quasar | 12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2025, 20:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe
Size

348KB
MD5

222eb2520861357489b7a11a99656e3f
SHA1

fb21802a64e6bbc3a9746e5ee5e4f92c2dc8bfcf
SHA256

12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73
SHA512

991d90dda45c324e4b15a3cf3d0f5209d2f71c4d3145169215737c448d8ce0da494f32a2187e5bddb4eac488a48e18b061ff7bd42d1a28458e472359af798ecb
SSDEEP

6144:+V6bPXhLApfpUw4qCgafQbX30nlIHh/m7vHdjz7iO:umhAp6lqKfq0GheLHd/iO

Score

10^/10

quasar forceop discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

ForceOP

jordiek1d.ddns.net:4782

Mutex

QSR_MUTEX_Y1VQAwHslXRVvQkGHj

Attributes

encryption_key
3xJFlGvSDHRDtYnPg0qe
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsDrivers
subdirectory
SubDir

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	67	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe
	12	ip-api.com	Process not Found
	50	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1952-1-0x0000000000620000-0x000000000067E000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023ca1-10.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 14 IoCs

pid	Process
4632	Client.exe
3884	Client.exe
4724	Client.exe
3408	Client.exe
3764	Client.exe
2304	Client.exe
4212	Client.exe
4092	Client.exe
536	Client.exe
4428	Client.exe
3932	Client.exe
4364	Client.exe
4596	Client.exe
2340	Client.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com
50	ip-api.com
67	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
3560	4632	WerFault.exe	85
4764	3884	WerFault.exe	99
1536	4724	WerFault.exe	110
4300	3408	WerFault.exe	121
4184	3764	WerFault.exe	130
4224	2304	WerFault.exe	139
3788	4212	WerFault.exe	148
2604	4092	WerFault.exe	157
4896	536	WerFault.exe	166
3756	4428	WerFault.exe	175
3292	3932	WerFault.exe	184
968	4364	WerFault.exe	193
4932	4596	WerFault.exe	202
4316	2340	WerFault.exe	211

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2040	PING.EXE
1536	PING.EXE
3560	PING.EXE
2420	PING.EXE
3368	PING.EXE
1120	PING.EXE
4360	PING.EXE
4312	PING.EXE
4624	PING.EXE
1136	PING.EXE
3404	PING.EXE
1432	PING.EXE
1820	PING.EXE
4540	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
2040	PING.EXE
4360	PING.EXE
3368	PING.EXE
1120	PING.EXE
2420	PING.EXE
1136	PING.EXE
3404	PING.EXE
4312	PING.EXE
4624	PING.EXE
1432	PING.EXE
1820	PING.EXE
4540	PING.EXE
1536	PING.EXE
3560	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2680	schtasks.exe
3864	schtasks.exe
1988	schtasks.exe
5036	schtasks.exe
656	schtasks.exe
1788	schtasks.exe
5068	schtasks.exe
1136	schtasks.exe
3760	schtasks.exe
4456	schtasks.exe
1244	schtasks.exe
1796	schtasks.exe
4224	schtasks.exe
1000	schtasks.exe
2528	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe
Token: SeDebugPrivilege	4632	Client.exe
Token: SeDebugPrivilege	3884	Client.exe
Token: SeDebugPrivilege	4724	Client.exe
Token: SeDebugPrivilege	3408	Client.exe
Token: SeDebugPrivilege	3764	Client.exe
Token: SeDebugPrivilege	2304	Client.exe
Token: SeDebugPrivilege	4212	Client.exe
Token: SeDebugPrivilege	4092	Client.exe
Token: SeDebugPrivilege	536	Client.exe
Token: SeDebugPrivilege	4428	Client.exe
Token: SeDebugPrivilege	3932	Client.exe
Token: SeDebugPrivilege	4364	Client.exe
Token: SeDebugPrivilege	4596	Client.exe
Token: SeDebugPrivilege	2340	Client.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4632	Client.exe
3884	Client.exe
4724	Client.exe
3408	Client.exe
3764	Client.exe
2304	Client.exe
4212	Client.exe
4092	Client.exe
536	Client.exe
4428	Client.exe
3932	Client.exe
4364	Client.exe
4596	Client.exe
2340	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 1136	1952	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	83
PID 1952 wrote to memory of 1136	1952	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	83
PID 1952 wrote to memory of 1136	1952	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	83
PID 1952 wrote to memory of 4632	1952	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	85
PID 1952 wrote to memory of 4632	1952	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	85
PID 1952 wrote to memory of 4632	1952	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	85
PID 4632 wrote to memory of 3760	4632	Client.exe	86
PID 4632 wrote to memory of 3760	4632	Client.exe	86
PID 4632 wrote to memory of 3760	4632	Client.exe	86
PID 4632 wrote to memory of 2400	4632	Client.exe	88
PID 4632 wrote to memory of 2400	4632	Client.exe	88
PID 4632 wrote to memory of 2400	4632	Client.exe	88
PID 2400 wrote to memory of 1360	2400	cmd.exe	91
PID 2400 wrote to memory of 1360	2400	cmd.exe	91
PID 2400 wrote to memory of 1360	2400	cmd.exe	91
PID 2400 wrote to memory of 4624	2400	cmd.exe	93
PID 2400 wrote to memory of 4624	2400	cmd.exe	93
PID 2400 wrote to memory of 4624	2400	cmd.exe	93
PID 2400 wrote to memory of 3884	2400	cmd.exe	99
PID 2400 wrote to memory of 3884	2400	cmd.exe	99
PID 2400 wrote to memory of 3884	2400	cmd.exe	99
PID 3884 wrote to memory of 656	3884	Client.exe	100
PID 3884 wrote to memory of 656	3884	Client.exe	100
PID 3884 wrote to memory of 656	3884	Client.exe	100
PID 3884 wrote to memory of 3736	3884	Client.exe	102
PID 3884 wrote to memory of 3736	3884	Client.exe	102
PID 3884 wrote to memory of 3736	3884	Client.exe	102
PID 3736 wrote to memory of 4364	3736	cmd.exe	106
PID 3736 wrote to memory of 4364	3736	cmd.exe	106
PID 3736 wrote to memory of 4364	3736	cmd.exe	106
PID 3736 wrote to memory of 2420	3736	cmd.exe	107
PID 3736 wrote to memory of 2420	3736	cmd.exe	107
PID 3736 wrote to memory of 2420	3736	cmd.exe	107
PID 3736 wrote to memory of 4724	3736	cmd.exe	110
PID 3736 wrote to memory of 4724	3736	cmd.exe	110
PID 3736 wrote to memory of 4724	3736	cmd.exe	110
PID 4724 wrote to memory of 4456	4724	Client.exe	111
PID 4724 wrote to memory of 4456	4724	Client.exe	111
PID 4724 wrote to memory of 4456	4724	Client.exe	111
PID 4724 wrote to memory of 2604	4724	Client.exe	113
PID 4724 wrote to memory of 2604	4724	Client.exe	113
PID 4724 wrote to memory of 2604	4724	Client.exe	113
PID 2604 wrote to memory of 1000	2604	cmd.exe	116
PID 2604 wrote to memory of 1000	2604	cmd.exe	116
PID 2604 wrote to memory of 1000	2604	cmd.exe	116
PID 2604 wrote to memory of 1432	2604	cmd.exe	118
PID 2604 wrote to memory of 1432	2604	cmd.exe	118
PID 2604 wrote to memory of 1432	2604	cmd.exe	118
PID 2604 wrote to memory of 3408	2604	cmd.exe	121
PID 2604 wrote to memory of 3408	2604	cmd.exe	121
PID 2604 wrote to memory of 3408	2604	cmd.exe	121
PID 3408 wrote to memory of 2680	3408	Client.exe	122
PID 3408 wrote to memory of 2680	3408	Client.exe	122
PID 3408 wrote to memory of 2680	3408	Client.exe	122
PID 3408 wrote to memory of 4904	3408	Client.exe	124
PID 3408 wrote to memory of 4904	3408	Client.exe	124
PID 3408 wrote to memory of 4904	3408	Client.exe	124
PID 4904 wrote to memory of 2572	4904	cmd.exe	128
PID 4904 wrote to memory of 2572	4904	cmd.exe	128
PID 4904 wrote to memory of 2572	4904	cmd.exe	128
PID 4904 wrote to memory of 1136	4904	cmd.exe	129
PID 4904 wrote to memory of 1136	4904	cmd.exe	129
PID 4904 wrote to memory of 1136	4904	cmd.exe	129
PID 4904 wrote to memory of 3764	4904	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe
"C:\Users\Admin\AppData\Local\Temp\12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe"
1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1136
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAGaEReTIl5L.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:1360
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4624
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5U8ca3bLgjba.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3736
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2420
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eVIQUm6ivKO4.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1432
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQyscfYDphdQ.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1136
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3764
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kziiepAcKgOW.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sojYmdjZObog.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4360
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4212
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GnyFZTg9EfQW.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3368
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4092
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qp84TDCWUGC0.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1120
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1exdNlvm40J4.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4540
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4428
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X7E7d5TJDkX3.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3404
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3932
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fvFxkt2GHgwD.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4364
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vH25DNXv4Bd6.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1536
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4596
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UICt762IKmQZ.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4312
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bu4lTzfoD3SR.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 2200
        29⤵
        Program crash
        
        PID:4316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1920
        27⤵
        Program crash
        
        PID:4932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 2196
        25⤵
        Program crash
        
        PID:968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 2224
        23⤵
        Program crash
        
        PID:3292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 2224
        21⤵
        Program crash
        
        PID:3756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 2188
        19⤵
        Program crash
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 2224
        17⤵
        Program crash
        
        PID:2604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 2172
        15⤵
        Program crash
        
        PID:3788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 2224
        13⤵
        Program crash
        
        PID:4224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 2224
        11⤵
        Program crash
        
        PID:4184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2196
        9⤵
        Program crash
        
        PID:4300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 2228
        7⤵
        Program crash
        
        PID:1536
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 2228
        5⤵
        Program crash
        
        PID:4764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 2208
    3⤵
    - Program crash
    PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4632 -ip 4632
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3884 -ip 3884
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4724 -ip 4724
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3408 -ip 3408
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3764 -ip 3764
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2304 -ip 2304
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4212 -ip 4212
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4092 -ip 4092
1⤵
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 536 -ip 536
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4428 -ip 4428
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3932 -ip 3932
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4364 -ip 4364
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4596 -ip 4596
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2340 -ip 2340
1⤵
PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1exdNlvm40J4.bat

Filesize
207B

MD5
c98a05e3256ec2f2ef079d00ffb41dcc

SHA1
faac2f19144c90e1d4fae955680dc857db2595e8

SHA256
cb1af309237ba981035bf37d7bdee97a11117a7967f4c2fff3e0bedf500c3fdd

SHA512
a30eaf3ca6cc5e2111049546a4c289e483a5ca2271b8973ab94fbccbe98d106eb02a87e85a68b12530a79135e4e08cfbb5700ad74337c911fa57f368dcb34007

Download Submit
C:\Users\Admin\AppData\Local\Temp\5U8ca3bLgjba.bat

Filesize
207B

MD5
78fc1652d0857af5cb58c96ec0f2c568

SHA1
7873fa07fe4a29a86f3d4ff8cd9ced2f4b010967

SHA256
a0a889e7da625b32cf5127e0ac73a051985d547e9c34643c98d95328989552ba

SHA512
f96fdd6087b284bc04e63c50ec1524c960ff48b26b839a9b3ee0920fd7f58e32b704902bf72311fe24d036caf037cb364c635c3e5c3982f5d11f4ef48c64df9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bu4lTzfoD3SR.bat

Filesize
207B

MD5
2cb0bf9c2a4546c67c7a63791086444a

SHA1
a593f972c1643e7b21c3d7d54d90961eee1f465f

SHA256
3d776579c28b4e32f2e00007c1c6b35a631db2bb066d8a2b583e8af3efe89d01

SHA512
cd055458d5873c727c33d1ab498c21551c33761dcac680dea2d9c61bbc1a7ef7983d63f7d8e5b4a2274bd5a1c634519ff08dd93cb979099991a0974329a53ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GnyFZTg9EfQW.bat

Filesize
207B

MD5
12b36af2dc3924bc64d6a61d559370ba

SHA1
76e9141e5e3c6cab2b91ffcb28f815959b825b8a

SHA256
f11a0714edd5d3487e949ecbfb5dbc0b26232fceed988295632878ba2a7dfe18

SHA512
bbc8187a0313c14653de55dd11e2d9d0a32e9fc17386f4f66bc4a72fed56afd568dd3c06428a2d0d92358ac78b02623c6504e470183e3472a73badc0c11b8e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\UICt762IKmQZ.bat

Filesize
207B

MD5
7952e17e70a149a6cdd84cc06b723945

SHA1
a75ce55a40af88e41bcea22da913333199db2c75

SHA256
a5f67a40b02d64b3f2af501f9d702c5b1340097da17ace338df378a51175150a

SHA512
98d4699e46461f58c791abd0df6c1aa7a808844eb689f090fe0773ed25c1b7b4e6b82fb335c507c0f24261f4072ff7fc9a5b1498e9325f6a42c87906f65e7c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X7E7d5TJDkX3.bat

Filesize
207B

MD5
20b6bd0eef9a1d6eb25569551a1c608b

SHA1
4af9fc937952c765d3e7c996cc7f2cf062aeab15

SHA256
8739534a8c36f4bf0d08f149c7458e70a5ac82928365be85a6c4880881bbae54

SHA512
d0f079ee5f039a428fa18d21274f6274a95073918134da25fd20d192e1b89950b3fdd4978c64074daac8a0e5fb0951f9e1d182bdbde8ef242822954ea5323560

Download Submit
C:\Users\Admin\AppData\Local\Temp\eVIQUm6ivKO4.bat

Filesize
207B

MD5
8968949e95919ae66323250397b1973c

SHA1
f7f071cb78588abda6538441ea96d75317838e27

SHA256
af2821768084fd8dad60bfbb8ca6a4bc9d822fa15a86fc92e8000a10748f0a38

SHA512
8e9c66e268eb7ca192308417e0a9b031aaa20b3b39be3737ebbd0568239373f753d40d94e42add0b4401c5af8f885afb12ea789deb46b8661131194c5740ab4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fvFxkt2GHgwD.bat

Filesize
207B

MD5
61cfa9c1fc393aa9faac79ab8e8ad729

SHA1
2a5aa8c00d0eb17dbe791890f97ba81c1e511ac5

SHA256
02813953b92c2292299f505f4ef958ad3809460bb53b6398088124eb2a6c6efd

SHA512
a30df1ba571c5246d187e2a2ed6db0c3a68328e7ec5481a4d0166c4ef11ebf63a3c88319f02bbf23e7d1dafb0e30b6e54e4f69d4598d73126faa069bfb55b1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\kziiepAcKgOW.bat

Filesize
207B

MD5
1fc5f32dff39832060c7ac92829259ea

SHA1
3216d8d1e8ef7c1e4e0bc92da25e19faf55119a1

SHA256
3c4af2784083f941605be0cef139374970cef220eae78ee2d377b23d533c790a

SHA512
4690ea64526b75d7d23f567a434c0ccf10b5839862e67e1604a4b83150cfdb1629e8e84f7bc3f2953207041c75244e46b9209852abe9c1ff44de39167eaab7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qp84TDCWUGC0.bat

Filesize
207B

MD5
e80161d119397acdd5787a71dedd1f4c

SHA1
3684666521ca5e98535a967abdfd355b5fdf1339

SHA256
c2407a52dd2e7518192b7b3765884735f682be3b546d0a3274f6b44d79bf761a

SHA512
0644e7a461222fe0e827b59e5f3cd0637fc7a693468d3a96d2e2da43caa0734280cb413dbb217acea1425e95a1708b4829de608b4d024b9b8f74fa0c3c91b426

Download Submit
C:\Users\Admin\AppData\Local\Temp\sojYmdjZObog.bat

Filesize
207B

MD5
dd50246b2c975e91ff776256b5fd1c78

SHA1
c289c9771c50be2928edbec1b5bdfcfe1e134a41

SHA256
dfe8520812f83792dd44bbc830f11b27f598a2d0967326c230d37b43425806e5

SHA512
a1a65f2eb92166c4770d2aad8afb6c8458b2c3c2fd6c6bb37f355dfa71e1b7bad6c43a6f3adfac2720350fcef06b647f2c055af611fee833819fef0939cd9f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vH25DNXv4Bd6.bat

Filesize
207B

MD5
d257544e95fa908781a428096c22f51f

SHA1
f29b49bf49847cc2b2789eb933ae65cf30cefe6a

SHA256
35a01cc499b02609d7b81641767639b751df90732385bc69be397abcfff68e6d

SHA512
f5b27635b8ce1e160dde7527c578d5aef21343b4b4e451fe18f02da697dca2a91e90c310178db44a0a1b312633b07fce33afdea8a17e0eec0c238c692b2bd3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQyscfYDphdQ.bat

Filesize
207B

MD5
ed66762ec01953cdc901b4cc28295f8d

SHA1
1b52798c365b826713e0efeedd9ed2b8332d3bf6

SHA256
f4702906c6bafec5f1a56cb1a4895444eebee6e62cafa0d58328264bab5fde6f

SHA512
bf9be1787b771cd1ef43853a618f484c38779c93b2ae6e4a9af2c17461f31d28b5e6a56438e512c0ea9dfaea95db6d0153c43599ef493d78365bc116165caa42

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAGaEReTIl5L.bat

Filesize
207B

MD5
04e03df655f101aeffff05564507755c

SHA1
eff388433eae6c52a731b17f3aec3166d3447d39

SHA256
2febd6a2cc56b06acf912187e866b6f296ee7a6f4fe0dc7307e203d7fce1e0c7

SHA512
9441d203114dfcefdfd150abd413f724d0b0eb0562a61c3d63b6a001506fe9c26bd8027d13733aff961b3ef6ed0ca66adc5cae22e1390e3b4d02f77799903aef

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
d0add75b9e42a51eb6dc0b55a9e38adf

SHA1
e85bf1da4a1ffcfaec7bcd6a6621396c48244b0a

SHA256
44f37df769de6064dbb1c4db75ece46b84f259dbc184dea1d36aa68e0280a40f

SHA512
528adc9915ac663d60e52a82234392670d0409d43805b289664c6c4ecc5a0764fc43c6da78add7aaa9828a81978a1884be64f7c7836af8b50b1e63b093619f6b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
b0290a3bbac7009eefbe164c39e579ef

SHA1
1103e43bd7d5dc53b674de3917128b43ae63556f

SHA256
0741e5cb6fbc8513b5aff2cc08c4f88d0b9cc850f792e1701625585049b67694

SHA512
cb2e8d0131a1c2e16fbe2d33a255bb461de95eccecb732282b4880c43c006cbe251f17c6243f95ad81d6efab302d4ee3078ee2296b583791b7bed7e44def1de6

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
a508be548f1939044c79a467f0683f2f

SHA1
b996920a92a25f2bd8680c31ce89e398b99c0deb

SHA256
33bd6fbe82f9725a2e5610a911e78b4cfb4bda4c56eb127185eb9f7970f4bde7

SHA512
3f678c895ad7113f260e42c68134b4afcc3bfe5360f29b8b3d88b3307c23e3335c63f2c2f14c5c86dbacd4c729c130d1df7d93c6a934e695b5af20a8f3bd2e94

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
6eedeb04830ac8d623f703663ac48572

SHA1
348e7eb98d9c6da5991d801132550c9d26aa28a5

SHA256
5e360985d64378805706c7d4331bb80c760956ace00eba0b6e1312fe5b19028d

SHA512
99e28aa4683b44abd82545bb503e55e6aee2ebb7732fdeda74148a46731fc2075bf6ca17ee8a3f26f2d567e1142021397d74dd13a61978eb54f1bb6e90b24785

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
1af65beb4061e1eefa0f7004d84c650b

SHA1
0f1278dc501b8d3330207a1fbccc803690104e37

SHA256
9c8ae8d4a5c2ff03c83c692f312e8133a1ce4e3b416abcdc2fec154c79afabc6

SHA512
a114dbfbb390cb868bc87c3d6bfc249114e0cd554825da1e5478a829a548e8076d39472a5e39b487bb8c69e10903ceaac15e62fd06e38c5126572fa148f3d47d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
07fffe1ad6f0ed5a2509b521b4ab2762

SHA1
f522176bcdf2cef08975ee5b05e8bdec31bbb17c

SHA256
de1c1a92f7b990057e64825b98033784ddaeee510a3e28330433c1bb4cd782bf

SHA512
9c6507c58f79e7329745981fcbf8687f3499feacda4c2f032a9d5023eaacac8554710bca9dde78be49fb63ad511c02edae9ecb0493de1f979f9af0efeadab46e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
e6ce2d056af018b9a66cd80cad44a339

SHA1
c0f226a7f3ddb17dc05eff6da883fa70d0eebe9f

SHA256
3b6ec8fd05c921d3a6e9bf448fe16b1e01d1dadf465a54b9f600e427a47f7108

SHA512
d702e61e3e580b0ea1140679181ae89425e1d65f5a6a8659041a8a4592848f767eaa4f23e80517981043819bde38da5ffcc0f29717ac68d8a4f4cc5a39586b92

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
c69675aaace696f1ceadcf92ae0f5af0

SHA1
b232705e6b208fa6ca69d08b491b0f5f489aa712

SHA256
6993ef7ada6334556ca33f8918c11976efc02e7146ecc0ad8f719e8245769929

SHA512
8d1038946a966d8f50c72cea8360fa027946a5ab394ad42b9763e59189fe0b36c7975eb543f679f877c10ce0689a695c630cfd37b73722bbbc6b0b67c2e8ce27

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
0d11d2f1a5b3dc434709db7647858568

SHA1
86dfe365d56b2a7dccd0eef0ee625f544cc38563

SHA256
a52a14c9cc16e903de1cf633c78aef93420e245947e1fd46d510c7a073b2081e

SHA512
83c016e279eb0c5f25398c3914397d31c4620f53499e1118fd9e63b4b50e7de38ae8cf8c09453233de3770c41bed494a03f5c3ef9654a934d94f7af006178af6

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
8f6d581a220f915218ef477151b00a2a

SHA1
2272558a8c367e3bfaa77f86ea65dcfa7e55515d

SHA256
3705a30b97b7c3e6fae758fba71a5713f70e7cd4937fc606f565262895da5628

SHA512
74dd51866e7c2177710263c1c35d95525fe79702085a5833a198078ed2dca414853167406f44259247ad640580ce89f33d58f992aacff2cfc0fdcbbb709aefba

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
11ae0d1852f1c70d11da57bf6986fda0

SHA1
503a0955680532ac6dfd3cce1d89be0ac0d0b62b

SHA256
d2242f97d2659f5055cbc7842500f441af22a909c3528138d03f03cee001f9e8

SHA512
8206ceffc1efcdc44400f65c32d74fd0e74b344c92792fdf694eda0e344d216a1b8a68721ea1776f523a9a0c5923ce8a64719ae90abf502ac62e1d258d17c3e0

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
c92484a2ffc528879ba89e3a963fa4c8

SHA1
5fb711239b2939540ceb5333fc2f2d609a59d128

SHA256
ceefd59aa18c68ef1c85daecfdf65d595f4ed7e41a14a4bb0794fe92ef5644dc

SHA512
f09a89d3c39703d3251e62c48305333a1bb54003c924a5aa20ad78a2bd6730252f51a37ea7d41247b8ef45851634d74a0569e66863ec74ed950f20032e8c0a6f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
8b5f5f7c545d95b993f3d11c8745f392

SHA1
8c32e191095e87e413990e2bed878989df7c0e1c

SHA256
5aba19b661157efed0c6ae949c0e1c7e189f52db23c2ae93ac4a5fbf7e450a45

SHA512
390938c558eeeb648bcb0eeeaac3f5f501d942dc6d95071a89d6ee7915c27801ebb147657604ae48615ebf123026fd5c24890640339f90fc7bc20f6c2441e429

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
348KB

MD5
222eb2520861357489b7a11a99656e3f

SHA1
fb21802a64e6bbc3a9746e5ee5e4f92c2dc8bfcf

SHA256
12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73

SHA512
991d90dda45c324e4b15a3cf3d0f5209d2f71c4d3145169215737c448d8ce0da494f32a2187e5bddb4eac488a48e18b061ff7bd42d1a28458e472359af798ecb

Download Submit
memory/1952-0-0x000000007543E000-0x000000007543F000-memory.dmp

Filesize
4KB

Download
memory/1952-7-0x00000000062D0000-0x000000000630C000-memory.dmp

Filesize
240KB

Download
memory/1952-6-0x0000000005D90000-0x0000000005DA2000-memory.dmp

Filesize
72KB

Download
memory/1952-5-0x0000000005160000-0x00000000051C6000-memory.dmp

Filesize
408KB

Download
memory/1952-14-0x0000000075430000-0x0000000075BE0000-memory.dmp

Filesize
7.7MB

Download
memory/1952-4-0x0000000075430000-0x0000000075BE0000-memory.dmp

Filesize
7.7MB

Download
memory/1952-3-0x00000000050C0000-0x0000000005152000-memory.dmp

Filesize
584KB

Download
memory/1952-2-0x00000000055B0000-0x0000000005B54000-memory.dmp

Filesize
5.6MB

Download
memory/1952-1-0x0000000000620000-0x000000000067E000-memory.dmp

Filesize
376KB

Download
memory/4632-13-0x0000000075430000-0x0000000075BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4632-15-0x0000000075430000-0x0000000075BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4632-17-0x0000000006590000-0x000000000659A000-memory.dmp

Filesize
40KB

Download
memory/4632-22-0x0000000075430000-0x0000000075BE0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads