quasar | 26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf

Analysis

max time kernel
141s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
Size

286KB
MD5

b988c49b9654ec30906a781cac1ebaaf
SHA1

85f7f7274e6a134870f309c2b3d06b71807e7626
SHA256

26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf
SHA512

c4454fe6dff339982370a842133db79dba3fb641688d43a47ce4bdfb158a15eff3cad37c34ec4d881ca01e408af43e00f6f36c254f1bc7d93321b9d5f9028ad5
SSDEEP

6144:EhVZx2zU1Ypil1TQxqhzu4nkhdVwbjJ1ybkCrrpo:+xT1tY4Idc1ybkCho

Score

10^/10

quasar fakecreal discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

FakeCreal

espinyskibidi-40205.portmap.host:40205

Mutex

CdrjrrWbtRopP1ic7E

Attributes

encryption_key
HXEHSwyN1GHqlZUqunrd
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Client
subdirectory
Microsoft

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
	2	ip-api.com	Process not Found
	11	ip-api.com	Process not Found
	18	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 13 IoCs

resource	yara_rule
behavioral1/memory/2988-1-0x00000000013D0000-0x000000000141E000-memory.dmp	family_quasar
behavioral1/files/0x000f000000012245-4.dat	family_quasar
behavioral1/memory/2632-9-0x0000000000CC0000-0x0000000000D0E000-memory.dmp	family_quasar
behavioral1/memory/2600-25-0x00000000013D0000-0x000000000141E000-memory.dmp	family_quasar
behavioral1/memory/1076-37-0x00000000013D0000-0x000000000141E000-memory.dmp	family_quasar
behavioral1/memory/2072-49-0x0000000000150000-0x000000000019E000-memory.dmp	family_quasar
behavioral1/memory/1280-61-0x0000000000F40000-0x0000000000F8E000-memory.dmp	family_quasar
behavioral1/memory/904-73-0x0000000000F40000-0x0000000000F8E000-memory.dmp	family_quasar
behavioral1/memory/2320-118-0x0000000001310000-0x000000000135E000-memory.dmp	family_quasar
behavioral1/memory/1048-130-0x0000000000140000-0x000000000018E000-memory.dmp	family_quasar
behavioral1/memory/2476-142-0x0000000000EF0000-0x0000000000F3E000-memory.dmp	family_quasar
behavioral1/memory/2628-154-0x0000000000EF0000-0x0000000000F3E000-memory.dmp	family_quasar
behavioral1/memory/2804-166-0x00000000011C0000-0x000000000120E000-memory.dmp	family_quasar

Executes dropped EXE 14 IoCs

pid	Process
2632	Client.exe
2600	Client.exe
1076	Client.exe
2072	Client.exe
1280	Client.exe
904	Client.exe
2780	Client.exe
1892	Client.exe
2016	Client.exe
2320	Client.exe
1048	Client.exe
2476	Client.exe
2628	Client.exe
2804	Client.exe

Loads dropped DLL 14 IoCs

pid	Process
2988	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
2804	cmd.exe
1984	cmd.exe
2832	cmd.exe
628	cmd.exe
2180	cmd.exe
2752	cmd.exe
2828	cmd.exe
2660	cmd.exe
2432	cmd.exe
1636	cmd.exe
2404	cmd.exe
2816	cmd.exe
2092	cmd.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com
18	ip-api.com
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2400	PING.EXE
2552	PING.EXE
2084	PING.EXE
2136	PING.EXE
560	PING.EXE
2472	PING.EXE
2576	PING.EXE
1608	PING.EXE
1484	PING.EXE
2152	PING.EXE
2716	PING.EXE
2584	PING.EXE
1100	PING.EXE
1528	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
1484	PING.EXE
2400	PING.EXE
2584	PING.EXE
1608	PING.EXE
1100	PING.EXE
2152	PING.EXE
2552	PING.EXE
2136	PING.EXE
560	PING.EXE
2472	PING.EXE
2576	PING.EXE
2716	PING.EXE
2084	PING.EXE
1528	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1592	schtasks.exe
1528	schtasks.exe
2076	schtasks.exe
1164	schtasks.exe
1860	schtasks.exe
1644	schtasks.exe
1820	schtasks.exe
1112	schtasks.exe
1044	schtasks.exe
2632	schtasks.exe
1856	schtasks.exe
2772	schtasks.exe
2192	schtasks.exe
2172	schtasks.exe
1912	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
Token: SeDebugPrivilege	2632	Client.exe
Token: SeDebugPrivilege	2600	Client.exe
Token: SeDebugPrivilege	1076	Client.exe
Token: SeDebugPrivilege	2072	Client.exe
Token: SeDebugPrivilege	1280	Client.exe
Token: SeDebugPrivilege	904	Client.exe
Token: SeDebugPrivilege	2780	Client.exe
Token: SeDebugPrivilege	1892	Client.exe
Token: SeDebugPrivilege	2016	Client.exe
Token: SeDebugPrivilege	2320	Client.exe
Token: SeDebugPrivilege	1048	Client.exe
Token: SeDebugPrivilege	2476	Client.exe
Token: SeDebugPrivilege	2628	Client.exe
Token: SeDebugPrivilege	2804	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 1528	2988	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	31
PID 2988 wrote to memory of 1528	2988	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	31
PID 2988 wrote to memory of 1528	2988	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	31
PID 2988 wrote to memory of 1528	2988	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	31
PID 2988 wrote to memory of 2632	2988	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	33
PID 2988 wrote to memory of 2632	2988	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	33
PID 2988 wrote to memory of 2632	2988	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	33
PID 2988 wrote to memory of 2632	2988	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	33
PID 2632 wrote to memory of 2772	2632	Client.exe	34
PID 2632 wrote to memory of 2772	2632	Client.exe	34
PID 2632 wrote to memory of 2772	2632	Client.exe	34
PID 2632 wrote to memory of 2772	2632	Client.exe	34
PID 2632 wrote to memory of 2804	2632	Client.exe	36
PID 2632 wrote to memory of 2804	2632	Client.exe	36
PID 2632 wrote to memory of 2804	2632	Client.exe	36
PID 2632 wrote to memory of 2804	2632	Client.exe	36
PID 2804 wrote to memory of 2728	2804	cmd.exe	38
PID 2804 wrote to memory of 2728	2804	cmd.exe	38
PID 2804 wrote to memory of 2728	2804	cmd.exe	38
PID 2804 wrote to memory of 2728	2804	cmd.exe	38
PID 2804 wrote to memory of 2584	2804	cmd.exe	39
PID 2804 wrote to memory of 2584	2804	cmd.exe	39
PID 2804 wrote to memory of 2584	2804	cmd.exe	39
PID 2804 wrote to memory of 2584	2804	cmd.exe	39
PID 2804 wrote to memory of 2600	2804	cmd.exe	41
PID 2804 wrote to memory of 2600	2804	cmd.exe	41
PID 2804 wrote to memory of 2600	2804	cmd.exe	41
PID 2804 wrote to memory of 2600	2804	cmd.exe	41
PID 2600 wrote to memory of 2076	2600	Client.exe	42
PID 2600 wrote to memory of 2076	2600	Client.exe	42
PID 2600 wrote to memory of 2076	2600	Client.exe	42
PID 2600 wrote to memory of 2076	2600	Client.exe	42
PID 2600 wrote to memory of 1984	2600	Client.exe	44
PID 2600 wrote to memory of 1984	2600	Client.exe	44
PID 2600 wrote to memory of 1984	2600	Client.exe	44
PID 2600 wrote to memory of 1984	2600	Client.exe	44
PID 1984 wrote to memory of 1640	1984	cmd.exe	46
PID 1984 wrote to memory of 1640	1984	cmd.exe	46
PID 1984 wrote to memory of 1640	1984	cmd.exe	46
PID 1984 wrote to memory of 1640	1984	cmd.exe	46
PID 1984 wrote to memory of 2084	1984	cmd.exe	47
PID 1984 wrote to memory of 2084	1984	cmd.exe	47
PID 1984 wrote to memory of 2084	1984	cmd.exe	47
PID 1984 wrote to memory of 2084	1984	cmd.exe	47
PID 1984 wrote to memory of 1076	1984	cmd.exe	48
PID 1984 wrote to memory of 1076	1984	cmd.exe	48
PID 1984 wrote to memory of 1076	1984	cmd.exe	48
PID 1984 wrote to memory of 1076	1984	cmd.exe	48
PID 1076 wrote to memory of 1164	1076	Client.exe	49
PID 1076 wrote to memory of 1164	1076	Client.exe	49
PID 1076 wrote to memory of 1164	1076	Client.exe	49
PID 1076 wrote to memory of 1164	1076	Client.exe	49
PID 1076 wrote to memory of 2832	1076	Client.exe	51
PID 1076 wrote to memory of 2832	1076	Client.exe	51
PID 1076 wrote to memory of 2832	1076	Client.exe	51
PID 1076 wrote to memory of 2832	1076	Client.exe	51
PID 2832 wrote to memory of 2120	2832	cmd.exe	53
PID 2832 wrote to memory of 2120	2832	cmd.exe	53
PID 2832 wrote to memory of 2120	2832	cmd.exe	53
PID 2832 wrote to memory of 2120	2832	cmd.exe	53
PID 2832 wrote to memory of 2136	2832	cmd.exe	54
PID 2832 wrote to memory of 2136	2832	cmd.exe	54
PID 2832 wrote to memory of 2136	2832	cmd.exe	54
PID 2832 wrote to memory of 2136	2832	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
"C:\Users\Admin\AppData\Local\Temp\26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe"
1⤵
- Quasar RAT
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1528
- C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\1VVVDkLWJwa1.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2728
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2584
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2076
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SK89wTaRuwax.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2084
      - C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Pvo55WjdoSWf.bat" "
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8uAUDwR13hoC.bat" "
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\21gbbny8GGr0.bat" "
        11⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WLT45iq8YDkq.bat" "
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2472
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xiBIf6tZlFcM.bat" "
        15⤵
        Loads dropped DLL
        
        PID:2828
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xLfybtC5BaFz.bat" "
        17⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\620Wk2EouW1u.bat" "
        19⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2400
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nWD77FK8ToPW.bat" "
        21⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\j8s3GJTJNKLF.bat" "
        23⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:908
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GTTFXyVdB5wz.bat" "
        25⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\g8h2IIJEyQx0.bat" "
        27⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        29⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gkBiE5cjOlac.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1VVVDkLWJwa1.bat

Filesize
210B

MD5
495fa7c4ae685e99974cb52cd559c923

SHA1
98b4137f604b45f5152b444e4262602e7f66256f

SHA256
652ca75e24beb9270d2bcc9add29de4df65e39a978a499f6ca20f82accb4604e

SHA512
d12eddd13d59548512a47ab43834b00a5c3eae696da3e148c40129888042c0db2030a3214b514f8a894ac389d73679a67d827cefb485459a60b9ad10a7d524f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\21gbbny8GGr0.bat

Filesize
210B

MD5
73db3c4798ef9c6d68dc5fd214bb4218

SHA1
08e32dbe54f922df30d94dc758cd5e60c4d615a7

SHA256
555a257f07caa21fa266e13a5015ce66a476ca73b789d6aae344021c2e514dba

SHA512
5161b1dd0d2fe334d598f980e80206b47d4958a58c42c91c1e08289240d3f8a2c4f734f8a588236ed3aceaa82384d800b71bb5b04f43f3441b6109fd15ca1568

Download Submit
C:\Users\Admin\AppData\Local\Temp\620Wk2EouW1u.bat

Filesize
210B

MD5
635ce9233fd08baf92598d74e1aa48e5

SHA1
d0e7b809cf8db2c2fcaf690458153633e113fe3b

SHA256
3b57bf0eb303df555aa39b31dcdac38aa4512d8a127e75640e95194214a37f05

SHA512
76ad53e9599f44262948a273149fe06547996aefde034b6489e6027c2bbc43856421ead8ffd024ce4a20f4b03f40dedb56597060db614f67341ff067169d0838

Download Submit
C:\Users\Admin\AppData\Local\Temp\8uAUDwR13hoC.bat

Filesize
210B

MD5
3be2f9b0be5549b14222d0daf9af1f46

SHA1
f8297b9bf45fc36c8ea8c7d6aad4432c0ddc3e7e

SHA256
c677c4ac713a9753ae0456e6fbeab6573623d344c21ba6ee1d887babae33abca

SHA512
49082b1fc2916293366289a77f1f9468538ad4c677019334c06faac5cf68c49612a809ea19ba1068bfe02d322c11ab0d8f4b0bd84e0b9c867e3eb8c699070661

Download Submit
C:\Users\Admin\AppData\Local\Temp\GTTFXyVdB5wz.bat

Filesize
210B

MD5
cc7a0521fa9900120308ffa979e24e3f

SHA1
56bf68fe8e944ae6eb4aa8c1b96a15425e734c55

SHA256
d0231546b1713fa49f6df89ff03e38d85013bda6350bda78c7ee5a1b9f350b8f

SHA512
9a46194455953f4c90f0ebafb050dda17081941c53227a12841c7c468222abe73cc5a5227d72f56a134d34f5bd744656ae2880d113833b997d137759d0fb55a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pvo55WjdoSWf.bat

Filesize
210B

MD5
0a8a580aff048976f5fa4bca3255824c

SHA1
9f3bf90f2cd1651efb465f22da2705486d5b390e

SHA256
3a652a28933a0481490bb1ba2a88ef3c6b23ff3853789aff1aa1769e03ae484c

SHA512
06ef05fc10a316f62caa6c660eccff4044de8c98d5f109af47532ac0ac3cfcaecdc8af7f269f8ef9c30c3e8ab3f60eb44e3c16137e5b525d80485e3e53547ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SK89wTaRuwax.bat

Filesize
210B

MD5
dcbcf2c96db70bdac9992774f30d5bf4

SHA1
27ba85f99d98d6e44d619f36398d2490971aa4b5

SHA256
073b25e7f49438ffb816caa221a5e8ba3541e4dd8ea9ef0e07fdc971ec88a8a2

SHA512
9d0cce22307610efebb0a7d00c55d8b604f75d74c3fe966f29dd5621878e43f6955fcfb0db56dfcd2e9d595fb2af775630f959b08724b00129aac753646fd7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WLT45iq8YDkq.bat

Filesize
210B

MD5
32e4eaff4878c68ae8b244b0533db424

SHA1
d27ae2fefcdcbc8e00405fa56173b30705ef91d3

SHA256
2ae5b49430df2c121a04d38b09e6726c0b5fab6a517631b9ff38c72b21a8cfd0

SHA512
155f72ed510974922fc903e41023b920e4f42e5ae981020bd9bc853ef4bb9848eebf783e3e6f5aaef16b4e5ecca4fe96f5bf56e034532ed7817bfc7a7ee9a552

Download Submit
C:\Users\Admin\AppData\Local\Temp\g8h2IIJEyQx0.bat

Filesize
210B

MD5
64892252c49a2073a7f34789b0296ae7

SHA1
ae83ab494c710573d85e41a3d11442a38b5d972f

SHA256
905639d4ee3913d156f747cb8c9ae7d0f39a980f42faa5b29954df04ed4439f8

SHA512
3e51c8664d7ae87183813daf2832bd4d028c00e5c8cdb1db10ff1d7a12df5265b40977e445053dbb1a4152e7c84ed09c4c3eb097a63eeeb29402e5f2b96a116b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkBiE5cjOlac.bat

Filesize
210B

MD5
d172ba7e4d48f13d8be505594dc64f28

SHA1
9374bca2f0992ffd01f67aaa82917f7781692212

SHA256
d29bd349894b231969b5eb3c4471b6ae824a3c9517ae2cb1a132c2e47294caab

SHA512
f2001a681118e87f88f4efb2a4f7c49f5612ff220fb37b30af26d1df2518b6c894bb71247abac9892e56aca7c868da17b7fd3d7b6e4e756a5ed31248124bdc01

Download Submit
C:\Users\Admin\AppData\Local\Temp\j8s3GJTJNKLF.bat

Filesize
210B

MD5
4edc940b7f0a0e0dd33d411ca39acd6d

SHA1
943ded4b8e5c9ac80ce6eac801bcb54f6c90c748

SHA256
831aa11e9415cf08d7284af6c50db84dea1568faf05431482a8e41837e1b2acc

SHA512
5ac03a8efc14c5ddb5233f94a3e1e3ec98d67d74718b4994cda2e54ea1114f347c7322650feea56719c281b962b24b62f2093fd40fdfc8d384965f976f87e09c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nWD77FK8ToPW.bat

Filesize
210B

MD5
ea66b993f9eb1bb27c59c29fdaf0d6dd

SHA1
15eee4e9a399620ad83aad34fc5b485102e59c56

SHA256
d69ceaf6b0356dead3a5067047afec8f1d9357092688ad76d8729a65e588177f

SHA512
9c8ec111b10b52cb9b17ebfc1a25cf18b7ff63c484d162cefc93bc35dc71cb452977f05912580f8c86bd59bcfc6585a23c76367230dfe69149e8893eb848c9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xLfybtC5BaFz.bat

Filesize
210B

MD5
f0ef65a086ebeffdd2223ad61fa73165

SHA1
41290e7aef51ed9114f1571bda8b77df0a6d0005

SHA256
824c118e18df3720b077266af1dcf031961d26fe103bc76277e3f5937575f12c

SHA512
52014eb860b321801ecd0c3c8e9d2c02f12cf0658f19be079de1ee0d87d6b68b1c5404055d7ce11d4d54c242a2af070a5ac5ad1a74c230bff5835c6027f5c5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xiBIf6tZlFcM.bat

Filesize
210B

MD5
2c0eebac29db61ee2679c68e3bdb5e5f

SHA1
d9bffde8890e97099cf7e2b6e2fd5505a56cce87

SHA256
0b71f635e1d03ac93f87c6274ae1603b1fa05e82ef4f72457e3d2f875f3cad2a

SHA512
a659cb1076caacc494b4c4f92a4f173a01e089c6f1a2f384015b22830fe284c700159b0157ca67267310e582e5565659b50f2f78cf5518231b606d14f7bcad4c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Client.exe

Filesize
286KB

MD5
b988c49b9654ec30906a781cac1ebaaf

SHA1
85f7f7274e6a134870f309c2b3d06b71807e7626

SHA256
26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf

SHA512
c4454fe6dff339982370a842133db79dba3fb641688d43a47ce4bdfb158a15eff3cad37c34ec4d881ca01e408af43e00f6f36c254f1bc7d93321b9d5f9028ad5

Download Submit
memory/904-73-0x0000000000F40000-0x0000000000F8E000-memory.dmp

Filesize
312KB

Download
memory/1048-130-0x0000000000140000-0x000000000018E000-memory.dmp

Filesize
312KB

Download
memory/1076-37-0x00000000013D0000-0x000000000141E000-memory.dmp

Filesize
312KB

Download
memory/1280-61-0x0000000000F40000-0x0000000000F8E000-memory.dmp

Filesize
312KB

Download
memory/2072-49-0x0000000000150000-0x000000000019E000-memory.dmp

Filesize
312KB

Download
memory/2320-118-0x0000000001310000-0x000000000135E000-memory.dmp

Filesize
312KB

Download
memory/2476-142-0x0000000000EF0000-0x0000000000F3E000-memory.dmp

Filesize
312KB

Download
memory/2600-25-0x00000000013D0000-0x000000000141E000-memory.dmp

Filesize
312KB

Download
memory/2628-154-0x0000000000EF0000-0x0000000000F3E000-memory.dmp

Filesize
312KB

Download
memory/2632-9-0x0000000000CC0000-0x0000000000D0E000-memory.dmp

Filesize
312KB

Download
memory/2632-10-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-11-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-21-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-166-0x00000000011C0000-0x000000000120E000-memory.dmp

Filesize
312KB

Download
memory/2988-0-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

Filesize
4KB

Download
memory/2988-12-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2988-2-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2988-1-0x00000000013D0000-0x000000000141E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads