latentbot | a0afd97f96d8f8eae7f077296301e102a8e85a06daf09920c92e7b203c5e3236

Analysis

max time kernel
141s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2025 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CACert/Credit Agricole Certification.exe
Size

968KB
MD5

6e1592f76cea09a8e35cb57f8f54c20f
SHA1

8af95927365234e401b235061c2b5c6d92dfbaf0
SHA256

7d492b7adaea0d7f7ce37d659b7fed9433338cd2acacba701f998350b06a5641
SHA512

a9fee5ab6645bc2b669240e0ad8ee6a023b266042042bb79799a13db7b8d523aaed18ba23a224d3779843205927208b3d8887eeb3774f5b146a46e235496e80e
SSDEEP

12288:DiacNrbNoAo5tv3PXxORQe01era+KfjCxiGC7tmImqNXpili3udAx0Eg5Wt7:maKrudv/hO9mtjII7XmMo0sEg5Y

Score

10^/10

latentbot quasar noah discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Noah

creditagricole.zapto.org:4444

Mutex

35b7f2fc-d3c2-4c55-949a-438b2c403cbf

Attributes

encryption_key
482EAF21E4E65641294432E5F419F7A5A916811B
install_name
CACert.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Credit Agricole Cert
subdirectory
SubDir

Extracted

Family

latentbot

creditagricole.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000a000000023b94-56.dat	family_quasar
behavioral4/memory/3092-60-0x0000000000460000-0x0000000000784000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4416	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Credit Agricole Certification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	CACert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	CACert.exe

Executes dropped EXE 15 IoCs

pid	Process
3092	CACert.exe
2520	CACert.exe
2552	CACert.exe
2880	CACert.exe
2348	CACert.exe
720	CACert.exe
4108	CACert.exe
852	CACert.exe
3876	CACert.exe
996	CACert.exe
3920	CACert.exe
740	CACert.exe
3964	CACert.exe
3812	CACert.exe
4412	CACert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Credit Agricole Certification.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4316	PING.EXE
1588	PING.EXE
2764	PING.EXE
2388	PING.EXE
1556	PING.EXE
1888	PING.EXE
1008	PING.EXE
2896	PING.EXE
3752	PING.EXE
3704	PING.EXE
3928	PING.EXE
2084	PING.EXE
2992	PING.EXE
4712	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
3928	PING.EXE
4712	PING.EXE
1008	PING.EXE
2896	PING.EXE
3752	PING.EXE
2388	PING.EXE
1588	PING.EXE
3704	PING.EXE
4316	PING.EXE
2992	PING.EXE
2764	PING.EXE
1556	PING.EXE
1888	PING.EXE
2084	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4508	schtasks.exe
4020	schtasks.exe
232	schtasks.exe
2056	schtasks.exe
832	schtasks.exe
4416	schtasks.exe
4396	schtasks.exe
2348	schtasks.exe
2752	schtasks.exe
3964	schtasks.exe
4700	schtasks.exe
4756	schtasks.exe
408	schtasks.exe
3692	schtasks.exe
4108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4416	powershell.exe
4416	powershell.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	3092	CACert.exe
Token: SeDebugPrivilege	2520	CACert.exe
Token: SeDebugPrivilege	2552	CACert.exe
Token: SeDebugPrivilege	2880	CACert.exe
Token: SeDebugPrivilege	2348	CACert.exe
Token: SeDebugPrivilege	720	CACert.exe
Token: SeDebugPrivilege	4108	CACert.exe
Token: SeDebugPrivilege	852	CACert.exe
Token: SeDebugPrivilege	3876	CACert.exe
Token: SeDebugPrivilege	996	CACert.exe
Token: SeDebugPrivilege	3920	CACert.exe
Token: SeDebugPrivilege	740	CACert.exe
Token: SeDebugPrivilege	3964	CACert.exe
Token: SeDebugPrivilege	3812	CACert.exe
Token: SeDebugPrivilege	4412	CACert.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 1948	1804	Credit Agricole Certification.exe	83
PID 1804 wrote to memory of 1948	1804	Credit Agricole Certification.exe	83
PID 1804 wrote to memory of 1948	1804	Credit Agricole Certification.exe	83
PID 1948 wrote to memory of 4416	1948	cmd.exe	86
PID 1948 wrote to memory of 4416	1948	cmd.exe	86
PID 1948 wrote to memory of 4416	1948	cmd.exe	86
PID 1948 wrote to memory of 3092	1948	cmd.exe	87
PID 1948 wrote to memory of 3092	1948	cmd.exe	87
PID 3092 wrote to memory of 408	3092	CACert.exe	90
PID 3092 wrote to memory of 408	3092	CACert.exe	90
PID 3092 wrote to memory of 2520	3092	CACert.exe	92
PID 3092 wrote to memory of 2520	3092	CACert.exe	92
PID 2520 wrote to memory of 4396	2520	CACert.exe	96
PID 2520 wrote to memory of 4396	2520	CACert.exe	96
PID 2520 wrote to memory of 2740	2520	CACert.exe	99
PID 2520 wrote to memory of 2740	2520	CACert.exe	99
PID 2740 wrote to memory of 2240	2740	cmd.exe	101
PID 2740 wrote to memory of 2240	2740	cmd.exe	101
PID 2740 wrote to memory of 3752	2740	cmd.exe	102
PID 2740 wrote to memory of 3752	2740	cmd.exe	102
PID 2740 wrote to memory of 2552	2740	cmd.exe	109
PID 2740 wrote to memory of 2552	2740	cmd.exe	109
PID 2552 wrote to memory of 232	2552	CACert.exe	110
PID 2552 wrote to memory of 232	2552	CACert.exe	110
PID 2552 wrote to memory of 4608	2552	CACert.exe	112
PID 2552 wrote to memory of 4608	2552	CACert.exe	112
PID 4608 wrote to memory of 2684	4608	cmd.exe	115
PID 4608 wrote to memory of 2684	4608	cmd.exe	115
PID 4608 wrote to memory of 4316	4608	cmd.exe	116
PID 4608 wrote to memory of 4316	4608	cmd.exe	116
PID 4608 wrote to memory of 2880	4608	cmd.exe	118
PID 4608 wrote to memory of 2880	4608	cmd.exe	118
PID 2880 wrote to memory of 3964	2880	CACert.exe	119
PID 2880 wrote to memory of 3964	2880	CACert.exe	119
PID 2880 wrote to memory of 2860	2880	CACert.exe	122
PID 2880 wrote to memory of 2860	2880	CACert.exe	122
PID 2860 wrote to memory of 1396	2860	cmd.exe	124
PID 2860 wrote to memory of 1396	2860	cmd.exe	124
PID 2860 wrote to memory of 1888	2860	cmd.exe	125
PID 2860 wrote to memory of 1888	2860	cmd.exe	125
PID 2860 wrote to memory of 2348	2860	cmd.exe	130
PID 2860 wrote to memory of 2348	2860	cmd.exe	130
PID 2348 wrote to memory of 3692	2348	CACert.exe	131
PID 2348 wrote to memory of 3692	2348	CACert.exe	131
PID 2348 wrote to memory of 2096	2348	CACert.exe	133
PID 2348 wrote to memory of 2096	2348	CACert.exe	133
PID 2096 wrote to memory of 4324	2096	cmd.exe	136
PID 2096 wrote to memory of 4324	2096	cmd.exe	136
PID 2096 wrote to memory of 2084	2096	cmd.exe	137
PID 2096 wrote to memory of 2084	2096	cmd.exe	137
PID 2096 wrote to memory of 720	2096	cmd.exe	139
PID 2096 wrote to memory of 720	2096	cmd.exe	139
PID 720 wrote to memory of 2056	720	CACert.exe	140
PID 720 wrote to memory of 2056	720	CACert.exe	140
PID 720 wrote to memory of 4984	720	CACert.exe	143
PID 720 wrote to memory of 4984	720	CACert.exe	143
PID 4984 wrote to memory of 2848	4984	cmd.exe	145
PID 4984 wrote to memory of 2848	4984	cmd.exe	145
PID 4984 wrote to memory of 1588	4984	cmd.exe	146
PID 4984 wrote to memory of 1588	4984	cmd.exe	146
PID 4984 wrote to memory of 4108	4984	cmd.exe	147
PID 4984 wrote to memory of 4108	4984	cmd.exe	147
PID 4108 wrote to memory of 832	4108	CACert.exe	148
PID 4108 wrote to memory of 832	4108	CACert.exe	148

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CACert\Credit Agricole Certification.exe
"C:\Users\Admin\AppData\Local\Temp\CACert\Credit Agricole Certification.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7z79E3570C\Credit Agricole Certification.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command Add-MpPreference -ExclusionPath "$PWD\CACert.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4416
- - C:\Users\Admin\AppData\Local\Temp\7z79E3570C\CACert.exe
    C:\Users\Admin\AppData\Local\Temp\7z79E3570C\CACert.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:408
  - - C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4396
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mBOOI2T7a60r.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2240
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3752
      - C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3sLdLqZM0WI2.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4316
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkMNe6gBfxxy.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1888
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAKWpG0NgVPW.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAXjzZyCmvpI.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1588
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QJJyIXQRnxgC.bat" "
        15⤵
        
        PID:1692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gDPKcGBvBoXA.bat" "
        17⤵
        
        PID:1084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3704
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuP4kzkHMFpD.bat" "
        19⤵
        
        PID:3648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2388
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yVxmOSzx5dIr.bat" "
        21⤵
        
        PID:1824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3920
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nk6lkmvrZQeK.bat" "
        23⤵
        
        PID:4968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3928
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fHaYAC8BRpdt.bat" "
        25⤵
        
        PID:1116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qsEFGpKy3kRO.bat" "
        27⤵
        
        PID:4268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4712
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3812
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1SlA7VCRfOBj.bat" "
        29⤵
        
        PID:1360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1008
        
        C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Credit Agricole Cert" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CACert.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\68dyCKHabJGP.bat" "
        31⤵
        
        PID:1640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CACert.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\1SlA7VCRfOBj.bat

Filesize
207B

MD5
48b41cc33e9ac59c28a0bbaae908f9b8

SHA1
1e5d5ed26f03b6f749614a5c5606cb78c154e4df

SHA256
dc9d593d5706b73a104ed041a1162aa9d3e4d315d8e5ef65391f5dad94c447a5

SHA512
b4cb2b8c6641daad41e62884c21dfab828f1b6dfcc22ce43f22636210ea8429e70b307a4d572bea939c68ed874fe7d6f2b0dab9dec10c73d7a99f736438db848

Download Submit
C:\Users\Admin\AppData\Local\Temp\3sLdLqZM0WI2.bat

Filesize
207B

MD5
cc3f531c341801996278735ce41f64f0

SHA1
2dc6d6f7486ac3606a3d00c91de061bb7eada225

SHA256
5e2c5841d11c194d42066aaeb61164d63e114453fdc03349590bce11cc589051

SHA512
27e017b055b6028446e842bd83f84d532d6c73f8a30a6de5fd4b1e789b7d98a5f813be86b55a5f67f3704ab12f96e436bb17d36ed423d373e172def841337298

Download Submit
C:\Users\Admin\AppData\Local\Temp\68dyCKHabJGP.bat

Filesize
207B

MD5
4decaa8c4c4f24c452ff5bc2255cd74a

SHA1
d84d3096450b61b10307216d69a67602fccec1b0

SHA256
7fc7a51c40e37d9c9c510f3293ee2ad6c5253649b7d6f6517f4e7535ed253016

SHA512
23d8233c5c7c4eafc93a338b6a5a03d7dfce100d85b065260088c1f487d338ceb176d945ab7d05aae98858bba2608cc4a28fc2af3d0c88989af1be496f621fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z79E3570C\CACert.exe

Filesize
3.1MB

MD5
66c0c400c027e476edc8452c4355150c

SHA1
2212e14ea0ec4393046217f837b107d20274c618

SHA256
d4422da00365e99fb49c83f31d2ea50f1a041d7fdda218c6823ee26491221924

SHA512
10908a0bf8f29a5690e6d6626421516af61070bb5b12568f255318c066956dd9f36f98802a91e9ef03466f045873711c7d6e368221b7d67e36b7827559652a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z79E3570C\Credit Agricole Certification.bat

Filesize
90B

MD5
7eafc385f54ceb2e3f3167b11da4207e

SHA1
d8800e9730657105943714b98f5d5263fa75286b

SHA256
00b49116a97a2171cb0399ea050697153bcfb75b08c13105e0ccd769804bbc07

SHA512
4d446c40c9195b69f6eded2d23f315c55827036b12fdbaf309044ec4559664219b7f90ab00698953378c80a15ea6d96ed7f9d9cbc19f39347763967af40c55b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAXjzZyCmvpI.bat

Filesize
207B

MD5
1cd24868bf844602bc865ba6c2ab2d07

SHA1
a3400b1d5ea091cc60110417d28ac58b2409aaf0

SHA256
96cdb4a918ced178f6ee0e0e89a8797208dd8bbd23bd18fc949c5acd0831ecb9

SHA512
e77f09a28667d4f7d75d93f8aaa49a73f86f39d36e7eddeb73fbde71671a422e2410b56d1cde61caae5777840d4dc560d2f662de86227717ddcf58624bc2f54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkMNe6gBfxxy.bat

Filesize
207B

MD5
e43bd92e95d88d5ad3ea66d08c028f39

SHA1
6dee5fbb6828bb4d0772d68ae1c53158603b970a

SHA256
7cdabb536fe2132b5d5573d85801fbdc7513dac38928d4d79d4abde650164f8a

SHA512
b74c8c526cb05e62f0ccd946e699c1e9577e525fcdd2c15f7b13d9c6a1a0b9ed8feb58636195ec82e967eb391bffaba035468d96215cf59485232e934e692317

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nk6lkmvrZQeK.bat

Filesize
207B

MD5
12c4c95ee795a9fc132379d873e468ee

SHA1
5eee250c142616e9c2bdfe621d674bd21cb06c6e

SHA256
733d9914c73fb93757a578f51562f604e6503c0ed8acf310f2b4fccaf5a51dd3

SHA512
6c9b42683fbaf6a8751ae2c5a0ddab4f70f26556b6bba848a9eaf77cd792151c51351ab4191bc82feb5e4313c3133f187094f786dd2bd960d85e280af08734b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OuP4kzkHMFpD.bat

Filesize
207B

MD5
85d79779a4857fc6bfe2a7341b30bb81

SHA1
1ef9a942929940378ebaf9f3a9c786ad9a465271

SHA256
ca6682643c8801b25172aa507ac78792be1fd455d3c4b9c7002bafb16e921c4b

SHA512
ecb8beecd1dd3e5569720a7d0efd4ee9dc4ccff0abee941f96738a45f83cd747dc331ff1246b203ad94cd0e7cc6fe2b5a79808ef0c88669b23a66aa2cd5ca246

Download Submit
C:\Users\Admin\AppData\Local\Temp\QJJyIXQRnxgC.bat

Filesize
207B

MD5
4e67b06c993f9d5e8c8294551031fbc1

SHA1
d06a50588a8cb1c8250fd449586c09ec1b1729a8

SHA256
ac1fb322aacf820258a2c0abb76bd68bc7fa7b00f0dcad0e1e82d867a6d721e9

SHA512
0165eda9e07e9396433392fa89c68d5aec49e2c1872f657f84e1f21418bdf0c1364d56145e9efb70215e5b094d6ad0c0b793d5a4580f70104eb0fd1fc493c74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d0homzxs.3hy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fHaYAC8BRpdt.bat

Filesize
207B

MD5
871f2bbee4a457afd4f801007dbaf93d

SHA1
700dc6323b6b23add7fccd7e8e21e5d341a52e4e

SHA256
da3b9b961921e4c41cf71e6476d76fa66afb0f88b6a12205a543672dab962b14

SHA512
a0c2f22fbeca486d488728ec12cd46a07b90fe77450a1e6ec55e8f0014574f0d2a8721a03ab4afe1893e7eb650f4fc196673326c832df6d9e30aab4c0f2c4927

Download Submit
C:\Users\Admin\AppData\Local\Temp\gDPKcGBvBoXA.bat

Filesize
207B

MD5
927608a4abce2d146fdb1892c9305a32

SHA1
3562ff2b33af4ecd585fce2b44b77585d0c018a0

SHA256
5a53ab3a9373438128a2127b4549f6d936f9d76bf2c880ba76c74ef8e125bd1e

SHA512
20a47848d10bbd38e45c72e79ef1f41ed083713cfd1d078bcfd4cab5c3f36b76e8921e6bd05eb7b1be71102c7baf983027099bbe6054524183528d302ad1e065

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAKWpG0NgVPW.bat

Filesize
207B

MD5
3f758da48bc26d8b2dea42d18e454ace

SHA1
4f9a29e18b31826f407ec843b5d4b0271efefdff

SHA256
bfe63495f97000624095df922d7449f86faf83bf70d7d0ba8e9c8a3fc1c19060

SHA512
19d4772a86b843fb77cb6a0501d53cf95d6a6e86f7cc28b5e069bdc89ca05e2c4f3dbc772b3d11fd8709b65deca0ab6f9e2a9113a6979841161ef0f02bcae7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\mBOOI2T7a60r.bat

Filesize
207B

MD5
72bf39f811f7c45d4282b0b720b23282

SHA1
cc139f7b2291645b29b7e8acd3706f1c98497bd6

SHA256
d4e240e4813fdc549d59fa86d96f18d42060447c54f43620c754566d071fcc9e

SHA512
20cb5051fd6d57673e863d3b6f33c81ffa1d40c781e6c61dbe0312eee72d8b5fbba5ce4990ed554c4f0ab4594eb16649e6d05625f0bdc323d1bd9f64f94c10aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsEFGpKy3kRO.bat

Filesize
207B

MD5
549a4f6ff0829b7e477591ed91af29ad

SHA1
1d726413ec9fdb0fd991fdf5a84653b12282f223

SHA256
0d66aa2d37333e06eb48f1c3a0bc3e399fb472fd5f4130c8cbe1485359e11fe6

SHA512
3e5900c7b62e66d0e567d88ed605d5716389b46098421fa8d40545887e1c0259e1e2cf1898a9d9368c8ce974ffcfbf400f62d02b264d1ed84d43b0fe932085bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\yVxmOSzx5dIr.bat

Filesize
207B

MD5
ef30ab7878e455277c4f46b66c58b5ff

SHA1
c0fea2c22abf5ac8150bec412f467244cde253e5

SHA256
cd9fa4732d0282cef580480123e336d3679b69447c5970a852e4c68ab117938f

SHA512
b19bb835ba7f13078953a9458d7fdd8fcf628ea7fe1bf96c76a02053851dbe39a90afc307d8ef69a662127d28a67f2912d865699eaf44ed4296f97beed1f4b15

Download Submit
memory/2520-69-0x000000001C1D0000-0x000000001C282000-memory.dmp

Filesize
712KB

Download
memory/2520-68-0x000000001B800000-0x000000001B850000-memory.dmp

Filesize
320KB

Download
memory/3092-60-0x0000000000460000-0x0000000000784000-memory.dmp

Filesize
3.1MB

Download
memory/3092-59-0x00007FFA3C213000-0x00007FFA3C215000-memory.dmp

Filesize
8KB

Download
memory/4416-26-0x0000000005AD0000-0x0000000005B1C000-memory.dmp

Filesize
304KB

Download
memory/4416-30-0x0000000070280000-0x00000000705D4000-memory.dmp

Filesize
3.3MB

Download
memory/4416-47-0x0000000007080000-0x0000000007116000-memory.dmp

Filesize
600KB

Download
memory/4416-48-0x0000000006FE0000-0x0000000006FF1000-memory.dmp

Filesize
68KB

Download
memory/4416-49-0x0000000007010000-0x000000000701E000-memory.dmp

Filesize
56KB

Download
memory/4416-50-0x0000000007020000-0x0000000007034000-memory.dmp

Filesize
80KB

Download
memory/4416-51-0x0000000007060000-0x000000000707A000-memory.dmp

Filesize
104KB

Download
memory/4416-52-0x0000000007050000-0x0000000007058000-memory.dmp

Filesize
32KB

Download
memory/4416-55-0x0000000073850000-0x0000000074000000-memory.dmp

Filesize
7.7MB

Download
memory/4416-45-0x0000000006DF0000-0x0000000006E0A000-memory.dmp

Filesize
104KB

Download
memory/4416-44-0x0000000007430000-0x0000000007AAA000-memory.dmp

Filesize
6.5MB

Download
memory/4416-43-0x0000000073850000-0x0000000074000000-memory.dmp

Filesize
7.7MB

Download
memory/4416-40-0x0000000006A20000-0x0000000006A3E000-memory.dmp

Filesize
120KB

Download
memory/4416-42-0x0000000006CA0000-0x0000000006D43000-memory.dmp

Filesize
652KB

Download
memory/4416-41-0x0000000073850000-0x0000000074000000-memory.dmp

Filesize
7.7MB

Download
memory/4416-46-0x0000000006E40000-0x0000000006E4A000-memory.dmp

Filesize
40KB

Download
memory/4416-29-0x0000000073850000-0x0000000074000000-memory.dmp

Filesize
7.7MB

Download
memory/4416-27-0x0000000006A50000-0x0000000006A82000-memory.dmp

Filesize
200KB

Download
memory/4416-28-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/4416-25-0x0000000005A90000-0x0000000005AAE000-memory.dmp

Filesize
120KB

Download
memory/4416-24-0x00000000054E0000-0x0000000005834000-memory.dmp

Filesize
3.3MB

Download
memory/4416-14-0x0000000004E00000-0x0000000004E66000-memory.dmp

Filesize
408KB

Download
memory/4416-12-0x0000000073850000-0x0000000074000000-memory.dmp

Filesize
7.7MB

Download
memory/4416-13-0x0000000004D90000-0x0000000004DF6000-memory.dmp

Filesize
408KB

Download
memory/4416-11-0x0000000004AF0000-0x0000000004B12000-memory.dmp

Filesize
136KB

Download
memory/4416-10-0x0000000073850000-0x0000000074000000-memory.dmp

Filesize
7.7MB

Download
memory/4416-9-0x0000000004EB0000-0x00000000054D8000-memory.dmp

Filesize
6.2MB

Download
memory/4416-8-0x0000000000AE0000-0x0000000000B16000-memory.dmp

Filesize
216KB

Download
memory/4416-7-0x000000007385E000-0x000000007385F000-memory.dmp

Filesize
4KB

Download