quasar | 12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/01/2025, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe
Size

348KB
MD5

222eb2520861357489b7a11a99656e3f
SHA1

fb21802a64e6bbc3a9746e5ee5e4f92c2dc8bfcf
SHA256

12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73
SHA512

991d90dda45c324e4b15a3cf3d0f5209d2f71c4d3145169215737c448d8ce0da494f32a2187e5bddb4eac488a48e18b061ff7bd42d1a28458e472359af798ecb
SSDEEP

6144:+V6bPXhLApfpUw4qCgafQbX30nlIHh/m7vHdjz7iO:umhAp6lqKfq0GheLHd/iO

Score

10^/10

quasar forceop discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

ForceOP

jordiek1d.ddns.net:4782

Mutex

QSR_MUTEX_Y1VQAwHslXRVvQkGHj

Attributes

encryption_key
3xJFlGvSDHRDtYnPg0qe
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsDrivers
subdirectory
SubDir

Signatures

Quasar RAT 5 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe
	2	ip-api.com	Process not Found
	6	ip-api.com	Process not Found
	13	ip-api.com	Process not Found
	20	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 12 IoCs

resource	yara_rule
behavioral1/memory/2552-1-0x0000000000DC0000-0x0000000000E1E000-memory.dmp	family_quasar
behavioral1/files/0x0009000000015c9f-4.dat	family_quasar
behavioral1/memory/1744-10-0x00000000012C0000-0x000000000131E000-memory.dmp	family_quasar
behavioral1/memory/1816-31-0x0000000001310000-0x000000000136E000-memory.dmp	family_quasar
behavioral1/memory/2912-50-0x00000000000E0000-0x000000000013E000-memory.dmp	family_quasar
behavioral1/memory/1500-69-0x0000000000DA0000-0x0000000000DFE000-memory.dmp	family_quasar
behavioral1/memory/1048-88-0x0000000000DA0000-0x0000000000DFE000-memory.dmp	family_quasar
behavioral1/memory/1148-127-0x0000000000E50000-0x0000000000EAE000-memory.dmp	family_quasar
behavioral1/memory/2304-145-0x0000000000320000-0x000000000037E000-memory.dmp	family_quasar
behavioral1/memory/776-155-0x00000000003F0000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/944-165-0x0000000001360000-0x00000000013BE000-memory.dmp	family_quasar
behavioral1/memory/2992-175-0x0000000001360000-0x00000000013BE000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
1744	Client.exe
1816	Client.exe
2912	Client.exe
1500	Client.exe
1048	Client.exe
2892	Client.exe
1148	Client.exe
2304	Client.exe
776	Client.exe
944	Client.exe
2992	Client.exe
2892	Client.exe
828	Client.exe
448	Client.exe
3064	Client.exe

Loads dropped DLL 64 IoCs

pid	Process
2552	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2896	cmd.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1860	cmd.exe
448	WerFault.exe
448	WerFault.exe
448	WerFault.exe
448	WerFault.exe
448	WerFault.exe
860	cmd.exe
808	WerFault.exe
808	WerFault.exe
808	WerFault.exe
808	WerFault.exe
808	WerFault.exe
2072	cmd.exe
2424	WerFault.exe
2424	WerFault.exe
2424	WerFault.exe
2424	WerFault.exe
2424	WerFault.exe
2900	cmd.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
2800	cmd.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe
2688	cmd.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2144	cmd.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2224	cmd.exe
2712	WerFault.exe
2712	WerFault.exe
2712	WerFault.exe
2712	WerFault.exe
2712	WerFault.exe
1716	cmd.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
6	ip-api.com
13	ip-api.com
20	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
2972	1744	WerFault.exe	33
1908	1816	WerFault.exe	42
448	2912	WerFault.exe	50
808	1500	WerFault.exe	58
2424	1048	WerFault.exe	66
1744	2892	WerFault.exe	74
1680	1148	WerFault.exe	82
2852	2304	WerFault.exe	90
2164	776	WerFault.exe	98
2712	944	WerFault.exe	106
2616	2992	WerFault.exe	114
2096	2892	WerFault.exe	122
2336	828	WerFault.exe	130
2084	448	WerFault.exe	138

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2352	PING.EXE
1836	PING.EXE
316	PING.EXE
2236	PING.EXE
400	PING.EXE
1916	PING.EXE
2948	PING.EXE
2792	PING.EXE
1984	PING.EXE
2896	PING.EXE
1188	PING.EXE
1844	PING.EXE
1264	PING.EXE
1376	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
2352	PING.EXE
1836	PING.EXE
2792	PING.EXE
2896	PING.EXE
1188	PING.EXE
1376	PING.EXE
2948	PING.EXE
1984	PING.EXE
1844	PING.EXE
1916	PING.EXE
1264	PING.EXE
316	PING.EXE
2236	PING.EXE
400	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2232	schtasks.exe
2004	schtasks.exe
2960	schtasks.exe
2520	schtasks.exe
2912	schtasks.exe
2776	schtasks.exe
2792	schtasks.exe
696	schtasks.exe
2840	schtasks.exe
1828	schtasks.exe
2120	schtasks.exe
1244	schtasks.exe
2424	schtasks.exe
1028	schtasks.exe
2756	schtasks.exe
1920	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe
Token: SeDebugPrivilege	1744	Client.exe
Token: SeDebugPrivilege	1816	Client.exe
Token: SeDebugPrivilege	2912	Client.exe
Token: SeDebugPrivilege	1500	Client.exe
Token: SeDebugPrivilege	1048	Client.exe
Token: SeDebugPrivilege	2892	Client.exe
Token: SeDebugPrivilege	1148	Client.exe
Token: SeDebugPrivilege	2304	Client.exe
Token: SeDebugPrivilege	776	Client.exe
Token: SeDebugPrivilege	944	Client.exe
Token: SeDebugPrivilege	2992	Client.exe
Token: SeDebugPrivilege	2892	Client.exe
Token: SeDebugPrivilege	828	Client.exe
Token: SeDebugPrivilege	448	Client.exe
Token: SeDebugPrivilege	3064	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1744	Client.exe
1816	Client.exe
2912	Client.exe
1500	Client.exe
1048	Client.exe
2892	Client.exe
1148	Client.exe
2304	Client.exe
776	Client.exe
944	Client.exe
2992	Client.exe
2892	Client.exe
828	Client.exe
448	Client.exe
3064	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2424	2552	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	31
PID 2552 wrote to memory of 2424	2552	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	31
PID 2552 wrote to memory of 2424	2552	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	31
PID 2552 wrote to memory of 2424	2552	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	31
PID 2552 wrote to memory of 1744	2552	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	33
PID 2552 wrote to memory of 1744	2552	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	33
PID 2552 wrote to memory of 1744	2552	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	33
PID 2552 wrote to memory of 1744	2552	12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe	33
PID 1744 wrote to memory of 2776	1744	Client.exe	34
PID 1744 wrote to memory of 2776	1744	Client.exe	34
PID 1744 wrote to memory of 2776	1744	Client.exe	34
PID 1744 wrote to memory of 2776	1744	Client.exe	34
PID 1744 wrote to memory of 2896	1744	Client.exe	36
PID 1744 wrote to memory of 2896	1744	Client.exe	36
PID 1744 wrote to memory of 2896	1744	Client.exe	36
PID 1744 wrote to memory of 2896	1744	Client.exe	36
PID 1744 wrote to memory of 2972	1744	Client.exe	38
PID 1744 wrote to memory of 2972	1744	Client.exe	38
PID 1744 wrote to memory of 2972	1744	Client.exe	38
PID 1744 wrote to memory of 2972	1744	Client.exe	38
PID 2896 wrote to memory of 2880	2896	cmd.exe	39
PID 2896 wrote to memory of 2880	2896	cmd.exe	39
PID 2896 wrote to memory of 2880	2896	cmd.exe	39
PID 2896 wrote to memory of 2880	2896	cmd.exe	39
PID 2896 wrote to memory of 2792	2896	cmd.exe	40
PID 2896 wrote to memory of 2792	2896	cmd.exe	40
PID 2896 wrote to memory of 2792	2896	cmd.exe	40
PID 2896 wrote to memory of 2792	2896	cmd.exe	40
PID 2896 wrote to memory of 1816	2896	cmd.exe	42
PID 2896 wrote to memory of 1816	2896	cmd.exe	42
PID 2896 wrote to memory of 1816	2896	cmd.exe	42
PID 2896 wrote to memory of 1816	2896	cmd.exe	42
PID 1816 wrote to memory of 1828	1816	Client.exe	43
PID 1816 wrote to memory of 1828	1816	Client.exe	43
PID 1816 wrote to memory of 1828	1816	Client.exe	43
PID 1816 wrote to memory of 1828	1816	Client.exe	43
PID 1816 wrote to memory of 1860	1816	Client.exe	45
PID 1816 wrote to memory of 1860	1816	Client.exe	45
PID 1816 wrote to memory of 1860	1816	Client.exe	45
PID 1816 wrote to memory of 1860	1816	Client.exe	45
PID 1816 wrote to memory of 1908	1816	Client.exe	47
PID 1816 wrote to memory of 1908	1816	Client.exe	47
PID 1816 wrote to memory of 1908	1816	Client.exe	47
PID 1816 wrote to memory of 1908	1816	Client.exe	47
PID 1860 wrote to memory of 1536	1860	cmd.exe	48
PID 1860 wrote to memory of 1536	1860	cmd.exe	48
PID 1860 wrote to memory of 1536	1860	cmd.exe	48
PID 1860 wrote to memory of 1536	1860	cmd.exe	48
PID 1860 wrote to memory of 316	1860	cmd.exe	49
PID 1860 wrote to memory of 316	1860	cmd.exe	49
PID 1860 wrote to memory of 316	1860	cmd.exe	49
PID 1860 wrote to memory of 316	1860	cmd.exe	49
PID 1860 wrote to memory of 2912	1860	cmd.exe	50
PID 1860 wrote to memory of 2912	1860	cmd.exe	50
PID 1860 wrote to memory of 2912	1860	cmd.exe	50
PID 1860 wrote to memory of 2912	1860	cmd.exe	50
PID 2912 wrote to memory of 2120	2912	Client.exe	51
PID 2912 wrote to memory of 2120	2912	Client.exe	51
PID 2912 wrote to memory of 2120	2912	Client.exe	51
PID 2912 wrote to memory of 2120	2912	Client.exe	51
PID 2912 wrote to memory of 860	2912	Client.exe	53
PID 2912 wrote to memory of 860	2912	Client.exe	53
PID 2912 wrote to memory of 860	2912	Client.exe	53
PID 2912 wrote to memory of 860	2912	Client.exe	53

C:\Users\Admin\AppData\Local\Temp\12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe
"C:\Users\Admin\AppData\Local\Temp\12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe"
1⤵
- Quasar RAT
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2424
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\b8kQH976qRvh.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2880
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2792
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1828
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\B2FxCD6Gl34v.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1860
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:316
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mwjT7I4PgfD9.bat" "
        7⤵
        Loads dropped DLL
        
        PID:860
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\p87TiULlDrPG.bat" "
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DwwNdTQMI2iI.bat" "
        11⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bklIZSWyOE1J.bat" "
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1148
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zqa2UhHEyhqx.bat" "
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:400
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jcg6W3ej8YHR.bat" "
        17⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WcpFRDWRtbGs.bat" "
        19⤵
        Loads dropped DLL
        
        PID:2224
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:944
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qPqQZRSjTys0.bat" "
        21⤵
        Loads dropped DLL
        
        PID:1716
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1264
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bvrkjPhMX4yW.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1376
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IP3K5cng5LN8.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ljpmaYfgNIGz.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:448
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gqMuxPCmarJn.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1836
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 1444
        29⤵
        Program crash
        
        PID:2084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 1432
        27⤵
        Program crash
        
        PID:2336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 1428
        25⤵
        Program crash
        
        PID:2096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1440
        23⤵
        Loads dropped DLL
        Program crash
        
        PID:2616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 1432
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:2712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 1424
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:2164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1428
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:2852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1440
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:1680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 1412
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:1744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1408
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:2424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 1432
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1432
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:448
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 1432
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 1472
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9A9MRK3msoCd.bat

Filesize
207B

MD5
c6c87f81b70fb5724e7bb1b8b6bb58be

SHA1
7621d542e7f9be4511694ec317aa9484d3ca607e

SHA256
45ac5526b0e7a0024cdfb9e8bb0006764e4f64af8eea909b94b37b881f9f64ea

SHA512
81d57e628271d6e718fd03437cf79ee6c542c45326c283fbe0ef44a8195f7d407a09bab8fb12c1201658d1c59ef2fb3e922cdb461942e86e3b48dec99be21d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2FxCD6Gl34v.bat

Filesize
207B

MD5
a15a821ae34f71113e94d4fd99ad394d

SHA1
6ae87bee5e52c13d7e39081161a6e2d99c94d11d

SHA256
97e132d50e0d1653d144daef822c305ac958908529b8207e530191161b560ade

SHA512
74beaf796e544adf2e1c0000dd99fd1bbf612f85ae05af431e5a6213667817b8acc8367fd12f556e68e57352af1b5617f979a8c069d86e1bf99fc9791785432d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DwwNdTQMI2iI.bat

Filesize
207B

MD5
8a975d76df1c414e1fd77f56aca19e0b

SHA1
c2f4e0378b6debd129263c0df992636104c83fac

SHA256
2cc23cfa6f90ae659d7d583a51cd40dc665e6704e380619aaa1559fc85a75cf0

SHA512
7c6306feebbea15fe30e3cde681bbeaff86ec658f3ced576e694a4cf0d3bb770afc34a0c00da466e8fcb6fd2035a95bde1a394680fb7ed33321b722bc05f416b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IP3K5cng5LN8.bat

Filesize
207B

MD5
3b8a5cf27cd9259dbfbc8f6a412b921c

SHA1
09d5be3cf5cd843b72ae14cf4b092ab51c4fbfb5

SHA256
7487f803ee8766de21d56d6e46bde4f6c4f57f499eebf0e174a72bd3aaac8f33

SHA512
10a589bcff0a48919f40022bec7bfdd214b9f1fb35ac55853fac1a871a2d4a6dcb4259bcdbb559ab2a73d70a1e0a6d3234c5fa6e71b881385f4bbab48e3bd72c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcpFRDWRtbGs.bat

Filesize
207B

MD5
b5fdbeec2744d9a212716d9a3ac40340

SHA1
c0b613f70210714e537c3e5ba80617799b62f2e7

SHA256
d10ed453406635be54fdd060756f658bd2f0adb00c439024a042d86b8b01439b

SHA512
1750d1ed45d8c8b22533a790c93741bf1fa8aa4f4beceb59b28366f7de4223861d98d50392229d77cf58b8c7abc2935a8f3252dec6d566b406a1bafdac8a1dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zqa2UhHEyhqx.bat

Filesize
207B

MD5
30af6ce5887e068511efbf40a5e2a850

SHA1
7c4ebd2238adc4897908681b99a148f2766dd7ab

SHA256
c068fb396e1f96b38701705496705f13af24f0e47f6c08da9e08ebc43e7996b9

SHA512
da5653de02d3487e7586472c1d89ba66153d9ad290edad5ff7d91d8bb7bd2b36a9cedad9f512473502e36bfcddab92ac318cb40ba4d21e6b075ef0a5b5f70715

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8kQH976qRvh.bat

Filesize
207B

MD5
b7a423955f1a42a2d091ab929f195eb3

SHA1
7f224c08c5884ea33d055ff7b8210344aa995383

SHA256
a13951da01d05119ce6c1400bbcb2314c8874a6740dc369d15a923d7890116fe

SHA512
d44437a9c39114d34b55e4eb451cff4351f89a2410bc5fe369a71932db106268d9fd8edba0ec26a7317427276c676a9fa3c456c26080041aacc528e285c38ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bklIZSWyOE1J.bat

Filesize
207B

MD5
d33ad1b68c0c5504b99ce4b06af30b88

SHA1
b7a1d399aa42798a31b3d033c77627937c1d06e2

SHA256
c223490a0e1d6d7807481ecb714d197ed565aadf2f57f3c206fa376bbb5e0d16

SHA512
35f8205db5a4d3a635fdf9c0d9145030610104162634d3464c4f90715ee0fc32482e6c0e48f88472106efc4c879e45d23ca4da9dcbdd7b7718fe17925ca7fd66

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvrkjPhMX4yW.bat

Filesize
207B

MD5
f316d72cc310c422ad1173eb33646292

SHA1
503af655c5e95d1c04e24792eb87d9ef6b5aea5f

SHA256
81f398345189c591d4fa8e2a7d6c53fd61ea93934dcd47270cc2df28a23ef997

SHA512
7dffd67a9eeaa158a59ae14526b77fd701b344fb87a55db5decb7acfee62a56a325599bcb4ff6f05bd9a35165036c7391f36ab9e0f4b1e6382eba5990e2818da

Download Submit
C:\Users\Admin\AppData\Local\Temp\gqMuxPCmarJn.bat

Filesize
207B

MD5
6936a5d7e62f814b55d7078507b62c03

SHA1
2085c83d638881ef3fd7f8c789e7adf7f49116d8

SHA256
6cf04f109eabd496d5073dc6adca97f6063b7e25c9bea14887471889ea9987f4

SHA512
e95ddb8877b9323205badd98e0169085500786efb22aa124d709b39a24f36c7f5463e605a207ba1ffde83ad4e8f3fbc087864ebeac8f276b0496c5b3360800aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcg6W3ej8YHR.bat

Filesize
207B

MD5
a1b43a866593981f256d4cd07b66e956

SHA1
e54301d5f39b94039fd003f1b0d937fe6dc121fc

SHA256
a3ce25b886874f640c58c47c0b663a411604aab7d743023c02fb71161ee43bbe

SHA512
b741060a4ae7ef6c67108ae6576d381430dfe1a101db2b47516fd9d448ca098bde9b8c585e9d132610b225546d094cea2fcaf558181618b9b2c86e29f572f943

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljpmaYfgNIGz.bat

Filesize
207B

MD5
bed53e081ece8dad7a6cf45f0b394eef

SHA1
dcd3f3ec198255eb99d5398ae0454900a063c08a

SHA256
1863dccf93ae85667674ffb8b75be93ec8d79e6321ce8a5d3b4bb10640c04e14

SHA512
1f09a15d9fe16271cf5dc6a342bc1befed394e9562da76a1990611c20ee68891220b6efd135e81202564303124df6cf7ffc5794006a9715369f339f4ce5a1ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwjT7I4PgfD9.bat

Filesize
207B

MD5
ccc426c46fdfc8ae54ff07be33495903

SHA1
508616f35bf5bbdcd11d6bb6d66fe17146bb1be6

SHA256
a4858bf02e4612601d17a77630d4bcd21f6afbef10eaa43cb0f21bc1eab6a31c

SHA512
0e6bc90008671796eaef39d48c8fd137a62a75cc568592e40e4629bf8f205513ec5e3f7c756ac22a3990421b54883d30bca6528eef3147fe97c5eaf42661ae94

Download Submit
C:\Users\Admin\AppData\Local\Temp\p87TiULlDrPG.bat

Filesize
207B

MD5
8a9df7f0bb7551b2060c108da0bc9eb5

SHA1
21410418b5df3592f442b905aa8ab7d05ab5a657

SHA256
22497e061b8403ed54baf8aa6976d0cdaf8a1c6557997542bf9e19eda06cfc19

SHA512
f23d776d84376ced230f764d1ed3b9497ae0937b7bc19df7f5c26149f20cf39d945a7afdd140222de7c615ae65696f317dd09514710e33f132445cef81902aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qPqQZRSjTys0.bat

Filesize
207B

MD5
adb0b87e53d9b3c79b1c8f133f96fdf3

SHA1
7ba7da5e44d426ed138d6d691f0142ff4ddd0cde

SHA256
f89bd9aabc70e370dc05981a120a069b76d7360ac222261aaafe8c3be2f67a2c

SHA512
253b2c5f5cc2e05f1a177d35091ec1fa9f9b41403ae3c873bf3eb6f0c2203b7794680ff82b5e2a247b60657c30b3682a2b5360e3c97d11ac4263f98d976d59e7

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
725d1a4fd1a4f99d75eaaea5f14fe4cf

SHA1
c3830675ccf80239c4b0a6512dfc11de9a869305

SHA256
092a98d29046e63c14e4e3d123e2bb14b99a4d0009ad576c26e8be61c692e846

SHA512
931185f491bdcc7844c47298a047810b34eb0b672ea6d3b222a4d5e202505698b4034b139706e4e50b097e15171560f72a8bba2118cef8e0ab40f2b3df394d28

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
933a86bfad401da7cf0884715bcb0b01

SHA1
fa8add3a5290205bee587a8d456993f893481d8b

SHA256
7fd67685d4887809e2e1d22720e65451658fd232c01c211ba0247fa1f902b42f

SHA512
f7bb091e57485da3b475b1bd3c2c9d6d03531e7850696465e83c170ac262f87b9c18105582fea47e1bbb85727ac213ad0fd7f6d6a52f37f753e31f2b52d95fce

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
d22166ab2701ed0b6e8b3dde965b5d2d

SHA1
70621cdf4dd84e3e07d75eeb045b76a94330fe18

SHA256
f362c881212637059a0d8458a5b449e89bc5ff3922fd69bfcf7c602aafe1aa12

SHA512
aa7626992c625087c168bd423ad0b1a7a6ca65daa199ce599683c23ca2d4851b0c9e9082737335dc1821f8574055665b47fedb2919e1f2bc2ad309c2fecfea78

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
141af645d287cd2d42c8a2af3a91a4d3

SHA1
d58e1c636174bcaa29d6afbf9ad7a075cd6a4b20

SHA256
5f81152d0e76b7fe911b132b54dc2fd527db8017d6152edec03952c80447b09d

SHA512
04a956969ff040069d3905dcb0df20a20321571fb046ab703a90f7b7a1b6e893ff317ff5b27de3bafa627701029159ee49865a2d17ad34e99de98001f91fd018

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
45b7e08e1174f58c7fec1b43cbd9472e

SHA1
46dd88875d838fd6c498573ddcb4166371f0ded6

SHA256
dea76c9dcc7f5dc861075281abfd194d43fc86f1c286296b1ba36e8a63279a77

SHA512
4e9724e443f636dc1b35d6db693e85e7c1975012b4cb7007ad9a8a387cd2429eb217b803e24c9f9e023366bfd847314e7de2c3dc80690a52977dadb9798b9b30

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-09-2025

Filesize
224B

MD5
515a14a82361158a2635f8e4dd2a9dc7

SHA1
56f439ec72b6f750a51e42dc1397e19af647cc63

SHA256
ad00ef9fecaf215c1ac3ac67e955c8f6f849848f4ac92074918dadc3005e9583

SHA512
da96150875b5574c8a90ff8e220462b73686773efa2c184783f3fe5cdd82c5735b7f20938a732c9a53cc7ae44abc188a24f57a3d5361a8eb4c6092a9d0a49455

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
348KB

MD5
222eb2520861357489b7a11a99656e3f

SHA1
fb21802a64e6bbc3a9746e5ee5e4f92c2dc8bfcf

SHA256
12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73

SHA512
991d90dda45c324e4b15a3cf3d0f5209d2f71c4d3145169215737c448d8ce0da494f32a2187e5bddb4eac488a48e18b061ff7bd42d1a28458e472359af798ecb

Download Submit
memory/776-155-0x00000000003F0000-0x000000000044E000-memory.dmp

Filesize
376KB

Download
memory/944-165-0x0000000001360000-0x00000000013BE000-memory.dmp

Filesize
376KB

Download
memory/1048-88-0x0000000000DA0000-0x0000000000DFE000-memory.dmp

Filesize
376KB

Download
memory/1148-127-0x0000000000E50000-0x0000000000EAE000-memory.dmp

Filesize
376KB

Download
memory/1500-69-0x0000000000DA0000-0x0000000000DFE000-memory.dmp

Filesize
376KB

Download
memory/1744-28-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/1744-12-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/1744-10-0x00000000012C0000-0x000000000131E000-memory.dmp

Filesize
376KB

Download
memory/1744-11-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/1816-31-0x0000000001310000-0x000000000136E000-memory.dmp

Filesize
376KB

Download
memory/2304-145-0x0000000000320000-0x000000000037E000-memory.dmp

Filesize
376KB

Download
memory/2552-0-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/2552-9-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2552-2-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2552-1-0x0000000000DC0000-0x0000000000E1E000-memory.dmp

Filesize
376KB

Download
memory/2912-50-0x00000000000E0000-0x000000000013E000-memory.dmp

Filesize
376KB

Download
memory/2992-175-0x0000000001360000-0x00000000013BE000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads