quasar | 26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
Size

286KB
MD5

b988c49b9654ec30906a781cac1ebaaf
SHA1

85f7f7274e6a134870f309c2b3d06b71807e7626
SHA256

26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf
SHA512

c4454fe6dff339982370a842133db79dba3fb641688d43a47ce4bdfb158a15eff3cad37c34ec4d881ca01e408af43e00f6f36c254f1bc7d93321b9d5f9028ad5
SSDEEP

6144:EhVZx2zU1Ypil1TQxqhzu4nkhdVwbjJ1ybkCrrpo:+xT1tY4Idc1ybkCho

Score

10^/10

quasar fakecreal discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

FakeCreal

espinyskibidi-40205.portmap.host:40205

Mutex

CdrjrrWbtRopP1ic7E

Attributes

encryption_key
HXEHSwyN1GHqlZUqunrd
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Client
subdirectory
Microsoft

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
	8	ip-api.com	Process not Found
	21	ip-api.com	Process not Found
	67	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3184-1-0x0000000000240000-0x000000000028E000-memory.dmp	family_quasar
behavioral2/files/0x000c000000023b8f-10.dat	family_quasar

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 14 IoCs

pid	Process
4652	Client.exe
4056	Client.exe
2624	Client.exe
3528	Client.exe
2976	Client.exe
1164	Client.exe
3084	Client.exe
244	Client.exe
3640	Client.exe
736	Client.exe
4864	Client.exe
4544	Client.exe
1912	Client.exe
1528	Client.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com
21	ip-api.com
67	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4652	PING.EXE
4572	PING.EXE
4856	PING.EXE
2992	PING.EXE
764	PING.EXE
392	PING.EXE
3284	PING.EXE
4556	PING.EXE
1652	PING.EXE
4572	PING.EXE
4588	PING.EXE
5056	PING.EXE
5036	PING.EXE

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

pid	Process
4652	PING.EXE
4856	PING.EXE
1652	PING.EXE
4572	PING.EXE
5056	PING.EXE
3284	PING.EXE
4556	PING.EXE
4588	PING.EXE
4572	PING.EXE
2992	PING.EXE
764	PING.EXE
5036	PING.EXE
392	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2628	schtasks.exe
1592	schtasks.exe
1512	schtasks.exe
908	schtasks.exe
4480	schtasks.exe
2992	schtasks.exe
1368	schtasks.exe
4072	schtasks.exe
3532	schtasks.exe
4848	schtasks.exe
1956	schtasks.exe
1948	schtasks.exe
3428	schtasks.exe
3548	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3184	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
Token: SeDebugPrivilege	4652	Client.exe
Token: SeDebugPrivilege	4056	Client.exe
Token: SeDebugPrivilege	2624	Client.exe
Token: SeDebugPrivilege	3528	Client.exe
Token: SeDebugPrivilege	2976	Client.exe
Token: SeDebugPrivilege	1164	Client.exe
Token: SeDebugPrivilege	3084	Client.exe
Token: SeDebugPrivilege	244	Client.exe
Token: SeDebugPrivilege	3640	Client.exe
Token: SeDebugPrivilege	736	Client.exe
Token: SeDebugPrivilege	4864	Client.exe
Token: SeDebugPrivilege	4544	Client.exe
Token: SeDebugPrivilege	1912	Client.exe
Token: SeDebugPrivilege	1528	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 3548	3184	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	84
PID 3184 wrote to memory of 3548	3184	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	84
PID 3184 wrote to memory of 3548	3184	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	84
PID 3184 wrote to memory of 4652	3184	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	86
PID 3184 wrote to memory of 4652	3184	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	86
PID 3184 wrote to memory of 4652	3184	26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe	86
PID 4652 wrote to memory of 4848	4652	Client.exe	87
PID 4652 wrote to memory of 4848	4652	Client.exe	87
PID 4652 wrote to memory of 4848	4652	Client.exe	87
PID 4652 wrote to memory of 3128	4652	Client.exe	89
PID 4652 wrote to memory of 3128	4652	Client.exe	89
PID 4652 wrote to memory of 3128	4652	Client.exe	89
PID 3128 wrote to memory of 2960	3128	cmd.exe	91
PID 3128 wrote to memory of 2960	3128	cmd.exe	91
PID 3128 wrote to memory of 2960	3128	cmd.exe	91
PID 3128 wrote to memory of 392	3128	cmd.exe	92
PID 3128 wrote to memory of 392	3128	cmd.exe	92
PID 3128 wrote to memory of 392	3128	cmd.exe	92
PID 3128 wrote to memory of 4056	3128	cmd.exe	101
PID 3128 wrote to memory of 4056	3128	cmd.exe	101
PID 3128 wrote to memory of 4056	3128	cmd.exe	101
PID 4056 wrote to memory of 908	4056	Client.exe	103
PID 4056 wrote to memory of 908	4056	Client.exe	103
PID 4056 wrote to memory of 908	4056	Client.exe	103
PID 4056 wrote to memory of 1240	4056	Client.exe	108
PID 4056 wrote to memory of 1240	4056	Client.exe	108
PID 4056 wrote to memory of 1240	4056	Client.exe	108
PID 1240 wrote to memory of 3700	1240	cmd.exe	111
PID 1240 wrote to memory of 3700	1240	cmd.exe	111
PID 1240 wrote to memory of 3700	1240	cmd.exe	111
PID 1240 wrote to memory of 3284	1240	cmd.exe	112
PID 1240 wrote to memory of 3284	1240	cmd.exe	112
PID 1240 wrote to memory of 3284	1240	cmd.exe	112
PID 1240 wrote to memory of 2624	1240	cmd.exe	114
PID 1240 wrote to memory of 2624	1240	cmd.exe	114
PID 1240 wrote to memory of 2624	1240	cmd.exe	114
PID 2624 wrote to memory of 4480	2624	Client.exe	116
PID 2624 wrote to memory of 4480	2624	Client.exe	116
PID 2624 wrote to memory of 4480	2624	Client.exe	116
PID 2624 wrote to memory of 3924	2624	Client.exe	118
PID 2624 wrote to memory of 3924	2624	Client.exe	118
PID 2624 wrote to memory of 3924	2624	Client.exe	118
PID 3924 wrote to memory of 4792	3924	cmd.exe	120
PID 3924 wrote to memory of 4792	3924	cmd.exe	120
PID 3924 wrote to memory of 4792	3924	cmd.exe	120
PID 3924 wrote to memory of 4556	3924	cmd.exe	121
PID 3924 wrote to memory of 4556	3924	cmd.exe	121
PID 3924 wrote to memory of 4556	3924	cmd.exe	121
PID 3924 wrote to memory of 3528	3924	cmd.exe	126
PID 3924 wrote to memory of 3528	3924	cmd.exe	126
PID 3924 wrote to memory of 3528	3924	cmd.exe	126
PID 3528 wrote to memory of 2992	3528	Client.exe	128
PID 3528 wrote to memory of 2992	3528	Client.exe	128
PID 3528 wrote to memory of 2992	3528	Client.exe	128
PID 3528 wrote to memory of 2800	3528	Client.exe	130
PID 3528 wrote to memory of 2800	3528	Client.exe	130
PID 3528 wrote to memory of 2800	3528	Client.exe	130
PID 2800 wrote to memory of 2852	2800	cmd.exe	132
PID 2800 wrote to memory of 2852	2800	cmd.exe	132
PID 2800 wrote to memory of 2852	2800	cmd.exe	132
PID 2800 wrote to memory of 4652	2800	cmd.exe	133
PID 2800 wrote to memory of 4652	2800	cmd.exe	133
PID 2800 wrote to memory of 4652	2800	cmd.exe	133
PID 2800 wrote to memory of 2976	2800	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe
"C:\Users\Admin\AppData\Local\Temp\26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe"
1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3548
- C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5xo8NZstSVh8.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2960
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:392
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4056
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rhTf1FP6ZUqx.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1240
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3700
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3284
      - C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\960INwGXmtCQ.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sHlVNDqum0nl.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x4ybiGFXL8V1.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L4CJV7C7BC7r.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3084
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DJpOhjVjVwrV.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:244
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryc284JhIHr2.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3640
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O2ic8F0WSycB.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:736
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4Bf5LmQZwHVc.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4864
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PA53LsDqGXQZ.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwN3Z35gP8yC.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v4VnzpKQNdAj.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Client.exe.log

Filesize
1KB

MD5
10eab9c2684febb5327b6976f2047587

SHA1
a12ed54146a7f5c4c580416aecb899549712449e

SHA256
f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

SHA512
7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Bf5LmQZwHVc.bat

Filesize
210B

MD5
87fdc92848f10d1259738608ee45daab

SHA1
8cbdef07dde72e4c54f103cee1740e5d872c40e8

SHA256
f9ad6783b98165bcfc2d1905b0ae50d664aff1f8357edae5a685bed87a49e76e

SHA512
c6e571247662cce1df142945f40ac001b8a66c48c09cd72f36d84a6e2d483c59cc8a98e45b047fabd1af7181913be0898fa7945aa84d3e70faa0d7f395b7e23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5xo8NZstSVh8.bat

Filesize
210B

MD5
861ab2cbf2ec16158200507db856b1e3

SHA1
442c1394d3d4352f6c6c573a410f9aa731f07d80

SHA256
1e44b0a1c8e0051a3cc87f5dfbd70dbed1daab1e7905a315e2016353b374a990

SHA512
a7dad5659a76cb0343f4f24ddec70f7d7d5f416b208353a4e657858ae0e7ebc10813f9ea6819e12ca9434eb135a93b9e9cc42fd18e3fcc6c1b06c7425dd8432b

Download Submit
C:\Users\Admin\AppData\Local\Temp\960INwGXmtCQ.bat

Filesize
210B

MD5
3d4879bca579e6efa01c200e29f9d483

SHA1
28eac04314211e19dd6e8f724dd4a3d8862c8e0c

SHA256
6450e5898832100288301f1b60dceb81fe280affefb608cc554205e7c06f49c9

SHA512
e5d8cfe68df14fb960a2c24f0e1d97f7fc538147ec3471729184be51fef56b8e0752e44606655a029aa6d04674bbc3b0860bcba6ed875f10e3f7720d9221ff97

Download Submit
C:\Users\Admin\AppData\Local\Temp\DJpOhjVjVwrV.bat

Filesize
210B

MD5
15fc013aba15a3f4f050feef337766e8

SHA1
3028f46b009c42a5d50e0de795083eea798f4b0d

SHA256
ba9fcf0d548594f81af75b23b1bec35ad949255d8c9318cfc6862e17ad5e8069

SHA512
9d98068a4cc4f5316bfed6288bb455c02645e0362624109ca10a1530258d0605f0ee8924886202acf64d3c0a1cb589697ed3bb04710b4e30c3edfd5d4978ce7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JwN3Z35gP8yC.bat

Filesize
210B

MD5
b2de087da8b8dff1c962db9f697701bf

SHA1
941fcd9d17f15b707bc7e74766cf3098e4185117

SHA256
63bae435d9827db23663e21f8a20e7a2600add022f87116ea264cfea807b91fb

SHA512
d97044673ccdea00c6690faded01a110d5f0a427ec8a13d50a0ff2d75e26b928979d842c17901c4675526ebf91ea313eb763013790f0674251ae5d2fd7a2c3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\L4CJV7C7BC7r.bat

Filesize
210B

MD5
eaf89408493402791fd6cc50efc8bf6a

SHA1
0cb02461bd38d45b261cb6dec66673c6fc36fe83

SHA256
f0e69987378b6705cafaf88944a97573d52910876078a769548633ffe32a7cd3

SHA512
a391f2259344e79ea87f4cdd143994a02253994426295dcfac16ea6d299d0b6c011a0a02e9368a89d1753180b38208e9e036775758fcdca7d8c18948d286b4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\O2ic8F0WSycB.bat

Filesize
210B

MD5
55ba872fabe5071049aaa039bfc7ea55

SHA1
390af40e79dbc545b76e831bb0277d72610ca2ae

SHA256
f8fd196b0060c5af56bdceb48338db52e0da205a9695329d387a8db87dbbf177

SHA512
e622d9d1c2888cfc58aa10c0868b76194d6af4526a0a393812b184503acc15753b8ea9aceaf50fd3cd367b2cd212c45246423bb655c9e2841da880f21bb263da

Download Submit
C:\Users\Admin\AppData\Local\Temp\PA53LsDqGXQZ.bat

Filesize
210B

MD5
d29c2a017f7540e1d0b75f3f1e005cd8

SHA1
b076deb6702e87ae5c34b3d632a83ccbe3fdcb19

SHA256
d3970d7d92acb345b63d79e7e67f3f957c6569ef3ded49a7f3d73ccfed47d23c

SHA512
7b793b377e5a66c83aef74cfc69f8c6ba79c690b3d7b71095fc438eef07c1f0f99ab77824ad3ff7dcb80e16668d21ab75dd572cfd440a0026a3dd1615f0aaa98

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhTf1FP6ZUqx.bat

Filesize
210B

MD5
b6d5a65c7791e61929938259a58011e8

SHA1
8babc329e3cb6364d51db5f698b7debc73c70e99

SHA256
b032cf2efb1f347715e83320e7fce03d7796d1ed22bdb712214d4414bdabf330

SHA512
ff1ca60b716d1a68905b5b6c324d247161011f8b3059a6bcc1be80e43789c7d1c7bbe9ed4ef51ed3c32c319bf1befa517f8e9b03c4d27d635d8dccdcde685437

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryc284JhIHr2.bat

Filesize
210B

MD5
1413614bbfdb2b1c37117b388c27e5bd

SHA1
892e20da96d76415ef8ff12de208cb52aa3a35d4

SHA256
63dbf8edf4ca9963d159a25cf2cecaea38f5f53a1fe34be3a2297d9e9431ad04

SHA512
821efeae60c8db427c651ff916bcf65dba490035eb6f51d8cda6180cb20dbc5d5cf5b763ae3b58db8f06214c66094e76efc6193b563c2a31dd9b52f7415a5da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sHlVNDqum0nl.bat

Filesize
210B

MD5
102741a6edac7a97cc8ece8b62a3e5e7

SHA1
b6c81c2de3544705b82b536dd58212abef7572cc

SHA256
b8aa7a67951f7ac809581b47664ca85fe1632739a3c08c4816cdbc73368ef654

SHA512
a3cc77789e9ef458f94af78e3de3bf35dd5ee43db151226803f418c89cd48e44908eb6a49a19c1606b488b8a061cbabff4ab93263179be4fada0221dd7424120

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4VnzpKQNdAj.bat

Filesize
210B

MD5
819ca73f220c82be64fc5f713f961248

SHA1
60a750ba8961ed2c3234fb03ab6d2137a22396ea

SHA256
9e1eb233d8f816d16509256fb1b77b66cfe520bca72d801f2417ebeb8021067b

SHA512
5adfb5631b922e9e9b0460f662e8c56696c257c2ca927f66edf81e270b74b707cb094a527eeeb09dcceba957de35b2148363fb19db8f6aafb27e5d5c5738a065

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4ybiGFXL8V1.bat

Filesize
210B

MD5
ab1d819e5f8ad6a8123597c649f540fd

SHA1
d6fafe2f462f7337f75967266a36371635d7118f

SHA256
169939b9126291c0479fa2a5a2d7b8feedce239cc6b321bb7a1695d7b9cdc74e

SHA512
3f736f9d13a44200801e54a32ff811e00f89a8e1f87f42f77157dce4e02d472440914539570eea5f673ff7ac1fe650a137352862f146d923cb627142ad26d872

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe

Filesize
286KB

MD5
b988c49b9654ec30906a781cac1ebaaf

SHA1
85f7f7274e6a134870f309c2b3d06b71807e7626

SHA256
26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf

SHA512
c4454fe6dff339982370a842133db79dba3fb641688d43a47ce4bdfb158a15eff3cad37c34ec4d881ca01e408af43e00f6f36c254f1bc7d93321b9d5f9028ad5

Download Submit
memory/3184-4-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/3184-14-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/3184-0-0x0000000074FDE000-0x0000000074FDF000-memory.dmp

Filesize
4KB

Download
memory/3184-7-0x0000000005EF0000-0x0000000005F2C000-memory.dmp

Filesize
240KB

Download
memory/3184-6-0x00000000059B0000-0x00000000059C2000-memory.dmp

Filesize
72KB

Download
memory/3184-5-0x0000000004DD0000-0x0000000004E36000-memory.dmp

Filesize
408KB

Download
memory/3184-3-0x0000000004D30000-0x0000000004DC2000-memory.dmp

Filesize
584KB

Download
memory/3184-2-0x00000000051A0000-0x0000000005744000-memory.dmp

Filesize
5.6MB

Download
memory/3184-1-0x0000000000240000-0x000000000028E000-memory.dmp

Filesize
312KB

Download
memory/4652-13-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/4652-15-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/4652-21-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads