d79b7713e2340cf871611ed8941637ec011676df5924aa3583335e19e9804d6

SHA512
bb38b292e1fcb9cde13b30578af3c724ef15895c817f2c02888cc8ff9e017e713630deec1fc6dd3b635c1fe7d221b50b581b0ae8d54138535006efad0d281184

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8YwZl9FxCW3.bat

Filesize
211B

MD5
e39dcc692c68f5a4387e2549d7be6646

SHA1
44d97ebe1187d8d096f1b8d0a0ace5b94b6275e8

SHA256
a82c07f9eda0280d9dfb917b33ddf7a43b602a077f910f5fd0d12713ab9549d0

SHA512
1d9d03df3f6d69f84652c535fe9101f44f6b5bf192c5fd075342ed23d8dd1b0f0f68031275b727fb32be42d43d27c8b9b67e5a9d174e7616bf4eb7019c726072

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgFY6eTZS37W.bat

Filesize
211B

MD5
0c75becfdfae82c763f2ef13701df5b9

SHA1
83441e5c22651e8307c34d76fbb53f39e9382a95

SHA256
0e0fd958f9ffe5752fae9acfdf63fb196461356e631ac54df0123ea022b31006

SHA512
46857b2e483980d10302cfb31b4b5ef2cbecf65b7a1c9b33ccd76160c810ae6cb74ab6d9678ab4a648dc1280e3ee03726011047e7f7728048b7cae100a4d6136

Download Submit
C:\Users\Admin\AppData\Local\Temp\M0umtCa0LMCU.bat

Filesize
211B

MD5
1e3f834e18ae2064b4f570586c265575

SHA1
f1f95412a878f726b8a1aece8401b6e1c40e755c

SHA256
2022ccffe9d674c35040182dd899343874ca6880429d83e9c8bb8615aa737bea

SHA512
317fd60d1f6c657c0ced43daf93d9a76cfe0bc92fa19de67a6ef2fe14c418af36d1f5ecf172df41841e7435bd8801a43a8d4f3f09361a61a2fdce84811d05a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\R2lCBHWPXBgr.bat

Filesize
211B

MD5
45b3e086c9959c8921326ca957b7249d

SHA1
940edd4b3045e8fde4ca77f14ed53159093c55b2

SHA256
59af8e09c06227bbe1ad0155d6f044da16cdd55980063c795cf30f90e2f80c04

SHA512
909e2242b0718b54320ddb9af550832ee0f8674570100a5d97cd1decca44075bab0bbd601b5c41581c63dddcbbfa28561405ed8fc0043020a854f34964537836

Download Submit
C:\Users\Admin\AppData\Local\Temp\hboPp5hm6wk3.bat

Filesize
211B

MD5
c5ef2f671aca8fe36d431763aed21983

SHA1
83b8130ab9a748d2531e7ff4ec8a53b593c26aba

SHA256
4cd264f0153d11a726b210628f646f378c56f8e03809094596251d55f79a989c

SHA512
ea8c3913777317740bf1fe29961fe70a983f03fa1362a7dac3e4ef627bfde30e827d9c9f8618e5545ce810d02b76637ae2515c1b74fb7717ba1541cb7563e1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ip8CVk9ZXDtp.bat

Filesize
211B

MD5
be7e3272fa5a537218b87c1f062001bb

SHA1
de5c159d7107fa09cecd42b0cc2ac8c7952d773b

SHA256
2d1973e7e6b920211f54da46ed737a11bc9e0f2efa013b294f364fde0e510be3

SHA512
429d779207de70dae49c20f46895fcf15c29ca9654ed8f203354ffcc4bad9d5fc6bea91d0094fa2a701796c097d5dc06f7a04ca58145af698e7b834bdd5f0c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkf91PFcohLn.bat

Filesize
211B

MD5
ab9be834fe6a7d1f286c2f73b011485e

SHA1
6cd2c0f31101bcc0be921b7c251449822b44c0be

SHA256
72e060f456bb8e522255ad2c11dab7291d46c40d6776edfa1764cd94a389d39c

SHA512
70e37e374fd6c7dd7cb11399bc977b9d1d752759c6779d8b23bfda6f175c12d1d832f3461441026baaa0002c01f16be96f34530edbf1ee9058b5972632fe4abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\lOgytm1QSepz.bat

Filesize
211B

MD5
46e3e0df9897e4e88a23af30df2cec27

SHA1
6cb3bb3bc8d72053c15ed854b294418972646347

SHA256
99fc0c9688bb8b7d20ee89741d108efb97e9d2f3b2ea212fd004742c7332476b

SHA512
e3bfff5d1107a793c9d18ef1f8a7e69f04ad36d2bf89fc50a1b9fa7022b4593c88163c2d654a4614b88d233a880616c7dfa6bfc647905b188714acaebbf51b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\tDNuYKkLuQUn.bat

Filesize
211B

MD5
990600d8e65a382eca84164d28dc6c61

SHA1
e8b5d6c2c68024a14d1feac84079db9aa24a311c

SHA256
352f91f9538a614350226b03374672f338b4fb5a61add4d2e1faa5bf4efe55b0

SHA512
26e70e3dcf3718fd69c731676c9f171da5aa6926d30cf25643b563769a1ca00a6166fa0622eb720158bf8ba77033a00f7ede3826b0737162d611387c5fe00576

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbgR3TbO1RPt.bat

Filesize
211B

MD5
0472d98be2216cd54d8a833f9723f7f7

SHA1
176ef76dbc81d42b521f1d2a0322cbe5e59782f0

SHA256
beb4bdcac482e205cda8455bb2e5746465ef7cbdce7db2a83eb531e96481e1ec

SHA512
1b7ea5199bb548dde2e2513b0fd128447d0b4656a97e9c11768a0a02465f422375db3c9088718aaeca4a9349836a959c587f0e92037704348923510039cf913e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wglVD229dlhn.bat

Filesize
211B

MD5
02e56e9201f5d7f10d9b5b23e1470c89

SHA1
f072c61ee854c97e959c78deaab985f8bf49fc37

SHA256
ed0dc6eceabbc729291eeff9b85bc001076e016d67504d3cd514a8ce2f9655dc

SHA512
bc0b89295a847a3a32a82125aa035ff31d276ff33d6c893dc530b97b35ec1d120c8b813c6a5abb95dcea25d4a4da86770a23d2a7dde36134584e4b75fd9a7d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbISih8CuF9l.bat

Filesize
211B

MD5
b95072ee629febe8c73e8f7faa113593

SHA1
39da8420f8b8248e87e8b2f68fbcdb8c900d1827

SHA256
53ef165790dde16ba9a0075d93e60b6c127f67170ec7535f4b59b9a042899b55

SHA512
8618ad06454cd440f07bea120b793cb5dc8aec474e5e8c9e7ee8b4c72a13fc121e94b2c8e0b58e6194b3410422c56a6e510a6889aa97e4a8a57d7dab2cecd242

Download Submit
C:\Users\Admin\AppData\Local\Temp\zow8rcP1yf4t.bat

Filesize
211B

MD5
30e61fddc9ce64ad0b2deeb73a6f13f7

SHA1
34bd1c7b296d7ab094ed3b6e65812836358f0098

SHA256
b83016c265aa18a1aa1ba5c02e8025e7ba05a302b6a2145a6b8a23501d88a7ed

SHA512
ef8a1368a0fcdc8dd3eb2583312b799e7360692bcad6642ee1fbeae78fd4f3690310bc804e6b88df9d9d2c1aaecbc30cbde4b0f6e60bd8d28ca77bffd3e57e3f

Download Submit
C:\Users\Admin\AppData\Roaming\dllchost\dllchost.exe

Filesize
498KB

MD5
0b289f42527f29b5080b2c27f1b81abc

SHA1
b4609368985d9c37c5b3b1bed3098360a7e2bd52

SHA256
5e80f12a0c97e2df597c4f5029821ed77d30c42835db6190e6b6ba556d1987f8

SHA512
0af17966a2b3291f25dac48600360ae59f3e235162f9c3b5cb676a331089ac52e33e228df0b4471b946d2934cf0d4a880392f7b8690485741b2426474b7289e4

Download Submit
memory/2760-23-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/2760-17-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/2760-15-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/4504-9-0x0000000006660000-0x000000000669C000-memory.dmp

Filesize
240KB

Download
memory/4504-16-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/4504-0-0x000000007516E000-0x000000007516F000-memory.dmp

Filesize
4KB

Download
memory/4504-8-0x0000000006120000-0x0000000006132000-memory.dmp

Filesize
72KB

Download
memory/4504-7-0x0000000005920000-0x0000000005986000-memory.dmp

Filesize
408KB

Download
memory/4504-6-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/4504-5-0x0000000005790000-0x0000000005796000-memory.dmp

Filesize
24KB

Download
memory/4504-4-0x0000000007DB0000-0x0000000007E42000-memory.dmp

Filesize
584KB

Download
memory/4504-3-0x00000000082C0000-0x0000000008864000-memory.dmp

Filesize
5.6MB

Download
memory/4504-2-0x0000000007C30000-0x0000000007D0C000-memory.dmp

Filesize
880KB

Download
memory/4504-1-0x0000000000E80000-0x0000000000F02000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads