quasar | 26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
Size

286KB
MD5

b988c49b9654ec30906a781cac1ebaaf
SHA1

85f7f7274e6a134870f309c2b3d06b71807e7626
SHA256

26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf
SHA512

c4454fe6dff339982370a842133db79dba3fb641688d43a47ce4bdfb158a15eff3cad37c34ec4d881ca01e408af43e00f6f36c254f1bc7d93321b9d5f9028ad5
SSDEEP

6144:EhVZx2zU1Ypil1TQxqhzu4nkhdVwbjJ1ybkCrrpo:+xT1tY4Idc1ybkCho

Score

10^/10

quasar fakecreal discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

FakeCreal

espinyskibidi-40205.portmap.host:40205

Mutex

CdrjrrWbtRopP1ic7E

Attributes

encryption_key
HXEHSwyN1GHqlZUqunrd
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Client
subdirectory
Microsoft

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
	2	ip-api.com	Process not Found
	11	ip-api.com	Process not Found
	15	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 17 IoCs

resource	yara_rule
behavioral1/memory/1940-1-0x0000000000280000-0x00000000002CE000-memory.dmp	family_quasar
behavioral1/files/0x00080000000120ff-4.dat	family_quasar
behavioral1/memory/2220-11-0x00000000008D0000-0x000000000091E000-memory.dmp	family_quasar
behavioral1/memory/2600-25-0x00000000003A0000-0x00000000003EE000-memory.dmp	family_quasar
behavioral1/memory/1796-37-0x00000000000A0000-0x00000000000EE000-memory.dmp	family_quasar
behavioral1/memory/2476-49-0x0000000000B20000-0x0000000000B6E000-memory.dmp	family_quasar
behavioral1/memory/1876-61-0x0000000000B20000-0x0000000000B6E000-memory.dmp	family_quasar
behavioral1/memory/1944-73-0x0000000000E80000-0x0000000000ECE000-memory.dmp	family_quasar
behavioral1/memory/2480-85-0x0000000000E80000-0x0000000000ECE000-memory.dmp	family_quasar
behavioral1/memory/1180-97-0x0000000000ED0000-0x0000000000F1E000-memory.dmp	family_quasar
behavioral1/memory/1284-109-0x0000000000ED0000-0x0000000000F1E000-memory.dmp	family_quasar
behavioral1/memory/880-121-0x00000000000C0000-0x000000000010E000-memory.dmp	family_quasar
behavioral1/memory/1540-133-0x0000000000DF0000-0x0000000000E3E000-memory.dmp	family_quasar
behavioral1/memory/1228-145-0x00000000000F0000-0x000000000013E000-memory.dmp	family_quasar
behavioral1/memory/2716-157-0x0000000000E30000-0x0000000000E7E000-memory.dmp	family_quasar
behavioral1/memory/3036-169-0x0000000000150000-0x000000000019E000-memory.dmp	family_quasar
behavioral1/memory/896-181-0x0000000000DB0000-0x0000000000DFE000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2220	Client.exe
2600	Client.exe
1796	Client.exe
2476	Client.exe
1876	Client.exe
1944	Client.exe
2480	Client.exe
1180	Client.exe
1284	Client.exe
880	Client.exe
1540	Client.exe
1228	Client.exe
2716	Client.exe
3036	Client.exe
896	Client.exe

Loads dropped DLL 15 IoCs

pid	Process
1940	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
2704	cmd.exe
1712	cmd.exe
2904	cmd.exe
760	cmd.exe
2384	cmd.exe
2364	cmd.exe
1828	cmd.exe
1728	cmd.exe
2444	cmd.exe
1964	cmd.exe
2348	cmd.exe
2088	cmd.exe
2928	cmd.exe
2132	cmd.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
11	ip-api.com
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2472	PING.EXE
2344	PING.EXE
2380	PING.EXE
568	PING.EXE
808	PING.EXE
756	PING.EXE
1292	PING.EXE
2424	PING.EXE
628	PING.EXE
2764	PING.EXE
1868	PING.EXE
1644	PING.EXE
2596	PING.EXE
3040	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
1868	PING.EXE
2472	PING.EXE
1644	PING.EXE
2344	PING.EXE
2424	PING.EXE
2380	PING.EXE
808	PING.EXE
2764	PING.EXE
756	PING.EXE
1292	PING.EXE
3040	PING.EXE
2596	PING.EXE
568	PING.EXE
628	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2652	schtasks.exe
2808	schtasks.exe
1472	schtasks.exe
3020	schtasks.exe
548	schtasks.exe
1316	schtasks.exe
2160	schtasks.exe
2852	schtasks.exe
700	schtasks.exe
1596	schtasks.exe
1588	schtasks.exe
1140	schtasks.exe
2204	schtasks.exe
1552	schtasks.exe
2076	schtasks.exe
2720	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
Token: SeDebugPrivilege	2220	Client.exe
Token: SeDebugPrivilege	2600	Client.exe
Token: SeDebugPrivilege	1796	Client.exe
Token: SeDebugPrivilege	2476	Client.exe
Token: SeDebugPrivilege	1876	Client.exe
Token: SeDebugPrivilege	1944	Client.exe
Token: SeDebugPrivilege	2480	Client.exe
Token: SeDebugPrivilege	1180	Client.exe
Token: SeDebugPrivilege	1284	Client.exe
Token: SeDebugPrivilege	880	Client.exe
Token: SeDebugPrivilege	1540	Client.exe
Token: SeDebugPrivilege	1228	Client.exe
Token: SeDebugPrivilege	2716	Client.exe
Token: SeDebugPrivilege	3036	Client.exe
Token: SeDebugPrivilege	896	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2076	1940	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	31
PID 1940 wrote to memory of 2076	1940	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	31
PID 1940 wrote to memory of 2076	1940	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	31
PID 1940 wrote to memory of 2076	1940	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	31
PID 1940 wrote to memory of 2220	1940	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	33
PID 1940 wrote to memory of 2220	1940	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	33
PID 1940 wrote to memory of 2220	1940	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	33
PID 1940 wrote to memory of 2220	1940	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	33
PID 2220 wrote to memory of 2808	2220	Client.exe	34
PID 2220 wrote to memory of 2808	2220	Client.exe	34
PID 2220 wrote to memory of 2808	2220	Client.exe	34
PID 2220 wrote to memory of 2808	2220	Client.exe	34
PID 2220 wrote to memory of 2704	2220	Client.exe	36
PID 2220 wrote to memory of 2704	2220	Client.exe	36
PID 2220 wrote to memory of 2704	2220	Client.exe	36
PID 2220 wrote to memory of 2704	2220	Client.exe	36
PID 2704 wrote to memory of 2872	2704	cmd.exe	38
PID 2704 wrote to memory of 2872	2704	cmd.exe	38
PID 2704 wrote to memory of 2872	2704	cmd.exe	38
PID 2704 wrote to memory of 2872	2704	cmd.exe	38
PID 2704 wrote to memory of 2764	2704	cmd.exe	39
PID 2704 wrote to memory of 2764	2704	cmd.exe	39
PID 2704 wrote to memory of 2764	2704	cmd.exe	39
PID 2704 wrote to memory of 2764	2704	cmd.exe	39
PID 2704 wrote to memory of 2600	2704	cmd.exe	41
PID 2704 wrote to memory of 2600	2704	cmd.exe	41
PID 2704 wrote to memory of 2600	2704	cmd.exe	41
PID 2704 wrote to memory of 2600	2704	cmd.exe	41
PID 2600 wrote to memory of 1472	2600	Client.exe	42
PID 2600 wrote to memory of 1472	2600	Client.exe	42
PID 2600 wrote to memory of 1472	2600	Client.exe	42
PID 2600 wrote to memory of 1472	2600	Client.exe	42
PID 2600 wrote to memory of 1712	2600	Client.exe	44
PID 2600 wrote to memory of 1712	2600	Client.exe	44
PID 2600 wrote to memory of 1712	2600	Client.exe	44
PID 2600 wrote to memory of 1712	2600	Client.exe	44
PID 1712 wrote to memory of 628	1712	cmd.exe	46
PID 1712 wrote to memory of 628	1712	cmd.exe	46
PID 1712 wrote to memory of 628	1712	cmd.exe	46
PID 1712 wrote to memory of 628	1712	cmd.exe	46
PID 1712 wrote to memory of 1868	1712	cmd.exe	47
PID 1712 wrote to memory of 1868	1712	cmd.exe	47
PID 1712 wrote to memory of 1868	1712	cmd.exe	47
PID 1712 wrote to memory of 1868	1712	cmd.exe	47
PID 1712 wrote to memory of 1796	1712	cmd.exe	48
PID 1712 wrote to memory of 1796	1712	cmd.exe	48
PID 1712 wrote to memory of 1796	1712	cmd.exe	48
PID 1712 wrote to memory of 1796	1712	cmd.exe	48
PID 1796 wrote to memory of 1596	1796	Client.exe	49
PID 1796 wrote to memory of 1596	1796	Client.exe	49
PID 1796 wrote to memory of 1596	1796	Client.exe	49
PID 1796 wrote to memory of 1596	1796	Client.exe	49
PID 1796 wrote to memory of 2904	1796	Client.exe	51
PID 1796 wrote to memory of 2904	1796	Client.exe	51
PID 1796 wrote to memory of 2904	1796	Client.exe	51
PID 1796 wrote to memory of 2904	1796	Client.exe	51
PID 2904 wrote to memory of 2444	2904	cmd.exe	53
PID 2904 wrote to memory of 2444	2904	cmd.exe	53
PID 2904 wrote to memory of 2444	2904	cmd.exe	53
PID 2904 wrote to memory of 2444	2904	cmd.exe	53
PID 2904 wrote to memory of 2472	2904	cmd.exe	54
PID 2904 wrote to memory of 2472	2904	cmd.exe	54
PID 2904 wrote to memory of 2472	2904	cmd.exe	54
PID 2904 wrote to memory of 2472	2904	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
"C:\Users\Admin\AppData\Local\Temp\26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe"
1⤵
- Quasar RAT
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2076
- C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\CsggOlzEkgai.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2872
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2764
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1472
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nquiC2J95COW.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:628
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1868
      - C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TGMng34hDa8Z.bat" "
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2472
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WufCPbXW9iS5.bat" "
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yjIq8KmRkhS1.bat" "
        11⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MY7k3Js3qtl3.bat" "
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2344
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nvpzdgvU2vdY.bat" "
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2596
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zdzHZZ7YIg6O.bat" "
        17⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DqINHfvgEPS7.bat" "
        19⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bf7HCd1HKal9.bat" "
        21⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YGnDLhATD6hs.bat" "
        23⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hx8mUqCCx3Tn.bat" "
        25⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pfTKdzEwh0Fi.bat" "
        27⤵
        Loads dropped DLL
        
        PID:2928
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aAUenwUZl5LE.bat" "
        29⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CsggOlzEkgai.bat

Filesize
210B

MD5
a90cdef87e6c764bbeb0fdf3a03316a8

SHA1
5b14de1f8233fb0f0395083282889791b1f23095

SHA256
496f5092710a41dbcc2fb681e4a2cf0b99844a3e8ed17d121029d553a346025e

SHA512
05fdaa541f4b221c1f5a9dd8632856ef2557c38e9235a3f803c8531b5edf1b0a6d7d724fb51a78de986203e8e80ffc505af20ada778c9f017483403dda85c907

Download Submit
C:\Users\Admin\AppData\Local\Temp\DqINHfvgEPS7.bat

Filesize
210B

MD5
9e67213af02d2da7afca97574bae5940

SHA1
0c6bf25a082e72d3bd5381c836cbe75d14ea27a0

SHA256
f81ed4c84cfddad312b6b456cee4e8f42e63d985ade5cb330ce21b8df6e3ab95

SHA512
f273363b2897aba82ed19a2c64eb279be39131f8174db4d3f9a53b653fa39f0d1536b8e44d2481b892c753118b92687c173d10f597e4a55f74122668c74ee389

Download Submit
C:\Users\Admin\AppData\Local\Temp\MY7k3Js3qtl3.bat

Filesize
210B

MD5
e91f11c7f41fc5d78b1aa296e9f6465c

SHA1
549f78a810586bb3b98bb718ec6c15c849b94e0f

SHA256
84462e171ce98d910ce100c7a2d8c197cfff3294f6aae7814e75f845a526c961

SHA512
eb62cd09fd7a0562a49d1d994181ccac415cf5e098f11d2ac1750e4793315d40c58f3a35636906fccb75dc5e81b5f5fa6a3884d89b7c90f5ffd7f8deb9da5d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGMng34hDa8Z.bat

Filesize
210B

MD5
06765ae01e1c6d53784a52789cc82869

SHA1
c915876b4c42725e72641cf90720a4c3869e1c0c

SHA256
46a04da3f533aabc5e2c549335ac8e47731bbfe1b845d5c8f919525c02cc3dab

SHA512
238604de5b83e453cdefd91af4a0bab51c8b83bcc3fdbc2ff873df4f58d1b33c190a57599a92c35d3c580141ac1be63c2ad18a5f13dc34bee34ede035246c94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WufCPbXW9iS5.bat

Filesize
210B

MD5
4097c480c0169b0feee12c6a8acaf5dc

SHA1
808968b3a2a6e8ab50ad0547e62e2b80a20e671b

SHA256
81be0dce5f12d96658a00fa140830b4b86654473ac26f2e461bd96d2c2cdfc48

SHA512
c41cc89f48741a67fc00ae38786a693df2f2ed2a739040450c702f45d0e5d61a2b6ca54c3880b22a439df2e52ef8485d95228fbecd1b6ad967bec5661b61a3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YGnDLhATD6hs.bat

Filesize
210B

MD5
c403b812ca4d2b6a710945c4f8571dd5

SHA1
1c615eb96be6e7a146b48ddc8205679dc0b7b988

SHA256
a24ee3818b4a49dcf7370cda730160434fd406bed602724096b08f660757e1b4

SHA512
e7622b9c29dc12e3c1a4e28896fefd75be4f65d5163e658edf30fc8bcebf51b1eb01432ab050442e74eff5ede9f0464f27c076ab0d0544c9cece788b39f3e94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAUenwUZl5LE.bat

Filesize
210B

MD5
9204f99653f18cdc9de072ae5320d576

SHA1
bb7b90f44d1f08f4ce6b23149b8ebc1970043286

SHA256
82e3ad1048a2e4b2d7250bc9546faf754cabbb6943fcebd8505eea8f8d142184

SHA512
03e089f663e6e4910943ab1c8279a6a0f53732723ab2a83c8d776e72e987504ffdf5d9610d6c3274dbc62b2838abb70e96b6eb8e7f356e6afc7d08d8408fa98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf7HCd1HKal9.bat

Filesize
210B

MD5
a640127c29dad27fd6487881ed0614fe

SHA1
8df0216e327065ad0155f0ab877e9406783bd735

SHA256
14d14a7772539ddded0177f8f4d5b7a656ebfedb70b4e2ab91225d72c9c5908d

SHA512
c8af7c75b303a715d3f3124e8da93eb32e1fd45686c265a05836180dbd009e23f3c61200c51fee3ef72166408c052ae08e7fe9e25ac785f8ba08054edac904ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\hx8mUqCCx3Tn.bat

Filesize
210B

MD5
f6aca8369c5ae3de7edc03ef1a05164e

SHA1
5d9d649627cc3e10bcd19073511003727f837ab9

SHA256
681bc3f97040091371beb82d6f66a024dbece5e688285d7cf05afc654d2bfead

SHA512
1cdbc5f59161fde0028e4daad80f9ae5ca92e9fa1aec9dc16f30c416e948ecbe9ba28c20ebc1efcfa7f734bc9949ce9a95fcb64c06c005d4a5d63997268bb1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\nquiC2J95COW.bat

Filesize
210B

MD5
d5da7eec46c6b9c9643f4cbc66594be0

SHA1
c72bb116fb789c4492b0bdb210d9d7ab9dc5abc8

SHA256
966eeea352d993004330aeab1203bc0704947cc9cd2865d2bfd9d25fa33ec4e9

SHA512
6316d816394e5c41cf9e9bef850b31e79e384fe4de30a219ec90dcb2579d6d7a066a8a35dc0942307c7e6a662b2d38fe5d97e0a183c84cecb3b4d12701d08759

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvpzdgvU2vdY.bat

Filesize
210B

MD5
d2fc5ca7299c6b6a8370f1228b173789

SHA1
59781c0d5e2dcad656c190116d16cd2947f7063a

SHA256
292a60872f1798014fd22d9db51b0b6e82202ddc68fc1052253d7d04beb24e81

SHA512
a5d6fd53eaedaf993eeffd8929b49e5455a0c630ac70c9ecec015da7a89ab1ebd9e3f9728311ab1d4c4b5f47f4cadb3645160d132df795312bb12fd20a05e00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfTKdzEwh0Fi.bat

Filesize
210B

MD5
cb455c017a651b7bd4b36e43cb6a8774

SHA1
5c0142e77c6e594ac61de41e5b1d23b479754b79

SHA256
d3794f32dc357ce4c6b007e62a0258bdfcfd93159445845ebcbf3eddd9882ad4

SHA512
22261049493ce6ed7d225fe7339e26f09202f0bdbf90290956ef97f15140cab924a113b87e3d71ec05c1ab07d2eee6572bdc4e89eaba16a28a338e2c24bb7d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjIq8KmRkhS1.bat

Filesize
210B

MD5
39b7f290d09bf946601aed0319c894fd

SHA1
a5187ccc656d67b277103fae43db7e9cf4856958

SHA256
dde9357be9b1650d88b541ff21978a85d86f6b421ff2e8d75c81bd1d6387484e

SHA512
009e6de76a445ab53e49fa0491940c4c0ab679d4ca920a31990328b80d42360c68d859f4cf3ca053d0f5e3ae6b27884092c6415eca1e0143a7e8852f9b54081f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdzHZZ7YIg6O.bat

Filesize
210B

MD5
65a9602abc805029ee9c789a9e1b94e8

SHA1
99a814e66411ee46fe936e59dc8840f9b4e0740c

SHA256
e3902257215ec99acbcc6fe1a50d90147d32648dc8176b4ecf19a2be71a06b59

SHA512
4682eb18bed7e552595d6a933d08f4038e300a54406876b1877216d322b5a851f4216e981b6a14e8cfe0e2e90d23cf496d277042c008b46e9331ccf3f023e12c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Client.exe

Filesize
286KB

MD5
b988c49b9654ec30906a781cac1ebaaf

SHA1
85f7f7274e6a134870f309c2b3d06b71807e7626

SHA256
26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf

SHA512
c4454fe6dff339982370a842133db79dba3fb641688d43a47ce4bdfb158a15eff3cad37c34ec4d881ca01e408af43e00f6f36c254f1bc7d93321b9d5f9028ad5

Download Submit
memory/880-121-0x00000000000C0000-0x000000000010E000-memory.dmp

Filesize
312KB

Download
memory/896-181-0x0000000000DB0000-0x0000000000DFE000-memory.dmp

Filesize
312KB

Download
memory/1180-97-0x0000000000ED0000-0x0000000000F1E000-memory.dmp

Filesize
312KB

Download
memory/1228-145-0x00000000000F0000-0x000000000013E000-memory.dmp

Filesize
312KB

Download
memory/1284-109-0x0000000000ED0000-0x0000000000F1E000-memory.dmp

Filesize
312KB

Download
memory/1540-133-0x0000000000DF0000-0x0000000000E3E000-memory.dmp

Filesize
312KB

Download
memory/1796-37-0x00000000000A0000-0x00000000000EE000-memory.dmp

Filesize
312KB

Download
memory/1876-61-0x0000000000B20000-0x0000000000B6E000-memory.dmp

Filesize
312KB

Download
memory/1940-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/1940-9-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/1940-2-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/1940-1-0x0000000000280000-0x00000000002CE000-memory.dmp

Filesize
312KB

Download
memory/1944-73-0x0000000000E80000-0x0000000000ECE000-memory.dmp

Filesize
312KB

Download
memory/2220-21-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2220-12-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2220-11-0x00000000008D0000-0x000000000091E000-memory.dmp

Filesize
312KB

Download
memory/2220-10-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2476-49-0x0000000000B20000-0x0000000000B6E000-memory.dmp

Filesize
312KB

Download
memory/2480-85-0x0000000000E80000-0x0000000000ECE000-memory.dmp

Filesize
312KB

Download
memory/2600-25-0x00000000003A0000-0x00000000003EE000-memory.dmp

Filesize
312KB

Download
memory/2716-157-0x0000000000E30000-0x0000000000E7E000-memory.dmp

Filesize
312KB

Download
memory/3036-169-0x0000000000150000-0x000000000019E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads