quasar | 12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe
Size

348KB
MD5

222eb2520861357489b7a11a99656e3f
SHA1

fb21802a64e6bbc3a9746e5ee5e4f92c2dc8bfcf
SHA256

12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73
SHA512

991d90dda45c324e4b15a3cf3d0f5209d2f71c4d3145169215737c448d8ce0da494f32a2187e5bddb4eac488a48e18b061ff7bd42d1a28458e472359af798ecb
SSDEEP

6144:+V6bPXhLApfpUw4qCgafQbX30nlIHh/m7vHdjz7iO:umhAp6lqKfq0GheLHd/iO

Score

10^/10

quasar forceop discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

ForceOP

jordiek1d.ddns.net:4782

Mutex

QSR_MUTEX_Y1VQAwHslXRVvQkGHj

Attributes

encryption_key
3xJFlGvSDHRDtYnPg0qe
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsDrivers
subdirectory
SubDir

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	11	ip-api.com	Process not Found
	18	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe
	2	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 17 IoCs

resource	yara_rule
behavioral1/memory/2980-1-0x0000000000A20000-0x0000000000A7E000-memory.dmp	family_quasar
behavioral1/files/0x0027000000015d6d-4.dat	family_quasar
behavioral1/memory/2204-9-0x00000000008B0000-0x000000000090E000-memory.dmp	family_quasar
behavioral1/memory/1832-31-0x0000000000A40000-0x0000000000A9E000-memory.dmp	family_quasar
behavioral1/memory/1072-50-0x0000000000060000-0x00000000000BE000-memory.dmp	family_quasar
behavioral1/memory/2300-69-0x00000000008A0000-0x00000000008FE000-memory.dmp	family_quasar
behavioral1/memory/864-88-0x0000000000A80000-0x0000000000ADE000-memory.dmp	family_quasar
behavioral1/memory/1240-107-0x0000000001140000-0x000000000119E000-memory.dmp	family_quasar
behavioral1/memory/2704-126-0x0000000001140000-0x000000000119E000-memory.dmp	family_quasar
behavioral1/memory/2012-144-0x0000000000350000-0x00000000003AE000-memory.dmp	family_quasar
behavioral1/memory/2328-154-0x00000000013D0000-0x000000000142E000-memory.dmp	family_quasar
behavioral1/memory/856-164-0x0000000000260000-0x00000000002BE000-memory.dmp	family_quasar
behavioral1/memory/2232-174-0x00000000009D0000-0x0000000000A2E000-memory.dmp	family_quasar
behavioral1/memory/476-184-0x0000000000DE0000-0x0000000000E3E000-memory.dmp	family_quasar
behavioral1/memory/2972-194-0x0000000001210000-0x000000000126E000-memory.dmp	family_quasar
behavioral1/memory/952-204-0x0000000001210000-0x000000000126E000-memory.dmp	family_quasar
behavioral1/memory/1692-214-0x00000000000A0000-0x00000000000FE000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2204	Client.exe
1832	Client.exe
1072	Client.exe
2300	Client.exe
864	Client.exe
1240	Client.exe
2704	Client.exe
2012	Client.exe
2328	Client.exe
856	Client.exe
2232	Client.exe
476	Client.exe
2972	Client.exe
952	Client.exe
1692	Client.exe

Loads dropped DLL 64 IoCs

pid	Process
2980	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2656	cmd.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1904	cmd.exe
740	WerFault.exe
740	WerFault.exe
740	WerFault.exe
740	WerFault.exe
740	WerFault.exe
1660	cmd.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
2088	cmd.exe
2736	WerFault.exe
2736	WerFault.exe
2736	WerFault.exe
2736	WerFault.exe
2736	WerFault.exe
2168	cmd.exe
2428	WerFault.exe
2428	WerFault.exe
2428	WerFault.exe
2428	WerFault.exe
2428	WerFault.exe
476	cmd.exe
564	WerFault.exe
564	WerFault.exe
564	WerFault.exe
564	WerFault.exe
564	WerFault.exe
2284	cmd.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2568	cmd.exe
688	WerFault.exe
688	WerFault.exe
688	WerFault.exe
688	WerFault.exe
688	WerFault.exe
1776	cmd.exe
1592	WerFault.exe
1592	WerFault.exe
1592	WerFault.exe
1592	WerFault.exe
1592	WerFault.exe
2416	cmd.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
11	ip-api.com
18	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
2232	2204	WerFault.exe	33
1476	1832	WerFault.exe	41
740	1072	WerFault.exe	50
2688	2300	WerFault.exe	58
2736	864	WerFault.exe	66
2428	1240	WerFault.exe	74
564	2704	WerFault.exe	82
2000	2012	WerFault.exe	90
688	2328	WerFault.exe	98
1592	856	WerFault.exe	106
888	2232	WerFault.exe	114
2400	476	WerFault.exe	122
2216	2972	WerFault.exe	130
916	952	WerFault.exe	138
1856	1692	WerFault.exe	146

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2604	PING.EXE
2120	PING.EXE
620	PING.EXE
584	PING.EXE
976	PING.EXE
2152	PING.EXE
1732	PING.EXE
2068	PING.EXE
1240	PING.EXE
1684	PING.EXE
2592	PING.EXE
820	PING.EXE
2112	PING.EXE
2628	PING.EXE
1472	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2152	PING.EXE
820	PING.EXE
1684	PING.EXE
1240	PING.EXE
2628	PING.EXE
2592	PING.EXE
2604	PING.EXE
1732	PING.EXE
976	PING.EXE
2068	PING.EXE
2120	PING.EXE
584	PING.EXE
620	PING.EXE
1472	PING.EXE
2112	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1872	schtasks.exe
2852	schtasks.exe
2432	schtasks.exe
860	schtasks.exe
2320	schtasks.exe
1816	schtasks.exe
688	schtasks.exe
2772	schtasks.exe
2796	schtasks.exe
2196	schtasks.exe
2996	schtasks.exe
1580	schtasks.exe
2280	schtasks.exe
1816	schtasks.exe
2848	schtasks.exe
2984	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe
Token: SeDebugPrivilege	2204	Client.exe
Token: SeDebugPrivilege	1832	Client.exe
Token: SeDebugPrivilege	1072	Client.exe
Token: SeDebugPrivilege	2300	Client.exe
Token: SeDebugPrivilege	864	Client.exe
Token: SeDebugPrivilege	1240	Client.exe
Token: SeDebugPrivilege	2704	Client.exe
Token: SeDebugPrivilege	2012	Client.exe
Token: SeDebugPrivilege	2328	Client.exe
Token: SeDebugPrivilege	856	Client.exe
Token: SeDebugPrivilege	2232	Client.exe
Token: SeDebugPrivilege	476	Client.exe
Token: SeDebugPrivilege	2972	Client.exe
Token: SeDebugPrivilege	952	Client.exe
Token: SeDebugPrivilege	1692	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2204	Client.exe
1832	Client.exe
1072	Client.exe
2300	Client.exe
864	Client.exe
1240	Client.exe
2704	Client.exe
2012	Client.exe
2328	Client.exe
856	Client.exe
2232	Client.exe
476	Client.exe
2972	Client.exe
952	Client.exe
1692	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2196	2980	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	31
PID 2980 wrote to memory of 2196	2980	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	31
PID 2980 wrote to memory of 2196	2980	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	31
PID 2980 wrote to memory of 2196	2980	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	31
PID 2980 wrote to memory of 2204	2980	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	33
PID 2980 wrote to memory of 2204	2980	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	33
PID 2980 wrote to memory of 2204	2980	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	33
PID 2980 wrote to memory of 2204	2980	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	33
PID 2204 wrote to memory of 1872	2204	Client.exe	34
PID 2204 wrote to memory of 1872	2204	Client.exe	34
PID 2204 wrote to memory of 1872	2204	Client.exe	34
PID 2204 wrote to memory of 1872	2204	Client.exe	34
PID 2204 wrote to memory of 2656	2204	Client.exe	36
PID 2204 wrote to memory of 2656	2204	Client.exe	36
PID 2204 wrote to memory of 2656	2204	Client.exe	36
PID 2204 wrote to memory of 2656	2204	Client.exe	36
PID 2204 wrote to memory of 2232	2204	Client.exe	38
PID 2204 wrote to memory of 2232	2204	Client.exe	38
PID 2204 wrote to memory of 2232	2204	Client.exe	38
PID 2204 wrote to memory of 2232	2204	Client.exe	38
PID 2656 wrote to memory of 1944	2656	cmd.exe	39
PID 2656 wrote to memory of 1944	2656	cmd.exe	39
PID 2656 wrote to memory of 1944	2656	cmd.exe	39
PID 2656 wrote to memory of 1944	2656	cmd.exe	39
PID 2656 wrote to memory of 2592	2656	cmd.exe	40
PID 2656 wrote to memory of 2592	2656	cmd.exe	40
PID 2656 wrote to memory of 2592	2656	cmd.exe	40
PID 2656 wrote to memory of 2592	2656	cmd.exe	40
PID 2656 wrote to memory of 1832	2656	cmd.exe	41
PID 2656 wrote to memory of 1832	2656	cmd.exe	41
PID 2656 wrote to memory of 1832	2656	cmd.exe	41
PID 2656 wrote to memory of 1832	2656	cmd.exe	41
PID 1832 wrote to memory of 2852	1832	Client.exe	42
PID 1832 wrote to memory of 2852	1832	Client.exe	42
PID 1832 wrote to memory of 2852	1832	Client.exe	42
PID 1832 wrote to memory of 2852	1832	Client.exe	42
PID 1832 wrote to memory of 1904	1832	Client.exe	44
PID 1832 wrote to memory of 1904	1832	Client.exe	44
PID 1832 wrote to memory of 1904	1832	Client.exe	44
PID 1832 wrote to memory of 1904	1832	Client.exe	44
PID 1832 wrote to memory of 1476	1832	Client.exe	46
PID 1832 wrote to memory of 1476	1832	Client.exe	46
PID 1832 wrote to memory of 1476	1832	Client.exe	46
PID 1832 wrote to memory of 1476	1832	Client.exe	46
PID 1904 wrote to memory of 544	1904	cmd.exe	47
PID 1904 wrote to memory of 544	1904	cmd.exe	47
PID 1904 wrote to memory of 544	1904	cmd.exe	47
PID 1904 wrote to memory of 544	1904	cmd.exe	47
PID 1904 wrote to memory of 620	1904	cmd.exe	48
PID 1904 wrote to memory of 620	1904	cmd.exe	48
PID 1904 wrote to memory of 620	1904	cmd.exe	48
PID 1904 wrote to memory of 620	1904	cmd.exe	48
PID 1904 wrote to memory of 1072	1904	cmd.exe	50
PID 1904 wrote to memory of 1072	1904	cmd.exe	50
PID 1904 wrote to memory of 1072	1904	cmd.exe	50
PID 1904 wrote to memory of 1072	1904	cmd.exe	50
PID 1072 wrote to memory of 2280	1072	Client.exe	51
PID 1072 wrote to memory of 2280	1072	Client.exe	51
PID 1072 wrote to memory of 2280	1072	Client.exe	51
PID 1072 wrote to memory of 2280	1072	Client.exe	51
PID 1072 wrote to memory of 1660	1072	Client.exe	53
PID 1072 wrote to memory of 1660	1072	Client.exe	53
PID 1072 wrote to memory of 1660	1072	Client.exe	53
PID 1072 wrote to memory of 1660	1072	Client.exe	53

C:\Users\Admin\AppData\Local\Temp\12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe
"C:\Users\Admin\AppData\Local\Temp\12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe"
1⤵
- Quasar RAT
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2196
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\uyZn20k6Nen1.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2592
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1832
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eTZ7By0kRjtX.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1904
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:544
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:620
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IPsNtm9Ds9jf.bat" "
        7⤵
        Loads dropped DLL
        
        PID:1660
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1472
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2300
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ljfpNh0DA7cV.bat" "
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:976
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:864
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WEf9XfGqFCi1.bat" "
        11⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1240
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XMJdEfBQLUEZ.bat" "
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:476
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2704
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ufyjORfxkieg.bat" "
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qGefYVo8eEaP.bat" "
        17⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:820
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KbR72Qf8wBUF.bat" "
        19⤵
        Loads dropped DLL
        
        PID:1776
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KDvnyDydMV7r.bat" "
        21⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PLN1Sx3XybKJ.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1240
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:476
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zimwWNFAIAcx.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQwESGRDYv5m.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:584
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\R9tGBuoaJUFV.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ds3Y7n0dZEiK.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 1448
        31⤵
        Program crash
        
        PID:1856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 1452
        29⤵
        Program crash
        
        PID:916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 1352
        27⤵
        Program crash
        
        PID:2216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 476 -s 1448
        25⤵
        Program crash
        
        PID:2400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1432
        23⤵
        Loads dropped DLL
        Program crash
        
        PID:888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 1444
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:1592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1440
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1456
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:2000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1432
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 1436
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:2428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 1444
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:2736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 1452
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:2688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1444
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:740
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1428
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1452
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BQwESGRDYv5m.bat

Filesize
207B

MD5
5717772a4579c840dfaabcfc0e3e0aef

SHA1
a9efffe9d9576d2d2f238244ce5d7589b42ccc4a

SHA256
748255aebb95be750d1f5c68f6f7b6394d8aaf8d0edd400f453014d678645af6

SHA512
fb4302a27c4bacb0a3b169e0b8a2b7f4d5a556cdcaef94631492894554e2e434b4db69cbe4acae3d5374df33a8ddd15823d96a29d8ded1aca9535c8d42a29c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IPsNtm9Ds9jf.bat

Filesize
207B

MD5
40de4e4bfacd55c6c14c1cbc9aa17474

SHA1
63283d2336cfb223a910017852c4287829841a92

SHA256
19366bc09dbb6fc05945bf44bb3233bb0ecad382804c914608760d72488cb9c5

SHA512
409b7a78782a448767a06caae43d145de466c815171ad2f4cc54399729ffcc097e75ab5f31b692230d0359c95b8024391abd83e93e5b15b2745eb63f4de94edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KDvnyDydMV7r.bat

Filesize
207B

MD5
f7604132aa54319bdd4f3f9685451f86

SHA1
16646e55ab232278a3ced2bbdebb7eff72689dfc

SHA256
f64f574f1322a6899803fab8c665604be58223f6fb4989c25c68383d9cfa4791

SHA512
dddadde4cf6465a2b38886c06ec81546742e51e51b45d168e449cc0ec87f39c419ef96c7484f2e96e81be0b794b1d7e31f48457aae3aad67f6bd07a098ed9bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\KbR72Qf8wBUF.bat

Filesize
207B

MD5
96ef9207bbc0181474b9ea01c04364ac

SHA1
f6dad60fadf0391dd820b03cb29151a8fede6420

SHA256
517b2a65f1d75bafbea6417de7cf0669059179d81f466a8e68c12e60fe607c3c

SHA512
413581712ae2afc3f29eeec6f9e5448d8b049f4d7eceaaff2d6977ad206594757ede8d768e188e6ed025b67c451dc3308c151b649d04d331b675de3cd858f67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PLN1Sx3XybKJ.bat

Filesize
207B

MD5
5d4a16f130638c91692b8ce6e0a5fa4f

SHA1
a4446b8b32a131d7e0fb014dbd95fdc17d2cacfa

SHA256
6e4651bf4851b87573998ee2625a683a4ad189d06d854b03e64b5055f1c7807b

SHA512
b08b113f5046c44797c11514a810ace2b63f546b2c650fc3fb85ee993f4ff72b19059dc5ff5b9d24de29ca1cd2fb499d8846f3ef3a477685c9af5e4c3b2f82da

Download Submit
C:\Users\Admin\AppData\Local\Temp\R9tGBuoaJUFV.bat

Filesize
207B

MD5
e173b491bf8172b800125b954e68d89d

SHA1
ecf9c29ef12536099f8d14db01f863c1b3186961

SHA256
b69d7cd44fa5f8f2de8eb50bb8d297dbb42c5169a939a6bcdc42166555554cdb

SHA512
7db835d7f55ea138b4e85175699bebb5a3991c7c8dcdcf328ff37390afc076ec006ac52d287d808c0d7b517795047068521e938dcc2fc66691502ecb2f85f9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEf9XfGqFCi1.bat

Filesize
207B

MD5
f222b62b47ec452079129bf45e0d699b

SHA1
6ade3bd46c9497d5e9e16701c2dfa613840b6512

SHA256
e695e5ce16b4671b00debdac14f1f58f3d8ebeb7f51b57854b6ca999e01bccac

SHA512
bc70d1e80d03070f4ae411ce7b5fe0cfaa75bde0f1df9662f85458cf1ea9882625450454ce8ef4f214cd6025bfc86a40d8d3034135c06d646c752c50e347cd63

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMJdEfBQLUEZ.bat

Filesize
207B

MD5
95f30205cdd8d4c9c70f5794d441291c

SHA1
8cda0a07239189a12f4741a34f9490002ee3ae76

SHA256
10a690d01ad5604fd4459d31d3d42b2cae97eb207302142efc31e6a57d1c6d56

SHA512
68d10318a7ced7ca3852cc0763cdfd6bd8f3b4d61a17c5f80a88c91b8b48159a1d3fb296b642dbdd57cef2a74d0d1b08ea705b8eaee13ae0eb8eb97ca9d00b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds3Y7n0dZEiK.bat

Filesize
207B

MD5
de799feec5ae09da12a995a9912f60f3

SHA1
6029552bafac805a8f6d34e240e59eda7eb18512

SHA256
5d1bfea6ca4262cfb4bb395c39dbb8cc7800a00d6ddf05ea05f87387882e9000

SHA512
8a10bb3bb3624bf9a8276af910915013a5db2e10aaac33051d39b9a32ea05834d5f8f4fac8c52ff63a5f80b3c7b9b22fa08be5d21af6ac2ea5a32d35c3d07af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eTZ7By0kRjtX.bat

Filesize
207B

MD5
4572e989a014c4b42e583be93334d67c

SHA1
c933496787572a20a08da95bc4bf2099dd0a7369

SHA256
4bfb38372b5926a5107e57b3197be491ee9cc61ff9e671cdab52d5486b88219c

SHA512
946a46185b3facb98194a32d09b5dea2279f822bf2879e736d02b615497af52ac6a730f9bb71c87d168edca4891f1be4ddfff1835b634126ac2027413b12f92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljfpNh0DA7cV.bat

Filesize
207B

MD5
93f306b7f5f1f32c4c7993b265fb2d6a

SHA1
914b3eba36251988fbb7a438160180430b7ff9ab

SHA256
95508a3ca521b37a56f894f3627d4f312111f95ee658db9404ab877026e1c224

SHA512
4c66d4e2fbc7f183e89154adefffad032cf0298ae319781ef5f2cacfc97e2fc10643825a034b14b66ea8e9c12a9421250fd8518f02f307ffa119777c4a7723f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qGefYVo8eEaP.bat

Filesize
207B

MD5
bf7e6be36225b13f8cd8043dcbbdb89e

SHA1
0f94ed7bbcbab1133acb8b2f002b052899b8d25a

SHA256
9a6e6056b1f1e1cec2863b39c1c3139772fc4dbf9c1277738bfd36de0edfd1b8

SHA512
85da36aa4e3f78715d89bca1c1e2229aaeef69210d9110a6f14e6d2804324189e30374e1eae1b8a82c7565334f4fe582b1b5517b432bb90a28603483e95d8ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufyjORfxkieg.bat

Filesize
207B

MD5
4d1f0eb82cd009758371d0ad0611c2ab

SHA1
10a1adb8a163f2a46e23f8630f562ef852997414

SHA256
b8497ea1ce47ce376b269fabbf223ea35ccf8e7d5ffadb586631b7e6805b8069

SHA512
30f62f7cc9661b0f4b039cf8c022f2cda2bb922a7b1119868b298834f27296fd8a101c7855d7710ca1ba63229144f5887562175f52aea8619df80baf8aaa9b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyZn20k6Nen1.bat

Filesize
207B

MD5
d60b67edcce37229cefbc5d11e785067

SHA1
cc48e749105ad175dfd0e166a3eb86e21b789f56

SHA256
a28c8678a572aca74ab81cbc20a1d1cb548b04fa3f45376696fc7a0cdaffa8bc

SHA512
cbc14887ceb0692c17afe6685bfb894ea3de593b30330955291223a78d0fa0139fb2ea1dfbd715293abcc8fc22c0945ed50a5dff3f9ec75f1f4424be4e0e15c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zimwWNFAIAcx.bat

Filesize
207B

MD5
232acd2b940b81c1defd07f81839705b

SHA1
c2dcf5b0547b3ccca6660ef0c9634a281265e8f5

SHA256
4adb0634ca7d5c529a95d2a14fbea784a30624d982f49ae3966aace386c469a8

SHA512
532790dcbe1e94ea6583cb911d19093947004b0cead57769478c89824b848b1df62e00c1cb44505524ba2c569799de00829799b0e70883654639e744f02c1183

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
5dfc212f263f24019afdbb92aac7eb94

SHA1
2cd08e2ac127f8a481e184f439af7f3d5436fd61

SHA256
5f1eb71a610495d2df133833b26bf6d4efa10fdb19a43bec074ffaf69e7ee95a

SHA512
af795af55b3afe231a46ccf41336c7e651b4b11eafe4bde65ab73095e7c9c9efd46f218dd1f02f63e7e0cd4b0d08c109f3ab2c57f23130c314e8801687296696

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
b619c30c568706d62dadaa3462a88cb3

SHA1
efd6e16a72a873ad918c020c1b806518a2c5e9a8

SHA256
07460adca4b91293498777c6bafba8ce530ef248d4c63262211c6e5c80ca3220

SHA512
c8f3fc67b97bedb1b8c1d1119835f87bc0c7383a2eb5157f8f5133a44e17815d3f411fce75b599b493c1dcf03715e604a70aadc8dfaff54a384dc2c3b93becde

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
bef7f84716d288f7c98c64ef6e35965a

SHA1
328be1928ac2a72d720c0fe93d471e49240f558d

SHA256
9255b1fe646f059390f76a324e4b0a70f295ad3abd07d7313ac4d65ee33a8b8e

SHA512
4a50bc65d03d83fedca034c7cfe14bfcfa997df5af8db9a6e385a2c79c61262561ec46bb5c03e3632d9124cb29ac4906e9193f27bdb16d0072842b882a119c9f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
08ae558b741006f35e74e02b4259af2b

SHA1
80852f0e51c75f919e44b0ba47212cd450d25a60

SHA256
f91cbc7bfc195bad561829b0db99b899fe586497408a7dc9093efff6deb043c3

SHA512
d435c8a492dedb6aa018e5e4e7dd3f62d1ec14615711c4156d43a08a65f1ee584d3836593ea70c7324f46616b6aa683ebd323bcf26d58a6757404a0a5405b71e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
0f5859c85e7bdf22866f2c9213d9a217

SHA1
4b35b94582ededed1ef6707fcf66c9f979c21e40

SHA256
adbca2a020e4e5bdda4a814588d072f695b2d7770fc2f115c3210faee74f6c7c

SHA512
30e2f69e8eb7c426f073ea013d4d79bae79e85425787f02624d330f995ecdb7dbd213f329964a644163e605d5ab0c60e7b33e6098fab32efdd44a3f9e015275b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
6daec89056e3931dc6f6ca74af7f4710

SHA1
a0b276409ba45a677e7d6782f1b58c84f11289cd

SHA256
5a0bbf09ee05058a12edd802a2afddbcc10531970cc2868f25541c19a3853067

SHA512
1caaef936a0411d1fc2a352a26baa6ecb35bfb6a4996bbc7c76423afe9bb167c76f1acd83a869dd6a2f3915864da7b7681c550a02951e85f9b5da951a2b29de5

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
348KB

MD5
222eb2520861357489b7a11a99656e3f

SHA1
fb21802a64e6bbc3a9746e5ee5e4f92c2dc8bfcf

SHA256
12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73

SHA512
991d90dda45c324e4b15a3cf3d0f5209d2f71c4d3145169215737c448d8ce0da494f32a2187e5bddb4eac488a48e18b061ff7bd42d1a28458e472359af798ecb

Download Submit
memory/476-184-0x0000000000DE0000-0x0000000000E3E000-memory.dmp

Filesize
376KB

Download
memory/856-164-0x0000000000260000-0x00000000002BE000-memory.dmp

Filesize
376KB

Download
memory/864-88-0x0000000000A80000-0x0000000000ADE000-memory.dmp

Filesize
376KB

Download
memory/952-204-0x0000000001210000-0x000000000126E000-memory.dmp

Filesize
376KB

Download
memory/1072-50-0x0000000000060000-0x00000000000BE000-memory.dmp

Filesize
376KB

Download
memory/1240-107-0x0000000001140000-0x000000000119E000-memory.dmp

Filesize
376KB

Download
memory/1692-214-0x00000000000A0000-0x00000000000FE000-memory.dmp

Filesize
376KB

Download
memory/1832-31-0x0000000000A40000-0x0000000000A9E000-memory.dmp

Filesize
376KB

Download
memory/2012-144-0x0000000000350000-0x00000000003AE000-memory.dmp

Filesize
376KB

Download
memory/2204-11-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2204-10-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2204-9-0x00000000008B0000-0x000000000090E000-memory.dmp

Filesize
376KB

Download
memory/2204-28-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2232-174-0x00000000009D0000-0x0000000000A2E000-memory.dmp

Filesize
376KB

Download
memory/2300-69-0x00000000008A0000-0x00000000008FE000-memory.dmp

Filesize
376KB

Download
memory/2328-154-0x00000000013D0000-0x000000000142E000-memory.dmp

Filesize
376KB

Download
memory/2704-126-0x0000000001140000-0x000000000119E000-memory.dmp

Filesize
376KB

Download
memory/2972-194-0x0000000001210000-0x000000000126E000-memory.dmp

Filesize
376KB

Download
memory/2980-0-0x00000000744BE000-0x00000000744BF000-memory.dmp

Filesize
4KB

Download
memory/2980-12-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2980-2-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2980-1-0x0000000000A20000-0x0000000000A7E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads