latentbot | a0afd97f96d8f8eae7f077296301e102a8e85a06daf09920c92e7b203c5e3236

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-01-2025 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CACert/Credit Agricole Certification.exe
Size

968KB
MD5

6e1592f76cea09a8e35cb57f8f54c20f
SHA1

8af95927365234e401b235061c2b5c6d92dfbaf0
SHA256

7d492b7adaea0d7f7ce37d659b7fed9433338cd2acacba701f998350b06a5641
SHA512

a9fee5ab6645bc2b669240e0ad8ee6a023b266042042bb79799a13db7b8d523aaed18ba23a224d3779843205927208b3d8887eeb3774f5b146a46e235496e80e
SSDEEP

12288:DiacNrbNoAo5tv3PXxORQe01era+KfjCxiGC7tmImqNXpili3udAx0Eg5Wt7:maKrudv/hO9mtjII7XmMo0sEg5Y

Score

10^/10

latentbot quasar noah discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Noah

creditagricole.zapto.org:4444

Mutex

35b7f2fc-d3c2-4c55-949a-438b2c403cbf

Attributes

encryption_key
482EAF21E4E65641294432E5F419F7A5A916811B
install_name
CACert.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Credit Agricole Cert
subdirectory
SubDir

Extracted

Family

latentbot

creditagricole.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral3/files/0x0006000000019bf9-26.dat	family_quasar
behavioral3/memory/2848-30-0x00000000009F0000-0x0000000000D14000-memory.dmp	family_quasar
behavioral3/memory/2984-36-0x0000000000260000-0x0000000000584000-memory.dmp	family_quasar
behavioral3/memory/1884-47-0x0000000000B30000-0x0000000000E54000-memory.dmp	family_quasar
behavioral3/memory/1952-58-0x0000000000090000-0x00000000003B4000-memory.dmp	family_quasar
behavioral3/memory/1912-69-0x0000000000A60000-0x0000000000D84000-memory.dmp	family_quasar
behavioral3/memory/1664-80-0x0000000000AE0000-0x0000000000E04000-memory.dmp	family_quasar
behavioral3/memory/1528-91-0x0000000000350000-0x0000000000674000-memory.dmp	family_quasar
behavioral3/memory/2988-102-0x0000000000AC0000-0x0000000000DE4000-memory.dmp	family_quasar
behavioral3/memory/2848-113-0x00000000012E0000-0x0000000001604000-memory.dmp	family_quasar
behavioral3/memory/1900-124-0x00000000013E0000-0x0000000001704000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2552	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
2848	CACert.exe
2984	CACert.exe
1884	CACert.exe
1952	CACert.exe
1912	CACert.exe
1664	CACert.exe
1528	CACert.exe
2988	CACert.exe
2848	CACert.exe
1900	CACert.exe
1748	CACert.exe
520	CACert.exe
1020	CACert.exe
1472	CACert.exe

Loads dropped DLL 1 IoCs

pid	Process
1620	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Credit Agricole Certification.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2080	PING.EXE
2036	PING.EXE
1596	PING.EXE
2924	PING.EXE
2348	PING.EXE
2916	PING.EXE
2288	PING.EXE
976	PING.EXE
2372	PING.EXE
788	PING.EXE
1500	PING.EXE
1668	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2080	PING.EXE
976	PING.EXE
1596	PING.EXE
2372	PING.EXE
788	PING.EXE
1500	PING.EXE
2288	PING.EXE
2036	PING.EXE
2924	PING.EXE
2348	PING.EXE
2916	PING.EXE
1668	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2736	schtasks.exe
800	schtasks.exe
2076	schtasks.exe
3048	schtasks.exe
684	schtasks.exe
2984	schtasks.exe
1640	schtasks.exe
2140	schtasks.exe
1952	schtasks.exe
1912	schtasks.exe
2416	schtasks.exe
2908	schtasks.exe
236	schtasks.exe
1128	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2552	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2848	CACert.exe
Token: SeDebugPrivilege	2984	CACert.exe
Token: SeDebugPrivilege	1884	CACert.exe
Token: SeDebugPrivilege	1952	CACert.exe
Token: SeDebugPrivilege	1912	CACert.exe
Token: SeDebugPrivilege	1664	CACert.exe
Token: SeDebugPrivilege	1528	CACert.exe
Token: SeDebugPrivilege	2988	CACert.exe
Token: SeDebugPrivilege	2848	CACert.exe
Token: SeDebugPrivilege	1900	CACert.exe
Token: SeDebugPrivilege	1748	CACert.exe
Token: SeDebugPrivilege	520	CACert.exe
Token: SeDebugPrivilege	1020	CACert.exe
Token: SeDebugPrivilege	1472	CACert.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 1620	1236	Credit Agricole Certification.exe	30
PID 1236 wrote to memory of 1620	1236	Credit Agricole Certification.exe	30
PID 1236 wrote to memory of 1620	1236	Credit Agricole Certification.exe	30
PID 1236 wrote to memory of 1620	1236	Credit Agricole Certification.exe	30
PID 1620 wrote to memory of 2552	1620	cmd.exe	32
PID 1620 wrote to memory of 2552	1620	cmd.exe	32
PID 1620 wrote to memory of 2552	1620	cmd.exe	32
PID 1620 wrote to memory of 2552	1620	cmd.exe	32
PID 1620 wrote to memory of 2848	1620	cmd.exe	33
PID 1620 wrote to memory of 2848	1620	cmd.exe	33
PID 1620 wrote to memory of 2848	1620	cmd.exe	33
PID 1620 wrote to memory of 2848	1620	cmd.exe	33
PID 2848 wrote to memory of 3048	2848	CACert.exe	34
PID 2848 wrote to memory of 3048	2848	CACert.exe	34
PID 2848 wrote to memory of 3048	2848	CACert.exe	34
PID 2848 wrote to memory of 2984	2848	CACert.exe	36
PID 2848 wrote to memory of 2984	2848	CACert.exe	36
PID 2848 wrote to memory of 2984	2848	CACert.exe	36
PID 2984 wrote to memory of 2736	2984	CACert.exe	37
PID 2984 wrote to memory of 2736	2984	CACert.exe	37
PID 2984 wrote to memory of 2736	2984	CACert.exe	37
PID 2984 wrote to memory of 2352	2984	CACert.exe	39
PID 2984 wrote to memory of 2352	2984	CACert.exe	39
PID 2984 wrote to memory of 2352	2984	CACert.exe	39
PID 2352 wrote to memory of 1796	2352	cmd.exe	41
PID 2352 wrote to memory of 1796	2352	cmd.exe	41
PID 2352 wrote to memory of 1796	2352	cmd.exe	41
PID 2352 wrote to memory of 2080	2352	cmd.exe	42
PID 2352 wrote to memory of 2080	2352	cmd.exe	42
PID 2352 wrote to memory of 2080	2352	cmd.exe	42
PID 2352 wrote to memory of 1884	2352	cmd.exe	43
PID 2352 wrote to memory of 1884	2352	cmd.exe	43
PID 2352 wrote to memory of 1884	2352	cmd.exe	43
PID 1884 wrote to memory of 800	1884	CACert.exe	44
PID 1884 wrote to memory of 800	1884	CACert.exe	44
PID 1884 wrote to memory of 800	1884	CACert.exe	44
PID 1884 wrote to memory of 2900	1884	CACert.exe	46
PID 1884 wrote to memory of 2900	1884	CACert.exe	46
PID 1884 wrote to memory of 2900	1884	CACert.exe	46
PID 2900 wrote to memory of 2216	2900	cmd.exe	48
PID 2900 wrote to memory of 2216	2900	cmd.exe	48
PID 2900 wrote to memory of 2216	2900	cmd.exe	48
PID 2900 wrote to memory of 2288	2900	cmd.exe	49
PID 2900 wrote to memory of 2288	2900	cmd.exe	49
PID 2900 wrote to memory of 2288	2900	cmd.exe	49
PID 2900 wrote to memory of 1952	2900	cmd.exe	50
PID 2900 wrote to memory of 1952	2900	cmd.exe	50
PID 2900 wrote to memory of 1952	2900	cmd.exe	50
PID 1952 wrote to memory of 2076	1952	CACert.exe	51
PID 1952 wrote to memory of 2076	1952	CACert.exe	51
PID 1952 wrote to memory of 2076	1952	CACert.exe	51
PID 1952 wrote to memory of 2172	1952	CACert.exe	53
PID 1952 wrote to memory of 2172	1952	CACert.exe	53
PID 1952 wrote to memory of 2172	1952	CACert.exe	53
PID 2172 wrote to memory of 2180	2172	cmd.exe	55
PID 2172 wrote to memory of 2180	2172	cmd.exe	55
PID 2172 wrote to memory of 2180	2172	cmd.exe	55
PID 2172 wrote to memory of 976	2172	cmd.exe	56
PID 2172 wrote to memory of 976	2172	cmd.exe	56
PID 2172 wrote to memory of 976	2172	cmd.exe	56
PID 2172 wrote to memory of 1912	2172	cmd.exe	57
PID 2172 wrote to memory of 1912	2172	cmd.exe	57
PID 2172 wrote to memory of 1912	2172	cmd.exe	57
PID 1912 wrote to memory of 684	1912	CACert.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CACert\Credit Agricole Certification.exe
"C:\Users\Admin\AppData\Local\Temp\CACert\Credit Agricole Certification.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7z7F7A64D4\Credit Agricole Certification.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command Add-MpPreference -ExclusionPath "$PWD\CACert.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- - C:\Users\Admin\AppData\Local\Temp\7z7F7A64D4\CACert.exe
    C:\Users\Admin\AppData\Local\Temp\7z7F7A64D4\CACert.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3048
  - - C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2736
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1cCdBGQK6xNY.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2352
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1796
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2080
      - C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:800
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NTpQjEOBdsUu.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2076
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UXhLfgIAUnDh.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:976
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:684
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fJcmNpwxwSMx.bat" "
        11⤵
        
        PID:472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2416
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vwMO22Qf6rPW.bat" "
        13⤵
        
        PID:2360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1640
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ua1xDZJS8Ab4.bat" "
        15⤵
        
        PID:972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2924
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2908
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\B13AAtBSe7ZB.bat" "
        17⤵
        
        PID:2724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2984
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9jECr6iAyunN.bat" "
        19⤵
        
        PID:2388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2812
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2140
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SMhd6M2Pj0zV.bat" "
        21⤵
        
        PID:2900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1952
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIzFpKHc91ea.bat" "
        23⤵
        
        PID:2172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:788
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:520
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1912
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZhpTJAQGN0pF.bat" "
        25⤵
        
        PID:772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1500
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:236
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LIgMSFt6pbhn.bat" "
        27⤵
        
        PID:560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1668
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1128
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JEps1E4pU1Qz.bat" "
        29⤵
        
        PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1cCdBGQK6xNY.bat

Filesize
207B

MD5
3b10a2620cdf6095c3182bbe565405ad

SHA1
44dfddd71b25a8a95af8e73559e37815bd5c93c6

SHA256
186f6059d4baecc86788f40d0c8267dbf68a745cf70b087431969463c70ed4bb

SHA512
52eb7272da50a172c335d46fde103961f3473cf8a5b682c9bdd8833c0129417c058e390fa9ee76ef38f359d746a78ab0204cfbb5da7f63701814c44b5dbd1fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7F7A64D4\Credit Agricole Certification.bat

Filesize
90B

MD5
7eafc385f54ceb2e3f3167b11da4207e

SHA1
d8800e9730657105943714b98f5d5263fa75286b

SHA256
00b49116a97a2171cb0399ea050697153bcfb75b08c13105e0ccd769804bbc07

SHA512
4d446c40c9195b69f6eded2d23f315c55827036b12fdbaf309044ec4559664219b7f90ab00698953378c80a15ea6d96ed7f9d9cbc19f39347763967af40c55b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9jECr6iAyunN.bat

Filesize
207B

MD5
e8a871ffe18da5f86d090646d5a99f1e

SHA1
cbc16d90ce2572bbee98459f18783c93965f9813

SHA256
8d3ff7b1b858ae6b50641b7c60acffa0c0c0a2c9933c338410b05dfc8370401c

SHA512
02b659467602839b1e7f86357e08f288eb3f25cee756cd74b5fc9c7e5e985c36ab50bd81501039d8c364f291a9c97c9fa04237d2e55a6955bb837d7275c80837

Download Submit
C:\Users\Admin\AppData\Local\Temp\B13AAtBSe7ZB.bat

Filesize
207B

MD5
8fcb83b12e6932e59a4d1efed7fd97ab

SHA1
fbcc6e9e8a9f197019c76e15f30763a8593dc294

SHA256
b3d598b23497c0d6a1a1b924577a8e1bfa42853b609cc26d5b969a93868ac3fb

SHA512
79013361677d454838bea87208c165d1c62877b0e129b329788da1d2a3922d10714d61be660e6d94743f29d924acdd5ada1d8968afd4ca9838249ce3f2637154

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIgMSFt6pbhn.bat

Filesize
207B

MD5
486f9abc2b43c50c45fc062fa5727d6b

SHA1
8684364557c969850d7d24d8b15493425fe1cc6d

SHA256
50ec842db4b00526cdc6368a142c943313cd4710eca1b7528c65d253123f5213

SHA512
52fa6f15f314865d9ad957e87db8e3b791fd8e42f9dd01ae6469662a013234b8c38d0a00dcade7d3e568c9d599b216d6e190e37132bb037455c91a7498da4fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTpQjEOBdsUu.bat

Filesize
207B

MD5
e03678c83661e257792b7aa96988485e

SHA1
6f64cf4ad0c8bdc2d133fb864b8e6451b048b043

SHA256
fd78846cf35e23a3f25f09ae0a6625dfe2dd65722259a0482e2053679f40ca2d

SHA512
1a09c0bf240532ce0efe0d0945b6e9c2cb701e7419526816479cc29db5ebac9bc1b27bf0c70927668d0143adc0986db5e57a2a47a6fa7026e79caa934e063339

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMhd6M2Pj0zV.bat

Filesize
207B

MD5
5f578f47dcc78e5df06a60fce053bb0f

SHA1
9750fee6a9fdef12ac41dd247805ab4c10fbc1c6

SHA256
d792b97bef9bd940f8fcc22af51135e5ad1c1d2a7878f288be8df05675f78b7c

SHA512
bdf79ded595b1da556013824dc5c9f05eb6fdae32ab2396926dcac16c0d101a43eced828b8b5880a64e6ce0ad4523daf2fd9067113bfe25ebd271785bd769443

Download Submit
C:\Users\Admin\AppData\Local\Temp\UXhLfgIAUnDh.bat

Filesize
207B

MD5
6073b580e74874f95f41d8ac9c95babc

SHA1
a0cbb496a6df0075bad7cfadd5f02cc0066ed990

SHA256
a25315ba9de894da6a580099e5de64fbad088adb11d0f038a9f3d038da110c3f

SHA512
f50abc6a8aa2bb4659a1f0c3c2725924d562cddddcb0b7881af8482854707cd3f734440f6eb2ebd42767b1188fc50be3518090db316feea291c08522bebe7170

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZhpTJAQGN0pF.bat

Filesize
207B

MD5
7b1d6c4425c2634ada5f26f37cf8e9f6

SHA1
c23d6851965a9b6a55ce8361036af4667411da8e

SHA256
bab6d41fd6ea06e34bb88aafa56778b1bf868e9632c2deb079db505cc9231b2d

SHA512
9a43d157d35de088b15633652b2895882a0d80279ae4139b575fa7671db1178656bd452538a08d3d2c8a6e66b2587aaa7c7d8f39d39891a5ab88172c38593190

Download Submit
C:\Users\Admin\AppData\Local\Temp\fJcmNpwxwSMx.bat

Filesize
207B

MD5
8da1a4d18de362af702a99edb2a8b45e

SHA1
59b2c94cd535d87a7bcdb5f53b17bdc8313b299c

SHA256
d1ffe3f835c0b160135ff1e7b9e5e43780cf85a93c40d05fecdb7ae829496f7f

SHA512
bb69f9fe4c8744d19a997fb498063cf36c7b37e7c058fa4dc24a8586a4341343fa1c55f9d4c0a16326c372c4033648851d44fa1c64abadbf40717dfbb58decce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ua1xDZJS8Ab4.bat

Filesize
207B

MD5
9f250bcbf33fc518b9738fb1db7c714e

SHA1
54cf5b126c58fef33d5b63ce9eeee310b53d0d0d

SHA256
d38efeb22731f9a66ab02b2c6a43e1846a6d69d56f1356a9670778344b8456b9

SHA512
b93b1dd4829b1486f144f3cb19ba68b72de49503847dce243a5abe30bc4949e46f9d89ca609b7461496fdf4b17be29c2420b8afa26d42118c357b44413055117

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwMO22Qf6rPW.bat

Filesize
207B

MD5
c0713cc76f4e6bf3fe06f87842cf33a9

SHA1
86475d9676e4d53b928bb82698cd72bfd3870d5a

SHA256
bbc8d905df18eac4e6df8695e04502723b7cbc66c891a7e2acc1958980d51840

SHA512
01b6ea22bdb581d19626b76c389ec750c1d5d3733eab70083f7b5c6b3e272d21aea284071f9087dd6400e140a95feae662f6a99d5dde7c7d268890c5a95577ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIzFpKHc91ea.bat

Filesize
207B

MD5
1136d13d938493a7787b784c30729a19

SHA1
0857e10ee2bd026414a48bfc5373a11677fbc91d

SHA256
f6df04c50b64fc93c87621101ce5e35fbd87bf319c47b365bf4df901ef28bbf3

SHA512
c7e29e47d2a0a078628dadb571acb652375680c9cff472556e6715a9e0ffc0655408b38cbcc00cb1db6e3fb55082eae9f1b943bdfa6fda25eb35a8a01b4e7691

Download Submit
\Users\Admin\AppData\Local\Temp\7z7F7A64D4\CACert.exe

Filesize
3.1MB

MD5
66c0c400c027e476edc8452c4355150c

SHA1
2212e14ea0ec4393046217f837b107d20274c618

SHA256
d4422da00365e99fb49c83f31d2ea50f1a041d7fdda218c6823ee26491221924

SHA512
10908a0bf8f29a5690e6d6626421516af61070bb5b12568f255318c066956dd9f36f98802a91e9ef03466f045873711c7d6e368221b7d67e36b7827559652a53

Download Submit
memory/1528-91-0x0000000000350000-0x0000000000674000-memory.dmp

Filesize
3.1MB

Download
memory/1664-80-0x0000000000AE0000-0x0000000000E04000-memory.dmp

Filesize
3.1MB

Download
memory/1884-47-0x0000000000B30000-0x0000000000E54000-memory.dmp

Filesize
3.1MB

Download
memory/1900-124-0x00000000013E0000-0x0000000001704000-memory.dmp

Filesize
3.1MB

Download
memory/1912-69-0x0000000000A60000-0x0000000000D84000-memory.dmp

Filesize
3.1MB

Download
memory/1952-58-0x0000000000090000-0x00000000003B4000-memory.dmp

Filesize
3.1MB

Download
memory/2552-23-0x0000000073B90000-0x000000007413B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-25-0x0000000073B90000-0x000000007413B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-24-0x0000000073B90000-0x000000007413B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-22-0x0000000073B90000-0x000000007413B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-21-0x0000000073B90000-0x000000007413B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-20-0x0000000073B91000-0x0000000073B92000-memory.dmp

Filesize
4KB

Download
memory/2848-30-0x00000000009F0000-0x0000000000D14000-memory.dmp

Filesize
3.1MB

Download
memory/2848-113-0x00000000012E0000-0x0000000001604000-memory.dmp

Filesize
3.1MB

Download
memory/2984-36-0x0000000000260000-0x0000000000584000-memory.dmp

Filesize
3.1MB

Download
memory/2988-102-0x0000000000AC0000-0x0000000000DE4000-memory.dmp

Filesize
3.1MB

Download