quasar | 2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Size

3.1MB
MD5

4522bc113a6f5b984e9ffac278f9f064
SHA1

392ec955d7b5c5da965f7af9f929b89c33409b03
SHA256

2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58
SHA512

c0980d621a154adb63bdb8a4e7adc863a40d1af8d98d18bd0671fc07721639d66b10d471d4dddc0e78cc127d4c0429f3084618f227919e4a552d6de4ee7793ff
SSDEEP

98304:6WV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvg:FTQzo

Score

10^/10

quasar zjeb discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ebef1e3c-805b-4b1a-aa24-bf4dcab44476

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4596-1-0x0000000000370000-0x0000000000694000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1172	PING.EXE
3168	PING.EXE
1484	PING.EXE
544	PING.EXE
3604	PING.EXE
1604	PING.EXE
2208	PING.EXE
4332	PING.EXE
4356	PING.EXE
2240	PING.EXE
1604	PING.EXE
3168	PING.EXE
2708	PING.EXE
4956	PING.EXE
1424	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3168	PING.EXE
2708	PING.EXE
4356	PING.EXE
544	PING.EXE
2208	PING.EXE
4332	PING.EXE
4956	PING.EXE
1484	PING.EXE
1604	PING.EXE
1604	PING.EXE
1424	PING.EXE
2240	PING.EXE
1172	PING.EXE
3604	PING.EXE
3168	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4656	schtasks.exe
3236	schtasks.exe
3496	schtasks.exe
1688	schtasks.exe
1476	schtasks.exe
564	schtasks.exe
3616	schtasks.exe
5116	schtasks.exe
4428	schtasks.exe
3484	schtasks.exe
4684	schtasks.exe
1152	schtasks.exe
3372	schtasks.exe
2864	schtasks.exe
4788	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4596	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	2804	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	4132	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	4772	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	4524	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	2804	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	3152	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	888	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	4668	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	4428	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	1240	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	1488	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	3980	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	2240	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	4820	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3372	4596	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	83
PID 4596 wrote to memory of 3372	4596	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	83
PID 4596 wrote to memory of 4260	4596	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	85
PID 4596 wrote to memory of 4260	4596	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	85
PID 4260 wrote to memory of 2884	4260	cmd.exe	87
PID 4260 wrote to memory of 2884	4260	cmd.exe	87
PID 4260 wrote to memory of 3168	4260	cmd.exe	88
PID 4260 wrote to memory of 3168	4260	cmd.exe	88
PID 4260 wrote to memory of 2804	4260	cmd.exe	90
PID 4260 wrote to memory of 2804	4260	cmd.exe	90
PID 2804 wrote to memory of 4656	2804	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	91
PID 2804 wrote to memory of 4656	2804	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	91
PID 2804 wrote to memory of 3152	2804	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	94
PID 2804 wrote to memory of 3152	2804	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	94
PID 3152 wrote to memory of 4448	3152	cmd.exe	96
PID 3152 wrote to memory of 4448	3152	cmd.exe	96
PID 3152 wrote to memory of 1604	3152	cmd.exe	97
PID 3152 wrote to memory of 1604	3152	cmd.exe	97
PID 3152 wrote to memory of 4132	3152	cmd.exe	110
PID 3152 wrote to memory of 4132	3152	cmd.exe	110
PID 4132 wrote to memory of 3616	4132	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	111
PID 4132 wrote to memory of 3616	4132	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	111
PID 4132 wrote to memory of 4592	4132	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	114
PID 4132 wrote to memory of 4592	4132	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	114
PID 4592 wrote to memory of 2932	4592	cmd.exe	116
PID 4592 wrote to memory of 2932	4592	cmd.exe	116
PID 4592 wrote to memory of 2708	4592	cmd.exe	117
PID 4592 wrote to memory of 2708	4592	cmd.exe	117
PID 4592 wrote to memory of 4772	4592	cmd.exe	121
PID 4592 wrote to memory of 4772	4592	cmd.exe	121
PID 4772 wrote to memory of 5116	4772	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	123
PID 4772 wrote to memory of 5116	4772	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	123
PID 4772 wrote to memory of 3684	4772	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	126
PID 4772 wrote to memory of 3684	4772	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	126
PID 3684 wrote to memory of 3908	3684	cmd.exe	128
PID 3684 wrote to memory of 3908	3684	cmd.exe	128
PID 3684 wrote to memory of 4956	3684	cmd.exe	129
PID 3684 wrote to memory of 4956	3684	cmd.exe	129
PID 3684 wrote to memory of 4524	3684	cmd.exe	130
PID 3684 wrote to memory of 4524	3684	cmd.exe	130
PID 4524 wrote to memory of 4428	4524	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	131
PID 4524 wrote to memory of 4428	4524	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	131
PID 4524 wrote to memory of 1300	4524	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	134
PID 4524 wrote to memory of 1300	4524	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	134
PID 1300 wrote to memory of 1292	1300	cmd.exe	136
PID 1300 wrote to memory of 1292	1300	cmd.exe	136
PID 1300 wrote to memory of 1484	1300	cmd.exe	137
PID 1300 wrote to memory of 1484	1300	cmd.exe	137
PID 1300 wrote to memory of 2804	1300	cmd.exe	139
PID 1300 wrote to memory of 2804	1300	cmd.exe	139
PID 2804 wrote to memory of 3484	2804	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	140
PID 2804 wrote to memory of 3484	2804	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	140
PID 2804 wrote to memory of 4960	2804	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	142
PID 2804 wrote to memory of 4960	2804	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	142
PID 4960 wrote to memory of 2664	4960	cmd.exe	145
PID 4960 wrote to memory of 2664	4960	cmd.exe	145
PID 4960 wrote to memory of 1424	4960	cmd.exe	146
PID 4960 wrote to memory of 1424	4960	cmd.exe	146
PID 4960 wrote to memory of 3152	4960	cmd.exe	148
PID 4960 wrote to memory of 3152	4960	cmd.exe	148
PID 3152 wrote to memory of 4684	3152	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	149
PID 3152 wrote to memory of 4684	3152	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	149
PID 3152 wrote to memory of 3740	3152	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	152
PID 3152 wrote to memory of 3740	3152	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
"C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUJeQlUf8saP.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2884
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3168
- - C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zE8gVr3SPB0A.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3152
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4448
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1604
    - - C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4132
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3616
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIBQAr9t1NQK.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGirJDXSbxjI.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7NkmGS5PRM57.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Az4XUu6c2XLd.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2664
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OPLWmOsB9U4q.bat" "
        14⤵
        
        PID:3740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        15⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tpJ28RpEtHh3.bat" "
        16⤵
        
        PID:1408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ttlfr7uZK0Nu.bat" "
        18⤵
        
        PID:1036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1284
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        19⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ensrWg8MmadQ.bat" "
        20⤵
        
        PID:1116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        21⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\crZpRJZgRfAw.bat" "
        22⤵
        
        PID:3900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        23⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAraXakRNAJC.bat" "
        24⤵
        
        PID:2652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        25⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\az6AZSg204Gr.bat" "
        26⤵
        
        PID:5084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        27⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WN9BVB8ExyQW.bat" "
        28⤵
        
        PID:4668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4492
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        29⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fsO2rB7NQhKA.bat" "
        30⤵
        
        PID:4016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7NkmGS5PRM57.bat

Filesize
261B

MD5
e3010b23b81535a2f237d0bd28803af4

SHA1
0dca6bcf32da1b2d9b3eae0351f7ff2b38f2c55a

SHA256
5bd39522b2f79ed629a7b797e472be9a66fdb872904ce0dd36d586d83340890c

SHA512
a4a2520f54edd1ffbbb8dbc7b99467cb36dcdd186752fa840413a6a225a327d04979757746af01bc92136253c1a6a349e343e29c8d3591ebea0833e679d2e00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Az4XUu6c2XLd.bat

Filesize
261B

MD5
7719d0814c526538ad91c47b0011c055

SHA1
bf8ae8121b20dc4c89225e26c81ab89dfaaf7857

SHA256
e8fd6c26b6c25017d0a10681587923cbb7ff36d06d3ac7c58baa0fa69e27897b

SHA512
62e3f630a6124020bb58906b61f5093484897c70d4d71d52639a56bccea6addba0714e2f12bbc25ebdd599b69ad531ebe19ddf130d17c1f4dff3784a4b529166

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPLWmOsB9U4q.bat

Filesize
261B

MD5
131c69f38a2ee2c93d3fe5a34c3245a1

SHA1
87f5cc71e1fc4444eacb49a7927c34dd96e29063

SHA256
525ed2ea5bb0ff7a97e8973ad4a711f31c0959c22f19e8bf7981a728f20bf79c

SHA512
50667a919e38633377c8fb229badaf0ae77f19d9e75bacaa2cf17540452eae57bf9b84fda5c3ddaa69ca1227bb945d7b29247916bcba99e952d09c89e3c452d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAraXakRNAJC.bat

Filesize
261B

MD5
5a63aaf8982b9616307acddff4b7fa43

SHA1
237f86ff38812abacb69e1040f58d8d9ae96e1b2

SHA256
86ce57ab57d43c0b05c4813a867f443fce119cc54a5a88ba9123b89e714d4220

SHA512
a27b1db3e5f30aee8312284ce06534152ffd7421b7b4de8d85f6fa0466c335cefd817904036f051a9b5f1137b23d45eb56f4a134811703c8887676c967a2f9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WN9BVB8ExyQW.bat

Filesize
261B

MD5
a1080c71fa5613172cc88654cff390f8

SHA1
53087cc8993f391f707a8497ab4617d89bb41a8f

SHA256
ba029af8040654c85e7648d7ee2f307aae5fff94a83e86eff87cc32f4ae58966

SHA512
f741d8e9ca387123da331f79bbb9ba47c1842c2de897526232ee85890ea306e5840299785a2a581087dde6848e8c7e1d84bc793e3df1a53eeca040381724f3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XGirJDXSbxjI.bat

Filesize
261B

MD5
5bf9688c4d51ed4b7d9946947897fe8f

SHA1
3c3e9fda8c315c2ab1d6a6cd4fe7ba96f0536ea6

SHA256
9404ad8903dad3aa5d8090c1547565918965eec0c759a0d1e228f5be3f3f437b

SHA512
87805a0ab68be15266d1adacf2caba2447b22ff3f7f5ef5662d1116b223909d6c1ec35096315800162a66fff9aef192d891bcb174ebb90143338ae8c5d32a083

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIBQAr9t1NQK.bat

Filesize
261B

MD5
febb7d44ffd9a95344745fe3cd3d5a49

SHA1
f9bf52a2a62ffc10daf1f1fe34bf36f198edcd02

SHA256
e7a8b8c53315da6848725125b8a036d00e1cedabc4794c58098b4a6dec8166aa

SHA512
21d468eaa64228a6b266b948f8256c27a23092192d3ec353dc7a25073e12d64fee495bdb0dc6cf7b7b3464d1b5edd4a75538ca9a429f65120ce2de91d61e76bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\az6AZSg204Gr.bat

Filesize
261B

MD5
9c38f42f25fef7a62ad9c99df42a5d8b

SHA1
976c8115c926afd740d8002e3a563299ef498eed

SHA256
e5a198272ea697c51a4810150d7972c7db027679e6887aa7b216c5a792ccd686

SHA512
45b7180bb2e5ec7d78a8603871c59bf252c80383e07f1c100b93373c822ccb1ba4647b1e5cf4f251aa341026b09ba15dba7f24254acf052088518d3eb30af832

Download Submit
C:\Users\Admin\AppData\Local\Temp\crZpRJZgRfAw.bat

Filesize
261B

MD5
e3e6dad3112587e32ed20e5512ba9bf5

SHA1
64a0edb2eec1f63972d39dcfaa9c1c9ef5858b5a

SHA256
164e9e3905329577683eea19ff5d56bae1efdad0d8429c7e82a7d13dbb293260

SHA512
9d05edf4dfb7cb903aa86ae214550155ac80bc7a31632ba77f8c1d0f628788009074b9293ebc715b08f855ae296b03f505fc81225eccff180ff768326df03f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\ensrWg8MmadQ.bat

Filesize
261B

MD5
4ba7425862f72883130f058fa0613bff

SHA1
2610f39ae46cda285f6580c24a9d4569df9bfbf2

SHA256
371a0eb32a47c29b67a4ef2b1c43b0a9c0ccef434ba5f4380d33a58ae22bcc2e

SHA512
9ec23e46e977d2192d37cf01f85499bda9032ed37e344e2d913226b94ef4eaaeec50bd4cb8edad1f9acd606b7b632ca5564f4650dabbbf89e040ac88b84007e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsO2rB7NQhKA.bat

Filesize
261B

MD5
1b9fb6b11ef18a94f1cf4c5bfc2a3231

SHA1
1720f86961d9a984a5214fa626e31a8421cbd5e3

SHA256
bd6b37deafc846a91190c208b0bf9da5a7cff1cb256117887b65ac6c3c4960f0

SHA512
e20215636b1b7f2ab902dee368f962154c0122aac141a834e945cdf4958384c6123c85cbba1cd991dc08395308e85dae56a1e5b1ccff2b783ad2829123ba5d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUJeQlUf8saP.bat

Filesize
261B

MD5
a2462905d4a44945ca49a56c3320c58c

SHA1
d64fcb3b5574f80b1d2c639d767b36ae1bc65154

SHA256
45a27f1f9be19aec0c6f8623334e5da12d8b915da47f489224832031e56f2a43

SHA512
ed897edd32cbb4c8c6b23e77f0a0eb8738f615a6dc2f5c0ac7cbb815e942bb2538cc25a5fdf05507530cbdc0c42d4395a1ed08d2f2ffccc6692da3ec84c3e3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpJ28RpEtHh3.bat

Filesize
261B

MD5
f2f26ceeeb011c09b7ed6c710569a1c8

SHA1
57eb01147f87566ddf37b4066b65d14b7fa49ebb

SHA256
7784791b397ccc3e8b9ba723ea5049f14474d3638f1de886e94952511bb452c1

SHA512
4cc23b0826fd1d4568a53140b18a7ac3637c2d05ee70f62d4d2a0f8d8b2430e53178eb37c596abe51818f5f3e9a42ee0ba9063627b4b2873a2c38f208fbd7365

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttlfr7uZK0Nu.bat

Filesize
261B

MD5
7cbd7a0f3713a6bbcc60df91944874f8

SHA1
d7d11e1710147782e7e41c1f52b7067ac719fae6

SHA256
7186af45cbf86b7ab9f65826c0fbea82353fbd135b1de80acadfa6b70b12f7b0

SHA512
c75a03ac951ba2d1b10b77fb4b05a47888cbbda89857df9f7a0e51ece030d601fc1ac36d87994d5cab7b36c86645e1ee6013c948d1041eaf308b714e061987aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zE8gVr3SPB0A.bat

Filesize
261B

MD5
a56cc3f22e97975c514585ea6826e5c6

SHA1
100476fd19733602ca796fdc4c67e4740b8370cb

SHA256
1838b78e0c3bae8b26ee31ebcdf19b488d7ac041eeed8ace3e8e3cc653d77465

SHA512
5460f52bf7f58a1a37a79054a2370e8260b3a9b10b844e77c3b5eb016b4423e6f16abfce7b03612d3ea09114d1f90c461c442d59d4a293dde869bc90fba02585

Download Submit
memory/4596-0-0x00007FFC6E593000-0x00007FFC6E595000-memory.dmp

Filesize
8KB

Download
memory/4596-10-0x00007FFC6E590000-0x00007FFC6F051000-memory.dmp

Filesize
10.8MB

Download
memory/4596-4-0x000000001BB70000-0x000000001BC22000-memory.dmp

Filesize
712KB

Download
memory/4596-3-0x000000001BA60000-0x000000001BAB0000-memory.dmp

Filesize
320KB

Download
memory/4596-2-0x00007FFC6E590000-0x00007FFC6F051000-memory.dmp

Filesize
10.8MB

Download
memory/4596-1-0x0000000000370000-0x0000000000694000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads