quasar | b8a46aa74b7e451ca9ae336258971d7d46334b37c487da00a6039c1d146f6d62

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b99dab26a9787a8361f75905fa34de2fc05e19f6d5d70bd70f045e0bab05f4fc.exe
Size

365KB
MD5

57e44c04fcf797cc96f11a5e539dcf45
SHA1

ccb1a5049980889cfe8d96ceba005c536d25e017
SHA256

b99dab26a9787a8361f75905fa34de2fc05e19f6d5d70bd70f045e0bab05f4fc
SHA512

9caf54fb294cd085bbd0337d70a9bfc0b11351a9ea46b0a09fc6a5e869bd8b15a6ea514f758aed9169894c82f271611f1ecb10570f99a0b76a79e28b3b462c95
SSDEEP

6144:Yx6bPXhLApfpIcE/ckl2La1bz4uUYHD7XKj8lxfBA66Ec2KHv:4mhAp8Bl9N4lkmj8RA6pcL

Score

10^/10

quasar win_update_2023 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Win_Update_2023

butterflybourne.ddns.net:4782

Mutex

QSR_MUTEX_zD2aPCc6Z0MX6eOBsy

Attributes

encryption_key
JzQzojcImiy4nU59S0ns
install_name
custom.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Win_Update_2023
subdirectory
SubDir

Signatures

Quasar RAT 5 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b99dab26a9787a8361f75905fa34de2fc05e19f6d5d70bd70f045e0bab05f4fc.exe
	7	ip-api.com	Process not Found
	57	api.ipify.org	Process not Found
	81	ip-api.com	Process not Found
	99	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral12/memory/964-1-0x0000000000A50000-0x0000000000AB2000-memory.dmp	family_quasar
behavioral12/files/0x000a00000001e6c5-13.dat	family_quasar

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	custom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	custom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	custom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	custom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	custom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	custom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	custom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	custom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	custom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	custom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	custom.exe

Executes dropped EXE 11 IoCs

pid	Process
3556	custom.exe
4492	custom.exe
3616	custom.exe
2968	custom.exe
4460	custom.exe
2004	custom.exe
3500	custom.exe
1360	custom.exe
4252	custom.exe
3564	custom.exe
3724	custom.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com
57	api.ipify.org
81	ip-api.com
99	ip-api.com

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SubDir	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\custom.exe	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	custom.exe
File created	C:\Windows\SysWOW64\SubDir\custom.exe	b99dab26a9787a8361f75905fa34de2fc05e19f6d5d70bd70f045e0bab05f4fc.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\custom.exe	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\custom.exe	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\custom.exe	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\custom.exe	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\custom.exe	b99dab26a9787a8361f75905fa34de2fc05e19f6d5d70bd70f045e0bab05f4fc.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\custom.exe	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\custom.exe	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\custom.exe	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\custom.exe	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\custom.exe	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\custom.exe	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	custom.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	custom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

pid	pid_target	Process	procid_target
452	3556	WerFault.exe	94
4476	4492	WerFault.exe	107
4348	3616	WerFault.exe	127
988	2968	WerFault.exe	136
4704	4460	WerFault.exe	146
3816	2004	WerFault.exe	155
2360	3500	WerFault.exe	164
1304	1360	WerFault.exe	173
4864	4252	WerFault.exe	182
4320	3564	WerFault.exe	191
1684	3724	WerFault.exe	200

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	custom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	custom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	custom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	custom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	custom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	custom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	custom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	custom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b99dab26a9787a8361f75905fa34de2fc05e19f6d5d70bd70f045e0bab05f4fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	custom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	custom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	custom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3588	PING.EXE
1464	PING.EXE
828	PING.EXE
4252	PING.EXE
916	PING.EXE
1220	PING.EXE
2252	PING.EXE
864	PING.EXE
516	PING.EXE
628	PING.EXE
4076	PING.EXE

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
4252	PING.EXE
916	PING.EXE
864	PING.EXE
516	PING.EXE
3588	PING.EXE
828	PING.EXE
1220	PING.EXE
2252	PING.EXE
628	PING.EXE
4076	PING.EXE
1464	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4956	schtasks.exe
4708	schtasks.exe
4320	schtasks.exe
3528	schtasks.exe
1100	schtasks.exe
2240	schtasks.exe
2996	schtasks.exe
4824	schtasks.exe
1484	schtasks.exe
4816	schtasks.exe
316	schtasks.exe
4696	schtasks.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	964	b99dab26a9787a8361f75905fa34de2fc05e19f6d5d70bd70f045e0bab05f4fc.exe
Token: SeDebugPrivilege	3556	custom.exe
Token: SeDebugPrivilege	4492	custom.exe
Token: SeDebugPrivilege	3616	custom.exe
Token: SeDebugPrivilege	2968	custom.exe
Token: SeDebugPrivilege	4460	custom.exe
Token: SeDebugPrivilege	2004	custom.exe
Token: SeDebugPrivilege	3500	custom.exe
Token: SeDebugPrivilege	1360	custom.exe
Token: SeDebugPrivilege	4252	custom.exe
Token: SeDebugPrivilege	3564	custom.exe
Token: SeDebugPrivilege	3724	custom.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3556	custom.exe
4492	custom.exe
3616	custom.exe
2968	custom.exe
4460	custom.exe
2004	custom.exe
3500	custom.exe
1360	custom.exe
4252	custom.exe
3564	custom.exe
3724	custom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 2240	964	b99dab26a9787a8361f75905fa34de2fc05e19f6d5d70bd70f045e0bab05f4fc.exe	92
PID 964 wrote to memory of 2240	964	b99dab26a9787a8361f75905fa34de2fc05e19f6d5d70bd70f045e0bab05f4fc.exe	92
PID 964 wrote to memory of 2240	964	b99dab26a9787a8361f75905fa34de2fc05e19f6d5d70bd70f045e0bab05f4fc.exe	92
PID 964 wrote to memory of 3556	964	b99dab26a9787a8361f75905fa34de2fc05e19f6d5d70bd70f045e0bab05f4fc.exe	94
PID 964 wrote to memory of 3556	964	b99dab26a9787a8361f75905fa34de2fc05e19f6d5d70bd70f045e0bab05f4fc.exe	94
PID 964 wrote to memory of 3556	964	b99dab26a9787a8361f75905fa34de2fc05e19f6d5d70bd70f045e0bab05f4fc.exe	94
PID 3556 wrote to memory of 2996	3556	custom.exe	95
PID 3556 wrote to memory of 2996	3556	custom.exe	95
PID 3556 wrote to memory of 2996	3556	custom.exe	95
PID 3556 wrote to memory of 4964	3556	custom.exe	98
PID 3556 wrote to memory of 4964	3556	custom.exe	98
PID 3556 wrote to memory of 4964	3556	custom.exe	98
PID 4964 wrote to memory of 1700	4964	cmd.exe	101
PID 4964 wrote to memory of 1700	4964	cmd.exe	101
PID 4964 wrote to memory of 1700	4964	cmd.exe	101
PID 4964 wrote to memory of 3588	4964	cmd.exe	103
PID 4964 wrote to memory of 3588	4964	cmd.exe	103
PID 4964 wrote to memory of 3588	4964	cmd.exe	103
PID 4964 wrote to memory of 4492	4964	cmd.exe	107
PID 4964 wrote to memory of 4492	4964	cmd.exe	107
PID 4964 wrote to memory of 4492	4964	cmd.exe	107
PID 4492 wrote to memory of 4956	4492	custom.exe	110
PID 4492 wrote to memory of 4956	4492	custom.exe	110
PID 4492 wrote to memory of 4956	4492	custom.exe	110
PID 4492 wrote to memory of 412	4492	custom.exe	112
PID 4492 wrote to memory of 412	4492	custom.exe	112
PID 4492 wrote to memory of 412	4492	custom.exe	112
PID 412 wrote to memory of 3768	412	cmd.exe	116
PID 412 wrote to memory of 3768	412	cmd.exe	116
PID 412 wrote to memory of 3768	412	cmd.exe	116
PID 412 wrote to memory of 1464	412	cmd.exe	117
PID 412 wrote to memory of 1464	412	cmd.exe	117
PID 412 wrote to memory of 1464	412	cmd.exe	117
PID 412 wrote to memory of 3616	412	cmd.exe	127
PID 412 wrote to memory of 3616	412	cmd.exe	127
PID 412 wrote to memory of 3616	412	cmd.exe	127
PID 3616 wrote to memory of 4824	3616	custom.exe	128
PID 3616 wrote to memory of 4824	3616	custom.exe	128
PID 3616 wrote to memory of 4824	3616	custom.exe	128
PID 3616 wrote to memory of 3500	3616	custom.exe	130
PID 3616 wrote to memory of 3500	3616	custom.exe	130
PID 3616 wrote to memory of 3500	3616	custom.exe	130
PID 3500 wrote to memory of 3888	3500	cmd.exe	133
PID 3500 wrote to memory of 3888	3500	cmd.exe	133
PID 3500 wrote to memory of 3888	3500	cmd.exe	133
PID 3500 wrote to memory of 828	3500	cmd.exe	135
PID 3500 wrote to memory of 828	3500	cmd.exe	135
PID 3500 wrote to memory of 828	3500	cmd.exe	135
PID 3500 wrote to memory of 2968	3500	cmd.exe	136
PID 3500 wrote to memory of 2968	3500	cmd.exe	136
PID 3500 wrote to memory of 2968	3500	cmd.exe	136
PID 2968 wrote to memory of 1484	2968	custom.exe	137
PID 2968 wrote to memory of 1484	2968	custom.exe	137
PID 2968 wrote to memory of 1484	2968	custom.exe	137
PID 2968 wrote to memory of 2392	2968	custom.exe	139
PID 2968 wrote to memory of 2392	2968	custom.exe	139
PID 2968 wrote to memory of 2392	2968	custom.exe	139
PID 2392 wrote to memory of 2516	2392	cmd.exe	142
PID 2392 wrote to memory of 2516	2392	cmd.exe	142
PID 2392 wrote to memory of 2516	2392	cmd.exe	142
PID 2392 wrote to memory of 4252	2392	cmd.exe	144
PID 2392 wrote to memory of 4252	2392	cmd.exe	144
PID 2392 wrote to memory of 4252	2392	cmd.exe	144
PID 2392 wrote to memory of 4460	2392	cmd.exe	146

C:\Users\Admin\AppData\Local\Temp\b99dab26a9787a8361f75905fa34de2fc05e19f6d5d70bd70f045e0bab05f4fc.exe
"C:\Users\Admin\AppData\Local\Temp\b99dab26a9787a8361f75905fa34de2fc05e19f6d5d70bd70f045e0bab05f4fc.exe"
1⤵
- Quasar RAT
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Win_Update_2023" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\b99dab26a9787a8361f75905fa34de2fc05e19f6d5d70bd70f045e0bab05f4fc.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2240
- C:\Windows\SysWOW64\SubDir\custom.exe
  "C:\Windows\SysWOW64\SubDir\custom.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Win_Update_2023" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\custom.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYwvlMogu9gD.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:1700
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3588
  - - C:\Windows\SysWOW64\SubDir\custom.exe
      "C:\Windows\SysWOW64\SubDir\custom.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4492
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Win_Update_2023" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\custom.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ld55na1OA3V2.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:412
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3768
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1464
      - C:\Windows\SysWOW64\SubDir\custom.exe
        
        "C:\Windows\SysWOW64\SubDir\custom.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Win_Update_2023" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\custom.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fdfrhPK2kuCR.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:828
        
        C:\Windows\SysWOW64\SubDir\custom.exe
        
        "C:\Windows\SysWOW64\SubDir\custom.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Win_Update_2023" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\custom.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yn7kBi2arYDv.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4252
        
        C:\Windows\SysWOW64\SubDir\custom.exe
        
        "C:\Windows\SysWOW64\SubDir\custom.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4460
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Win_Update_2023" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\custom.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSXCDyXXBxoD.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:916
        
        C:\Windows\SysWOW64\SubDir\custom.exe
        
        "C:\Windows\SysWOW64\SubDir\custom.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Win_Update_2023" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\custom.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2vogSI54Kh2C.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:864
        
        C:\Windows\SysWOW64\SubDir\custom.exe
        
        "C:\Windows\SysWOW64\SubDir\custom.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3500
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Win_Update_2023" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\custom.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zaD8UYa1e7eU.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1220
        
        C:\Windows\SysWOW64\SubDir\custom.exe
        
        "C:\Windows\SysWOW64\SubDir\custom.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1360
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Win_Update_2023" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\custom.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5u59q9Xt15Ak.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2252
        
        C:\Windows\SysWOW64\SubDir\custom.exe
        
        "C:\Windows\SysWOW64\SubDir\custom.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4252
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Win_Update_2023" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\custom.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MFsHJe2Yoard.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:516
        
        C:\Windows\SysWOW64\SubDir\custom.exe
        
        "C:\Windows\SysWOW64\SubDir\custom.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3564
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Win_Update_2023" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\custom.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SS31hbSDrZjd.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:628
        
        C:\Windows\SysWOW64\SubDir\custom.exe
        
        "C:\Windows\SysWOW64\SubDir\custom.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3724
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Win_Update_2023" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\custom.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIhKOtLnx7Xc.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 2220
        23⤵
        Program crash
        
        PID:1684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 2248
        21⤵
        Program crash
        
        PID:4320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 2224
        19⤵
        Program crash
        
        PID:4864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 1704
        17⤵
        Program crash
        
        PID:1304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 2180
        15⤵
        Program crash
        
        PID:2360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 2192
        13⤵
        Program crash
        
        PID:3816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 2224
        11⤵
        Program crash
        
        PID:4704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 2196
        9⤵
        Program crash
        
        PID:988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 2228
        7⤵
        Program crash
        
        PID:4348
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 2228
        5⤵
        Program crash
        
        PID:4476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 2180
    3⤵
    - Program crash
    PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3556 -ip 3556
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4492 -ip 4492
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3616 -ip 3616
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2968 -ip 2968
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4460 -ip 4460
1⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2004 -ip 2004
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3500 -ip 3500
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1360 -ip 1360
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4252 -ip 4252
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3564 -ip 3564
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3724 -ip 3724
1⤵
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2vogSI54Kh2C.bat

Filesize
196B

MD5
e148f26dc72d25788ef58bf3ff3bcd55

SHA1
b20f478e3496f388287b30540ef7ea48c7be3890

SHA256
171e460b4ac9c23d94e38eb38c53c81cd745f5f780814680f93e4eed83319e9d

SHA512
12ede0eef211c49102fbe32a84e3a100ec8bf02f61e41fc45c9082e290a7a381e226edd5ea7e9c17cff3d4da1cd22a5e7b8d36c0efddba80518a3755c71124c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5u59q9Xt15Ak.bat

Filesize
196B

MD5
dc61904cb8aa1f17a96c865ef16537db

SHA1
65d675ca9ae2de8f2f9292779b27c670e561f858

SHA256
fd9183e8eae728b8a9540ddb7247ada73e6f75d930872b65dd770d76837e73af

SHA512
4cc8c94014dcf1e741334198203ef97ab251a4c8e815181dfe816254d018b0c0e668813e74da051140b48ddb5268ef2f1d75a81a4c86e5dafa546ce4b1852e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYwvlMogu9gD.bat

Filesize
196B

MD5
4ccb00a576ff990d18a8956a703470f3

SHA1
a52b1ae2e0b94645fd7a2b8607449d830b751526

SHA256
ba37299fa4e7571044e0e508b13b1a7836f42492b7a6b4cfa3202f94bb945d01

SHA512
705ad42fa6834fc10f64bee0eb15512b97f2e597dfd44b8a5c8dcdefdfbb6810a58edcb18820c3434af24346b208b8f9c3c7e0ce19e0813074281d6cc1024b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFsHJe2Yoard.bat

Filesize
196B

MD5
fbd827c975881189f82d9740d8a95f95

SHA1
d5f2cbbf7379ffed299679bad2a96fcfe40430a1

SHA256
b455bc9ca90db07f8428eac689cd26699fd1b584895615eb3148ae42656ce77b

SHA512
c5dac31487326a6582572cc746d0b023c9513b14174779df4d5d205478a49ca8e4d516eea5135d82430117cdc9f68b15c23c229d47fddae441b39e1c90a34f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\SS31hbSDrZjd.bat

Filesize
196B

MD5
73490829303691e4f7bd473a9d50dfeb

SHA1
c2cbca4ad54dfa632166c81de9eaf93d3c3a458e

SHA256
0b4a6d23156323cb378bc38e8c30960851f50954a6415ef72d089929d88457ac

SHA512
155422c9d5e01f69581696eac413b2bb5ab77779e435495f5bca41fa03d6c54fad5b985a8365d5f0f3d79b10e50b55e6ad209c9e5070bdfe397e17512a42e205

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSXCDyXXBxoD.bat

Filesize
196B

MD5
630a77d5bb0ed13fccce7b4017e6b75f

SHA1
046bc337f7600ea54b33269fd648f73c1918136d

SHA256
fbf6132d46ebf0c40e82e3d7d5f57d588573b3c9f4a0d9c74eecf3e9eb3aad37

SHA512
f189ce1e222dd04f42d6ea6052024a02ffbfbf19d2478f462a6aeed34d01bc0723bff53c512d986ec91f50c0267860fe07a317373f3bc48f17ed346b7cbf2e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yn7kBi2arYDv.bat

Filesize
196B

MD5
8041fe9e732d4adaa3d0f6263dc1ba1f

SHA1
d5460d06aa310a53f0375f8c5d7c8ca8035f7687

SHA256
de60cf8dca54dd90390cdc5352f5f11f3704a11947c1e8429e1f0a46136a0caf

SHA512
31f3435e34219d993826b9b31af98597f99dc3a5bfd570fb260bc5c5a2f9c9e347935629ce192e8b4b9d9d97bed6231b1ae3135fa7ad49af9c7fb9354faeb52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdfrhPK2kuCR.bat

Filesize
196B

MD5
a435af0a4b2b49d6350afad6f26d767b

SHA1
50316a281554bead985ffd1065f4e990018eae92

SHA256
2a798752d8eceea130d3b99f5959ac4daac68bd852303ed67a5c7a19cc6c8d3f

SHA512
e4df8487444af11215f4087f5ce87090a453be903797bee8d20abb49e3f926d585c455291b59fa6ac84275438192fe11539ee87a9c035c68eaf449edba863797

Download Submit
C:\Users\Admin\AppData\Local\Temp\hIhKOtLnx7Xc.bat

Filesize
196B

MD5
6da0573bf612f462fd11f3297861ea86

SHA1
96c9cd2b733d2f3c24cadb88a5664d1e9338248f

SHA256
76ca1b64ad8cbfb1455ff0605cf403addc9da2a3c07ee20f914b2e6a761dea60

SHA512
47c87b90c3db1f1cb2ad16aaf9eafd87105f102b244a01d8eef983c0fb192021c695be935e85532d490ae530db4ed8fc9f8bf4704f42ff1ac9bcacecdd08562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ld55na1OA3V2.bat

Filesize
196B

MD5
11b668e68ea991504bd3234e1ff695fd

SHA1
1cec4e2f5a07d530f5df5a463ea4c31e9dff4403

SHA256
548a6ec1d8ea59ac905ed7e94a7d98b14ef5006bc7f3a4f6c80bd3cad956ce38

SHA512
e1a2a5f2d6e2e1f3ca4a6f58bf66aa4cf8997fa1a5acbb034eafbe03ca8fcdc8726490c37290d8fe9725e502e3c5ef2927098049c2b660a833293248e0799598

Download Submit
C:\Users\Admin\AppData\Local\Temp\zaD8UYa1e7eU.bat

Filesize
196B

MD5
86f0884824b1a042c2a8d1c241a6d42e

SHA1
5ce1a420583b3c0ae680069a0d5f68e8e61e4466

SHA256
ff26160d1231d516c615d368c2b7386e96bf4f14bd79cb7f1648e1c3e5d03605

SHA512
12946600ea7bae9ad655cfdd2e0e1822f464918690917aab93bcca128240a9d5aed334cd3be83b51b948fbfc4bd110afc993bce3c445552256aa9debf041e6ca

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\03-06-2025

Filesize
224B

MD5
84281ae61f44fa93f9b85876287a3cfe

SHA1
e65ad7b053e1eabebbf6e43693925b45aa006d06

SHA256
f9795252f8d5cbb52be2a605a035c0532ecda059328512f2127a5fd0cc88f967

SHA512
b3b95b3561eaec6e0b144b2c24c007c2cfc79781b21951cde8b6fbfb6860fc76a8c5acc15185766d87f1ba54bdcd313978b95d584597170968130bfcfcfdad7c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\03-06-2025

Filesize
224B

MD5
d080d11ce73183fd39677686c88c3d6a

SHA1
1bea8a9c2ab5283d505e768a3be1c56f3c0c84e7

SHA256
b45aad6c769d225680ea749fa22bbfd6c168d666225d4036aba45adf9477198b

SHA512
e7e204695d16c42dc435874f4707079e267e4b7044de9f7f0af6638d3e65e2ef151a3f44a254607f32239256510527614c525e6f10231251305bd5f476e03818

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\03-06-2025

Filesize
224B

MD5
734a6f9ab1971196b6ad3fa541d8f867

SHA1
fc25427c259d4c357457a701036b6f8deae6fa23

SHA256
41e3baadf8f15f4c160f34fdca045998b6796d9b17daaaa7d4c297ecfc13f49c

SHA512
33813bca33577d9aed42934b564df808cba3013b8ce77196af8b700caeb59af0bbdaaa1a468d47108795f4fcb639a9bb9291ae9d91a7a9f23fdfa305f04e8a65

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\03-06-2025

Filesize
224B

MD5
846398f0710098e1a986c23ab44fd1e0

SHA1
a10aca6fbe30525b6db1eff22db60e74aeb929fd

SHA256
8ac89456808d8cad8339b15d7049b8fa4caa8d81bbde13867641795719291823

SHA512
6099c2636775a0bb588cc0494d7c408ec2dbd5225199a93bd6746b815d9255602cd361636078c7c2d3289cf499a61c000015025d786ee2638ae860951caa4e35

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\03-06-2025

Filesize
224B

MD5
f55aac851ff6c70713a5a46caec4c88b

SHA1
4916a7015428d9e1a1ccbbed4abcc42967256889

SHA256
04611be817a06aaf2ac0700327affa9555a98e5c949283b183cb07c50afbb9eb

SHA512
8d0935d27dfe292dc39336d8cc474e1a6a86141dc6df16c8d6b70bbba0bcac895220b1222a1e669d27fe9e79e118a86277478ced01902d3e650c16fb01bc2acf

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\03-06-2025

Filesize
224B

MD5
ee949220f5f319eefee19f3ff1c39c8e

SHA1
85217554b1427dca384ba47a3778939d0067ca23

SHA256
671c699cb20169ef895a8566981ff5321a98ff683a6d7f86639255192b7b4c42

SHA512
fa9fce969d031633f6ffc27a716bb3fce7e84ae837e183ad93c60bcd46740ee78b45c1c1252bfe262c370737f59843f5a6d3c0ce068daed8275222ffd5b235e4

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\03-06-2025

Filesize
224B

MD5
1b61b0f07f3b8e123d8b0e6c8525d9c0

SHA1
c8ee80fac2ec60f7d3ec425a11194ce8ad251ca1

SHA256
b830f90d18a844fb2cc8f7c1044ec872e5a0a1d3f792852736597efb2dcfa7fe

SHA512
41f30b07b465c56c9a82f303e1797b80b9cc07b1907bc6a25449aa82c96242b282e3c0d734423bd92c5fd273cbe4b375ff23411a59e6dc14703666a28ba9eb5c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\03-06-2025

Filesize
224B

MD5
67ef6c34cd7d3cd5751b1116fa9bc65f

SHA1
84b80380eeb6ef04e4ef2fec284e139ebe015345

SHA256
5347cbedd62a6c5ab943f922f575c128cc01b5dfb2763641fa7f7542a7478923

SHA512
61badd59afc7e5dbd15e695f017c4927f12e66833a75f6404bfe6c1f78de2ec2081d0f89471f5b0ddc1e726537f9f11bab5a78253f9bf37e2202c5444a55eb64

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\03-06-2025

Filesize
224B

MD5
8a560c044ba4cd027ba54f5d53eb798c

SHA1
7d85e8d7ca463336c2d88c95f4b38aade4a7af47

SHA256
ec7d2c037690ca214b36b34c1eca09ef1302f668c92439ba63840c2da9d5e144

SHA512
49a56e2cab114ee33096fc39582b76bebeb5895b8a846a307bad56423b05f558c347d6b29535b1d53bc0f770b9b72eb39cf56d3abed017d1d052557cb673436e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\03-06-2025

Filesize
224B

MD5
19ffd8fbe3c2bfa797d2fab1a6086627

SHA1
c6cb1e13d47e76ca67d0d41e68f265b4b5b9b37c

SHA256
07fbaedd3d120459b7cb8e9bf281dd4db7345e3ca811962bf6bc6c38e678f43f

SHA512
f02476dd8456df2e5a9f755e483562f8e642a0af8110bdda8d4e7ec642fd607be2780e1d1110f476fc3bb0dae1c34c89d5feda346eb376f86db3edfd10cd3b5c

Download Submit
C:\Windows\SysWOW64\SubDir\custom.exe

Filesize
365KB

MD5
57e44c04fcf797cc96f11a5e539dcf45

SHA1
ccb1a5049980889cfe8d96ceba005c536d25e017

SHA256
b99dab26a9787a8361f75905fa34de2fc05e19f6d5d70bd70f045e0bab05f4fc

SHA512
9caf54fb294cd085bbd0337d70a9bfc0b11351a9ea46b0a09fc6a5e869bd8b15a6ea514f758aed9169894c82f271611f1ecb10570f99a0b76a79e28b3b462c95

Download Submit
memory/964-0-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/964-3-0x00000000054B0000-0x0000000005542000-memory.dmp

Filesize
584KB

Download
memory/964-8-0x0000000006700000-0x000000000673C000-memory.dmp

Filesize
240KB

Download
memory/964-7-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/964-6-0x0000000005B10000-0x0000000005B22000-memory.dmp

Filesize
72KB

Download
memory/964-1-0x0000000000A50000-0x0000000000AB2000-memory.dmp

Filesize
392KB

Download
memory/964-5-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/964-2-0x0000000005B50000-0x00000000060F4000-memory.dmp

Filesize
5.6MB

Download
memory/964-4-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/964-17-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/964-10-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/3556-18-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/3556-16-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/3556-20-0x0000000006820000-0x000000000682A000-memory.dmp

Filesize
40KB

Download
memory/3556-25-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads