quasar | 26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Creal.exe
Size

286KB
MD5

b988c49b9654ec30906a781cac1ebaaf
SHA1

85f7f7274e6a134870f309c2b3d06b71807e7626
SHA256

26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf
SHA512

c4454fe6dff339982370a842133db79dba3fb641688d43a47ce4bdfb158a15eff3cad37c34ec4d881ca01e408af43e00f6f36c254f1bc7d93321b9d5f9028ad5
SSDEEP

6144:EhVZx2zU1Ypil1TQxqhzu4nkhdVwbjJ1ybkCrrpo:+xT1tY4Idc1ybkCho

Score

10^/10

quasar fakecreal discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

FakeCreal

espinyskibidi-40205.portmap.host:40205

Mutex

CdrjrrWbtRopP1ic7E

Attributes

encryption_key
HXEHSwyN1GHqlZUqunrd
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Client
subdirectory
Microsoft

Signatures

Quasar RAT 5 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

flow	ioc	pid	Process
2	ip-api.com		Process not Found
11	ip-api.com		Process not Found
18	ip-api.com		Process not Found
20	ip-api.com		Process not Found
		2372	schtasks.exe

Quasar family
quasar

Quasar payload 17 IoCs

resource	yara_rule
behavioral1/memory/2472-1-0x00000000009E0000-0x0000000000A2E000-memory.dmp	family_quasar
behavioral1/memory/2124-9-0x00000000003C0000-0x000000000040E000-memory.dmp	family_quasar
behavioral1/files/0x0009000000012117-8.dat	family_quasar
behavioral1/memory/2572-25-0x00000000000F0000-0x000000000013E000-memory.dmp	family_quasar
behavioral1/memory/1968-37-0x0000000000290000-0x00000000002DE000-memory.dmp	family_quasar
behavioral1/memory/1644-49-0x0000000000060000-0x00000000000AE000-memory.dmp	family_quasar
behavioral1/memory/2012-61-0x0000000000D10000-0x0000000000D5E000-memory.dmp	family_quasar
behavioral1/memory/1512-73-0x0000000000D10000-0x0000000000D5E000-memory.dmp	family_quasar
behavioral1/memory/2772-85-0x00000000000E0000-0x000000000012E000-memory.dmp	family_quasar
behavioral1/memory/1392-97-0x00000000009B0000-0x00000000009FE000-memory.dmp	family_quasar
behavioral1/memory/1840-109-0x0000000000E20000-0x0000000000E6E000-memory.dmp	family_quasar
behavioral1/memory/3060-121-0x0000000000E60000-0x0000000000EAE000-memory.dmp	family_quasar
behavioral1/memory/1732-133-0x0000000001330000-0x000000000137E000-memory.dmp	family_quasar
behavioral1/memory/1780-145-0x00000000003F0000-0x000000000043E000-memory.dmp	family_quasar
behavioral1/memory/2880-157-0x0000000000280000-0x00000000002CE000-memory.dmp	family_quasar
behavioral1/memory/924-169-0x00000000013D0000-0x000000000141E000-memory.dmp	family_quasar
behavioral1/memory/1952-181-0x00000000013D0000-0x000000000141E000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2124	Client.exe
2572	Client.exe
1968	Client.exe
1644	Client.exe
2012	Client.exe
1512	Client.exe
2772	Client.exe
1392	Client.exe
1840	Client.exe
3060	Client.exe
1732	Client.exe
1780	Client.exe
2880	Client.exe
924	Client.exe
1952	Client.exe

Loads dropped DLL 15 IoCs

pid	Process
2472	Creal.exe
2568	cmd.exe
2292	cmd.exe
2628	cmd.exe
1084	cmd.exe
584	cmd.exe
2644	cmd.exe
2616	cmd.exe
1964	cmd.exe
2736	cmd.exe
1624	cmd.exe
2068	cmd.exe
1200	cmd.exe
2800	cmd.exe
2368	cmd.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
11	ip-api.com
18	ip-api.com
20	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Creal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1508	PING.EXE
2116	PING.EXE
2300	PING.EXE
2924	PING.EXE
2212	PING.EXE
984	PING.EXE
2224	PING.EXE
2776	PING.EXE
1824	PING.EXE
2620	PING.EXE
2404	PING.EXE
2656	PING.EXE
2088	PING.EXE
2568	PING.EXE
2024	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1824	PING.EXE
2620	PING.EXE
984	PING.EXE
2088	PING.EXE
2024	PING.EXE
2300	PING.EXE
2924	PING.EXE
2568	PING.EXE
2404	PING.EXE
1508	PING.EXE
2656	PING.EXE
2212	PING.EXE
2224	PING.EXE
2776	PING.EXE
2116	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2716	schtasks.exe
2936	schtasks.exe
2288	schtasks.exe
1360	schtasks.exe
1708	schtasks.exe
2576	schtasks.exe
2392	schtasks.exe
2728	schtasks.exe
1564	schtasks.exe
2372	schtasks.exe
2756	schtasks.exe
296	schtasks.exe
2524	schtasks.exe
316	schtasks.exe
1664	schtasks.exe
2652	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	Creal.exe
Token: SeDebugPrivilege	2124	Client.exe
Token: SeDebugPrivilege	2572	Client.exe
Token: SeDebugPrivilege	1968	Client.exe
Token: SeDebugPrivilege	1644	Client.exe
Token: SeDebugPrivilege	2012	Client.exe
Token: SeDebugPrivilege	1512	Client.exe
Token: SeDebugPrivilege	2772	Client.exe
Token: SeDebugPrivilege	1392	Client.exe
Token: SeDebugPrivilege	1840	Client.exe
Token: SeDebugPrivilege	3060	Client.exe
Token: SeDebugPrivilege	1732	Client.exe
Token: SeDebugPrivilege	1780	Client.exe
Token: SeDebugPrivilege	2880	Client.exe
Token: SeDebugPrivilege	924	Client.exe
Token: SeDebugPrivilege	1952	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2372	2472	Creal.exe	31
PID 2472 wrote to memory of 2372	2472	Creal.exe	31
PID 2472 wrote to memory of 2372	2472	Creal.exe	31
PID 2472 wrote to memory of 2372	2472	Creal.exe	31
PID 2472 wrote to memory of 2124	2472	Creal.exe	33
PID 2472 wrote to memory of 2124	2472	Creal.exe	33
PID 2472 wrote to memory of 2124	2472	Creal.exe	33
PID 2472 wrote to memory of 2124	2472	Creal.exe	33
PID 2124 wrote to memory of 2756	2124	Client.exe	34
PID 2124 wrote to memory of 2756	2124	Client.exe	34
PID 2124 wrote to memory of 2756	2124	Client.exe	34
PID 2124 wrote to memory of 2756	2124	Client.exe	34
PID 2124 wrote to memory of 2568	2124	Client.exe	82
PID 2124 wrote to memory of 2568	2124	Client.exe	82
PID 2124 wrote to memory of 2568	2124	Client.exe	82
PID 2124 wrote to memory of 2568	2124	Client.exe	82
PID 2568 wrote to memory of 2720	2568	cmd.exe	38
PID 2568 wrote to memory of 2720	2568	cmd.exe	38
PID 2568 wrote to memory of 2720	2568	cmd.exe	38
PID 2568 wrote to memory of 2720	2568	cmd.exe	38
PID 2568 wrote to memory of 2212	2568	cmd.exe	39
PID 2568 wrote to memory of 2212	2568	cmd.exe	39
PID 2568 wrote to memory of 2212	2568	cmd.exe	39
PID 2568 wrote to memory of 2212	2568	cmd.exe	39
PID 2568 wrote to memory of 2572	2568	cmd.exe	41
PID 2568 wrote to memory of 2572	2568	cmd.exe	41
PID 2568 wrote to memory of 2572	2568	cmd.exe	41
PID 2568 wrote to memory of 2572	2568	cmd.exe	41
PID 2572 wrote to memory of 2728	2572	Client.exe	42
PID 2572 wrote to memory of 2728	2572	Client.exe	42
PID 2572 wrote to memory of 2728	2572	Client.exe	42
PID 2572 wrote to memory of 2728	2572	Client.exe	42
PID 2572 wrote to memory of 2292	2572	Client.exe	44
PID 2572 wrote to memory of 2292	2572	Client.exe	44
PID 2572 wrote to memory of 2292	2572	Client.exe	44
PID 2572 wrote to memory of 2292	2572	Client.exe	44
PID 2292 wrote to memory of 1528	2292	cmd.exe	46
PID 2292 wrote to memory of 1528	2292	cmd.exe	46
PID 2292 wrote to memory of 1528	2292	cmd.exe	46
PID 2292 wrote to memory of 1528	2292	cmd.exe	46
PID 2292 wrote to memory of 1824	2292	cmd.exe	47
PID 2292 wrote to memory of 1824	2292	cmd.exe	47
PID 2292 wrote to memory of 1824	2292	cmd.exe	47
PID 2292 wrote to memory of 1824	2292	cmd.exe	47
PID 2292 wrote to memory of 1968	2292	cmd.exe	48
PID 2292 wrote to memory of 1968	2292	cmd.exe	48
PID 2292 wrote to memory of 1968	2292	cmd.exe	48
PID 2292 wrote to memory of 1968	2292	cmd.exe	48
PID 1968 wrote to memory of 1664	1968	Client.exe	49
PID 1968 wrote to memory of 1664	1968	Client.exe	49
PID 1968 wrote to memory of 1664	1968	Client.exe	49
PID 1968 wrote to memory of 1664	1968	Client.exe	49
PID 1968 wrote to memory of 2628	1968	Client.exe	51
PID 1968 wrote to memory of 2628	1968	Client.exe	51
PID 1968 wrote to memory of 2628	1968	Client.exe	51
PID 1968 wrote to memory of 2628	1968	Client.exe	51
PID 2628 wrote to memory of 2736	2628	cmd.exe	93
PID 2628 wrote to memory of 2736	2628	cmd.exe	93
PID 2628 wrote to memory of 2736	2628	cmd.exe	93
PID 2628 wrote to memory of 2736	2628	cmd.exe	93
PID 2628 wrote to memory of 2620	2628	cmd.exe	54
PID 2628 wrote to memory of 2620	2628	cmd.exe	54
PID 2628 wrote to memory of 2620	2628	cmd.exe	54
PID 2628 wrote to memory of 2620	2628	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\Creal.exe
"C:\Users\Admin\AppData\Local\Temp\Creal.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Creal.exe" /rl HIGHEST /f
  2⤵
  - Quasar RAT
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2372
- C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\kfWicq3oY0DP.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2720
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2212
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2728
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FVy67JS3gouF.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2292
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1824
      - C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KeQKc3XwIu7g.bat" "
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Hh0ftStbbNCp.bat" "
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cwwFB22MZhxM.bat" "
        11⤵
        Loads dropped DLL
        
        PID:584
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2224
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Jt3EgaK9WvUO.bat" "
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xoMUOPTdxMKX.bat" "
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0Set7xwRtUe3.bat" "
        17⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LhZTOW4DroPb.bat" "
        19⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cvhJsM3eKLSE.bat" "
        21⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1CQcwgLjoTug.bat" "
        23⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1508
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DuausZXn3ENV.bat" "
        25⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Yhb51oT5dczd.bat" "
        27⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        29⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hTg939qanSQ8.bat" "
        29⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2300
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vgzGkFfijAnr.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0Set7xwRtUe3.bat

Filesize
210B

MD5
a1e101dccb9a1cfd369d3812fddf9273

SHA1
7f6b6ed90497048f211c8f839e3d34fc5aa373a9

SHA256
ac4f9012acc1e961664cbd898f7a7a75db5c650dcc17e9c2470ca0eb02e30b91

SHA512
d3c98f2f661fa68f593b4a27292a35b6f992b3b1767e57cf538faa868e531f697781cc4501d70e3ce9862e40ec06aee7892ff9a7b372c1c546b7dbb072ccaf37

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CQcwgLjoTug.bat

Filesize
210B

MD5
ec1ae48a66274fe0ab24967bf3382e71

SHA1
69e6d36eaa53dadbc087132f95a7d68f96217b24

SHA256
595b3d2e47cfa0ccfed1f96a5b709f266c900c7c28221552ca4a91fa6a08eb7a

SHA512
73c8b24f6b02e499e86c58fdcc99238453d8dbaa5fff89473a30afcf3ebf97ec51a87580666f8f6b9d7a339c37d9100eba2d6f18cb6e1055768305d660f40cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DuausZXn3ENV.bat

Filesize
210B

MD5
ada48e2c609f15006465d553b0ebf390

SHA1
cb4386e220d758149fdd6d24a5d4ab41c7675612

SHA256
6f645dc2651444d8ecd89cf5c6cb671b796abeefc2007d88fe461efb79f0beee

SHA512
d9a46ff0532b16592ac778e81b05bd659befd0446bacff5e16957e799dfd5bbd91eecc16699e805101fa50e825a753ef3824177edfcbe2bcc6e5b7ab09cdcba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FVy67JS3gouF.bat

Filesize
210B

MD5
6d59be929b56945df41b61a1661c2a4e

SHA1
f7ce29f89773b7974471a3ca830a0948283207dc

SHA256
63659026884cee9226ef289ea436587056757e25d9244caa03f517a68d89e02c

SHA512
3437a3cd4cf261d571b34e84e094eab9b4c6c900e0b104fb95474e8115d1fa58abe7198be4750ecb8bb7b4cbfc9d8d53ad82c4574cbb8a421759a9a5fd75a1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hh0ftStbbNCp.bat

Filesize
210B

MD5
1609e3f8da7c061b1157e8f7411d48ec

SHA1
c97aca1b5cecade885a1c5921ea2263066c9d4f7

SHA256
31dca7d4f8c84f33f74d97b5d9e331f216fb911211c9d24fa261380b4fa22452

SHA512
078a8ea20beffeb8b819dda6eb5639766a5ad02d3c5bcc7827f76e8c2d43878421f2ea7c44a9b04703445d3b68a3e7b9e4e9d0e08e794b7f03e3216de29c203f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jt3EgaK9WvUO.bat

Filesize
210B

MD5
ef3854676f86ef9588d43501dd065350

SHA1
bff0d662f8d7a95295f653da43a1bd43be6f22c9

SHA256
91f8c693f35c056821ad52ed9efca3fb6e22232a02de6df0e5ff363ff1f2918b

SHA512
79159856f4694933147ad91d5ce9ec172e5d89d8d73ea09f5857c3edcc83499f0d37a480a33c237f08bc3c9ae35e76df995fb7fe2ba9979d8da479b13a034ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeQKc3XwIu7g.bat

Filesize
210B

MD5
4b931d0605e7c26289408f656a494a34

SHA1
5317156384fb01587a9916aec3d0380c96192147

SHA256
a6385a4ee8ab0c27cdbe22d5374f5f8807ddbaa57dc37f60a778e67af3f2c282

SHA512
4ae843fcf3de3902bbba08a944e222f1fe0ab40742dec14e2f5ad851509fc6ea3c5965b2200094fa48f0f9bebbcdddd71e4b621d7ac437d3a9b6e1faddeed0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LhZTOW4DroPb.bat

Filesize
210B

MD5
f27067678b89a0650848b980645bd3ab

SHA1
55eec947ccd707ad365959fb7ff8cab59a219892

SHA256
0913c26bfe912ee56d4e143dc7312f3ea70e1d32b9520bd2ba9e20177c64459b

SHA512
4cd2c78eb09b54af11dabf14ae8bf3587dcc3aaca089f98a58dfb0f7f950602d28e4b11cfd73ed2c197d726cedaa3c83654b27cce4c1d1176211caecba17f8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yhb51oT5dczd.bat

Filesize
210B

MD5
75abd5a438e41aa37ddce4f251a044f6

SHA1
87047e7a23f082c7169a63014ebdb32a4e8e6907

SHA256
ab767b230f22b46e5203d8a048e30ab62b7d3c1703b8501e115be760541fcba4

SHA512
91ff5263bf611463f020dda7641587f20a8e7510ba887f868c6c46890a70b1332e9e6b6a1d29b0306d65259ae743c750f5790d7acbbd1d8a9bb7411535d82471

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvhJsM3eKLSE.bat

Filesize
210B

MD5
ae0660f8a45de766533a12dd4a44183e

SHA1
1c3303ba3374c0b4277251b46943732156426e67

SHA256
0e42be70b96e1369c7ec5f28350668d9a2db33537a3382d6c0df24c07f5b275a

SHA512
36eb468757a566aa8f77221fa25eb02407b73c40ce039a7ff357499bda1b82f5052a63a0c7bbdb457f22b425685f1e2ff9d6c4135cc193094e6205166e068b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwwFB22MZhxM.bat

Filesize
210B

MD5
6039fc4b6706d4b47b42502d4d21989b

SHA1
7f2e9e9cedc9a67ef6996352f20f43ad0928529b

SHA256
592e89102bd6904e854dfd99aaeedfde4be1a61c011b71ef1810e8e1faedb986

SHA512
1962493000b223f45db73e677724cdf89f3390f2df8ea61b017af0b140907303a714fd8090cb7bfd9bb340aba0f5526501b985e034f6d9a13fc643d0b0c0b634

Download Submit
C:\Users\Admin\AppData\Local\Temp\hTg939qanSQ8.bat

Filesize
210B

MD5
fe22cb900b4f0dcdce02f52a6b447fda

SHA1
f9bc31d17f99c6fee070349a06f0fbc7948a7029

SHA256
6e58b4c24e7651746f05f621e452a4cef24c8b43f6e7db5e5025eb08356c3b4f

SHA512
7dd89b0fa3b1b8883231487365470f6065db0cd508b5fcec1e85aa1be14763a4ad3cd458a680503471f1e6dba79a3b2f2029be41949743a0401ef80ed8003bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kfWicq3oY0DP.bat

Filesize
210B

MD5
10f191856689608a9884c25e81159907

SHA1
29132b4ffa590960f90c566baa7d52441b5ad662

SHA256
79a6d3f22e28c1091bcab0e1eefc2a64b743aba98259b0906bfcf1a9b98ab07f

SHA512
4fd332598dbed623a78fadf14913b34d1feaa8887f45c4ebea56c119c866cdeda58cc492a45d544a94440a08775298515e2442bc703816380e3f63dbff7185a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgzGkFfijAnr.bat

Filesize
210B

MD5
3be3091b3f9317589aa0b7226e817c45

SHA1
dc1cd2c5255fdabf371fdd1129b305a8109122cf

SHA256
927a5a6bea020a3b0300c80ded04f8c49c2240eafbb59553cf9cd794357b5037

SHA512
6d87defd9b8f8a684329d7eac7416290ac921acf8358919a833d04054a326fc08f35a061a2fff0dcfaa659f10d6705bb0d0530ed340d18029e40782b2e7fca33

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoMUOPTdxMKX.bat

Filesize
210B

MD5
0b258c6eb799c9fbf35e3b7994d430ec

SHA1
f8cb9deba71a72f5bf877fa8f78335a327326abc

SHA256
51084aa4204635afd5f59a38bbd4326bf31da398ba736689c2a1d6d9bdb5ce41

SHA512
2c56d952dddfc06752294f325485eb23c7516152d118090e6dfbcb987b973dc4491186cdb8f09dbc88393031c2d4a9a53a7326ce32435010d2b592446aa79746

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe

Filesize
286KB

MD5
b988c49b9654ec30906a781cac1ebaaf

SHA1
85f7f7274e6a134870f309c2b3d06b71807e7626

SHA256
26bad763d63a12a6fed9f54fd86ab34d6d4b88250e62d67ad8fc2d433c6dcbcf

SHA512
c4454fe6dff339982370a842133db79dba3fb641688d43a47ce4bdfb158a15eff3cad37c34ec4d881ca01e408af43e00f6f36c254f1bc7d93321b9d5f9028ad5

Download Submit
memory/924-169-0x00000000013D0000-0x000000000141E000-memory.dmp

Filesize
312KB

Download
memory/1392-97-0x00000000009B0000-0x00000000009FE000-memory.dmp

Filesize
312KB

Download
memory/1512-73-0x0000000000D10000-0x0000000000D5E000-memory.dmp

Filesize
312KB

Download
memory/1644-49-0x0000000000060000-0x00000000000AE000-memory.dmp

Filesize
312KB

Download
memory/1732-133-0x0000000001330000-0x000000000137E000-memory.dmp

Filesize
312KB

Download
memory/1780-145-0x00000000003F0000-0x000000000043E000-memory.dmp

Filesize
312KB

Download
memory/1840-109-0x0000000000E20000-0x0000000000E6E000-memory.dmp

Filesize
312KB

Download
memory/1952-181-0x00000000013D0000-0x000000000141E000-memory.dmp

Filesize
312KB

Download
memory/1968-37-0x0000000000290000-0x00000000002DE000-memory.dmp

Filesize
312KB

Download
memory/2012-61-0x0000000000D10000-0x0000000000D5E000-memory.dmp

Filesize
312KB

Download
memory/2124-10-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2124-11-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2124-9-0x00000000003C0000-0x000000000040E000-memory.dmp

Filesize
312KB

Download
memory/2124-22-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2472-12-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2472-2-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2472-1-0x00000000009E0000-0x0000000000A2E000-memory.dmp

Filesize
312KB

Download
memory/2472-0-0x00000000742AE000-0x00000000742AF000-memory.dmp

Filesize
4KB

Download
memory/2572-25-0x00000000000F0000-0x000000000013E000-memory.dmp

Filesize
312KB

Download
memory/2772-85-0x00000000000E0000-0x000000000012E000-memory.dmp

Filesize
312KB

Download
memory/2880-157-0x0000000000280000-0x00000000002CE000-memory.dmp

Filesize
312KB

Download
memory/3060-121-0x0000000000E60000-0x0000000000EAE000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads