quasar | b85d366a889518edf0a9899e2120de042965a72fc60c8795a2f9bd6eee96d58c

System Information Discovery

Processes:

42501e281de15d0331a70d0b34b94b8b.exe42501e281de15d0331a70d0b34b94b8b.exe42501e281de15d0331a70d0b34b94b8b.exe42501e281de15d0331a70d0b34b94b8b.exe42501e281de15d0331a70d0b34b94b8b.exe42501e281de15d0331a70d0b34b94b8b.exe42501e281de15d0331a70d0b34b94b8b.exe42501e281de15d0331a70d0b34b94b8b.exe42501e281de15d0331a70d0b34b94b8b.exe42501e281de15d0331a70d0b34b94b8b.exe42501e281de15d0331a70d0b34b94b8b.exe42501e281de15d0331a70d0b34b94b8b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	42501e281de15d0331a70d0b34b94b8b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	42501e281de15d0331a70d0b34b94b8b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	42501e281de15d0331a70d0b34b94b8b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	42501e281de15d0331a70d0b34b94b8b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	42501e281de15d0331a70d0b34b94b8b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	42501e281de15d0331a70d0b34b94b8b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	42501e281de15d0331a70d0b34b94b8b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	42501e281de15d0331a70d0b34b94b8b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	42501e281de15d0331a70d0b34b94b8b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	42501e281de15d0331a70d0b34b94b8b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	42501e281de15d0331a70d0b34b94b8b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	42501e281de15d0331a70d0b34b94b8b.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{948E0F7C-2394-4BB2-A1FD-32F6F43ACF86}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9EDDF3BC-23CC-423C-9047-B994A9063C20}.catalogItem	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4696	1152	WerFault.exe	42501e281de15d0331a70d0b34b94b8b.exe
3084	2960	WerFault.exe	42501e281de15d0331a70d0b34b94b8b.exe
4788	4864	WerFault.exe	42501e281de15d0331a70d0b34b94b8b.exe
4180	608	WerFault.exe	42501e281de15d0331a70d0b34b94b8b.exe
4164	4304	WerFault.exe	42501e281de15d0331a70d0b34b94b8b.exe
4204	2332	WerFault.exe	42501e281de15d0331a70d0b34b94b8b.exe
1892	1888	WerFault.exe	42501e281de15d0331a70d0b34b94b8b.exe
4716	2052	WerFault.exe	42501e281de15d0331a70d0b34b94b8b.exe
4484	2472	WerFault.exe	42501e281de15d0331a70d0b34b94b8b.exe
2320	3908	WerFault.exe	42501e281de15d0331a70d0b34b94b8b.exe
4080	4228	WerFault.exe	42501e281de15d0331a70d0b34b94b8b.exe
1068	3816	WerFault.exe	42501e281de15d0331a70d0b34b94b8b.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3696	schtasks.exe
2160	schtasks.exe
4292	schtasks.exe
4672	schtasks.exe
2212	schtasks.exe
808	schtasks.exe
1940	schtasks.exe
4064	schtasks.exe
4976	schtasks.exe
4108	schtasks.exe
4076	schtasks.exe
5056	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4996	PING.EXE
3820	PING.EXE
4604	PING.EXE
316	PING.EXE
1096	PING.EXE
2320	PING.EXE
2200	PING.EXE
2888	PING.EXE
4528	PING.EXE
2352	PING.EXE
3200	PING.EXE
2960	PING.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1152	42501e281de15d0331a70d0b34b94b8b.exe
Token: SeDebugPrivilege	2960	42501e281de15d0331a70d0b34b94b8b.exe
Token: SeDebugPrivilege	4864	42501e281de15d0331a70d0b34b94b8b.exe
Token: SeDebugPrivilege	608	42501e281de15d0331a70d0b34b94b8b.exe
Token: SeDebugPrivilege	4304	42501e281de15d0331a70d0b34b94b8b.exe
Token: SeDebugPrivilege	2332	42501e281de15d0331a70d0b34b94b8b.exe
Token: SeDebugPrivilege	1888	42501e281de15d0331a70d0b34b94b8b.exe
Token: SeDebugPrivilege	2052	42501e281de15d0331a70d0b34b94b8b.exe
Token: SeDebugPrivilege	2472	42501e281de15d0331a70d0b34b94b8b.exe
Token: SeDebugPrivilege	3908	42501e281de15d0331a70d0b34b94b8b.exe
Token: SeDebugPrivilege	4228	42501e281de15d0331a70d0b34b94b8b.exe
Token: SeDebugPrivilege	3816	42501e281de15d0331a70d0b34b94b8b.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

pid	process
1152	42501e281de15d0331a70d0b34b94b8b.exe
2960	42501e281de15d0331a70d0b34b94b8b.exe
4864	42501e281de15d0331a70d0b34b94b8b.exe
608	42501e281de15d0331a70d0b34b94b8b.exe
4304	42501e281de15d0331a70d0b34b94b8b.exe
2332	42501e281de15d0331a70d0b34b94b8b.exe
1888	42501e281de15d0331a70d0b34b94b8b.exe
2052	42501e281de15d0331a70d0b34b94b8b.exe
2472	42501e281de15d0331a70d0b34b94b8b.exe
3908	42501e281de15d0331a70d0b34b94b8b.exe
4228	42501e281de15d0331a70d0b34b94b8b.exe
3816	42501e281de15d0331a70d0b34b94b8b.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

42501e281de15d0331a70d0b34b94b8b.execmd.exe42501e281de15d0331a70d0b34b94b8b.execmd.exe42501e281de15d0331a70d0b34b94b8b.execmd.exe42501e281de15d0331a70d0b34b94b8b.execmd.exe42501e281de15d0331a70d0b34b94b8b.exe

description	pid	process	target process
PID 1152 wrote to memory of 4064	1152	42501e281de15d0331a70d0b34b94b8b.exe	schtasks.exe
PID 1152 wrote to memory of 4064	1152	42501e281de15d0331a70d0b34b94b8b.exe	schtasks.exe
PID 1152 wrote to memory of 4064	1152	42501e281de15d0331a70d0b34b94b8b.exe	schtasks.exe
PID 1152 wrote to memory of 5100	1152	42501e281de15d0331a70d0b34b94b8b.exe	cmd.exe
PID 1152 wrote to memory of 5100	1152	42501e281de15d0331a70d0b34b94b8b.exe	cmd.exe
PID 1152 wrote to memory of 5100	1152	42501e281de15d0331a70d0b34b94b8b.exe	cmd.exe
PID 5100 wrote to memory of 4852	5100	cmd.exe	chcp.com
PID 5100 wrote to memory of 4852	5100	cmd.exe	chcp.com
PID 5100 wrote to memory of 4852	5100	cmd.exe	chcp.com
PID 5100 wrote to memory of 2320	5100	cmd.exe	PING.EXE
PID 5100 wrote to memory of 2320	5100	cmd.exe	PING.EXE
PID 5100 wrote to memory of 2320	5100	cmd.exe	PING.EXE
PID 5100 wrote to memory of 2960	5100	cmd.exe	42501e281de15d0331a70d0b34b94b8b.exe
PID 5100 wrote to memory of 2960	5100	cmd.exe	42501e281de15d0331a70d0b34b94b8b.exe
PID 5100 wrote to memory of 2960	5100	cmd.exe	42501e281de15d0331a70d0b34b94b8b.exe
PID 2960 wrote to memory of 3696	2960	42501e281de15d0331a70d0b34b94b8b.exe	schtasks.exe
PID 2960 wrote to memory of 3696	2960	42501e281de15d0331a70d0b34b94b8b.exe	schtasks.exe
PID 2960 wrote to memory of 3696	2960	42501e281de15d0331a70d0b34b94b8b.exe	schtasks.exe
PID 2960 wrote to memory of 4400	2960	42501e281de15d0331a70d0b34b94b8b.exe	cmd.exe
PID 2960 wrote to memory of 4400	2960	42501e281de15d0331a70d0b34b94b8b.exe	cmd.exe
PID 2960 wrote to memory of 4400	2960	42501e281de15d0331a70d0b34b94b8b.exe	cmd.exe
PID 4400 wrote to memory of 4384	4400	cmd.exe	chcp.com
PID 4400 wrote to memory of 4384	4400	cmd.exe	chcp.com
PID 4400 wrote to memory of 4384	4400	cmd.exe	chcp.com
PID 4400 wrote to memory of 2200	4400	cmd.exe	PING.EXE
PID 4400 wrote to memory of 2200	4400	cmd.exe	PING.EXE
PID 4400 wrote to memory of 2200	4400	cmd.exe	PING.EXE
PID 4400 wrote to memory of 4864	4400	cmd.exe	42501e281de15d0331a70d0b34b94b8b.exe
PID 4400 wrote to memory of 4864	4400	cmd.exe	42501e281de15d0331a70d0b34b94b8b.exe
PID 4400 wrote to memory of 4864	4400	cmd.exe	42501e281de15d0331a70d0b34b94b8b.exe
PID 4864 wrote to memory of 4976	4864	42501e281de15d0331a70d0b34b94b8b.exe	schtasks.exe
PID 4864 wrote to memory of 4976	4864	42501e281de15d0331a70d0b34b94b8b.exe	schtasks.exe
PID 4864 wrote to memory of 4976	4864	42501e281de15d0331a70d0b34b94b8b.exe	schtasks.exe
PID 4864 wrote to memory of 4756	4864	42501e281de15d0331a70d0b34b94b8b.exe	cmd.exe
PID 4864 wrote to memory of 4756	4864	42501e281de15d0331a70d0b34b94b8b.exe	cmd.exe
PID 4864 wrote to memory of 4756	4864	42501e281de15d0331a70d0b34b94b8b.exe	cmd.exe
PID 4756 wrote to memory of 2736	4756	cmd.exe	chcp.com
PID 4756 wrote to memory of 2736	4756	cmd.exe	chcp.com
PID 4756 wrote to memory of 2736	4756	cmd.exe	chcp.com
PID 4756 wrote to memory of 4996	4756	cmd.exe	PING.EXE
PID 4756 wrote to memory of 4996	4756	cmd.exe	PING.EXE
PID 4756 wrote to memory of 4996	4756	cmd.exe	PING.EXE
PID 4756 wrote to memory of 608	4756	cmd.exe	42501e281de15d0331a70d0b34b94b8b.exe
PID 4756 wrote to memory of 608	4756	cmd.exe	42501e281de15d0331a70d0b34b94b8b.exe
PID 4756 wrote to memory of 608	4756	cmd.exe	42501e281de15d0331a70d0b34b94b8b.exe
PID 608 wrote to memory of 4108	608	42501e281de15d0331a70d0b34b94b8b.exe	schtasks.exe
PID 608 wrote to memory of 4108	608	42501e281de15d0331a70d0b34b94b8b.exe	schtasks.exe
PID 608 wrote to memory of 4108	608	42501e281de15d0331a70d0b34b94b8b.exe	schtasks.exe
PID 608 wrote to memory of 3104	608	42501e281de15d0331a70d0b34b94b8b.exe	cmd.exe
PID 608 wrote to memory of 3104	608	42501e281de15d0331a70d0b34b94b8b.exe	cmd.exe
PID 608 wrote to memory of 3104	608	42501e281de15d0331a70d0b34b94b8b.exe	cmd.exe
PID 3104 wrote to memory of 856	3104	cmd.exe	chcp.com
PID 3104 wrote to memory of 856	3104	cmd.exe	chcp.com
PID 3104 wrote to memory of 856	3104	cmd.exe	chcp.com
PID 3104 wrote to memory of 2888	3104	cmd.exe	PING.EXE
PID 3104 wrote to memory of 2888	3104	cmd.exe	PING.EXE
PID 3104 wrote to memory of 2888	3104	cmd.exe	PING.EXE
PID 3104 wrote to memory of 4304	3104	cmd.exe	42501e281de15d0331a70d0b34b94b8b.exe
PID 3104 wrote to memory of 4304	3104	cmd.exe	42501e281de15d0331a70d0b34b94b8b.exe
PID 3104 wrote to memory of 4304	3104	cmd.exe	42501e281de15d0331a70d0b34b94b8b.exe
PID 4304 wrote to memory of 2160	4304	42501e281de15d0331a70d0b34b94b8b.exe	schtasks.exe
PID 4304 wrote to memory of 2160	4304	42501e281de15d0331a70d0b34b94b8b.exe	schtasks.exe
PID 4304 wrote to memory of 2160	4304	42501e281de15d0331a70d0b34b94b8b.exe	schtasks.exe
PID 4304 wrote to memory of 1952	4304	42501e281de15d0331a70d0b34b94b8b.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe
"C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "str" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKCfE8RMjnBO.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:4852

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:2320

C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe
"C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe"
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "str" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vvFcEHwEK85J.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:4384

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:2200

C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe
"C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe"
5⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "str" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKf2iGnBN9jy.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:2736

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:4996

C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe
"C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe"
7⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "str" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IZT37iZ8gdYk.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SysWOW64\chcp.com
chcp 65001
9⤵
PID:856

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
9⤵
- Runs ping.exe
PID:2888

C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe
"C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe"
9⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "str" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe" /rl HIGHEST /f
10⤵
- Creates scheduled task(s)
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\upI4V9M5y7OX.bat" "
10⤵
PID:1952

C:\Windows\SysWOW64\chcp.com
chcp 65001
11⤵
PID:3364

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
11⤵
- Runs ping.exe
PID:3820

C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe
"C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe"
11⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2332

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "str" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe" /rl HIGHEST /f
12⤵
- Creates scheduled task(s)
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmPsSjhX9FVX.bat" "
12⤵
PID:2320

C:\Windows\SysWOW64\chcp.com
chcp 65001
13⤵
PID:4916

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
13⤵
- Runs ping.exe
PID:4604

C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe
"C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe"
13⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1888

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "str" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe" /rl HIGHEST /f
14⤵
- Creates scheduled task(s)
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q9hFd0XLoysQ.bat" "
14⤵
PID:620

C:\Windows\SysWOW64\chcp.com
chcp 65001
15⤵
PID:4064

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
15⤵
- Runs ping.exe
PID:316

C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe
"C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe"
15⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2052

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "str" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe" /rl HIGHEST /f
16⤵
- Creates scheduled task(s)
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zZXCVfEatqok.bat" "
16⤵
PID:4308

C:\Windows\SysWOW64\chcp.com
chcp 65001
17⤵
PID:4636

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
17⤵
- Runs ping.exe
PID:4528

C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe
"C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe"
17⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "str" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe" /rl HIGHEST /f
18⤵
- Creates scheduled task(s)
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gLJlS4nvP6EL.bat" "
18⤵
PID:544

C:\Windows\SysWOW64\chcp.com
chcp 65001
19⤵
PID:4868

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
19⤵
- Runs ping.exe
PID:1096

C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe
"C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe"
19⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3908

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "str" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe" /rl HIGHEST /f
20⤵
- Creates scheduled task(s)
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wdscl8Hzdvve.bat" "
20⤵
PID:4896

C:\Windows\SysWOW64\chcp.com
chcp 65001
21⤵
PID:4844

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
21⤵
- Runs ping.exe
PID:2352

C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe
"C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe"
21⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4228

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "str" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe" /rl HIGHEST /f
22⤵
- Creates scheduled task(s)
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c7dLjGAfdtqe.bat" "
22⤵
PID:4216

C:\Windows\SysWOW64\chcp.com
chcp 65001
23⤵
PID:544

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
23⤵
- Runs ping.exe
PID:3200

C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe
"C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe"
23⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3816

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "str" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe" /rl HIGHEST /f
24⤵
- Creates scheduled task(s)
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQ0wo5p2NXFr.bat" "
24⤵
PID:3040

C:\Windows\SysWOW64\chcp.com
chcp 65001
25⤵
PID:4760

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
25⤵
- Runs ping.exe
PID:2960

C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe
"C:\Users\Admin\AppData\Local\Temp\42501e281de15d0331a70d0b34b94b8b.exe"
25⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 2240
24⤵
- Program crash
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 2216
22⤵
- Program crash
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 1680
20⤵
- Program crash
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 2232
18⤵
- Program crash
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1644
16⤵
- Program crash
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 1704
14⤵
- Program crash
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 1660
12⤵
- Program crash
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1644
10⤵
- Program crash
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 1656
8⤵
- Program crash
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1660
6⤵
- Program crash
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 1664
4⤵
- Program crash
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 2180
2⤵
- Program crash
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1152 -ip 1152
1⤵
PID:3140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2960 -ip 2960
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4864 -ip 4864
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 608 -ip 608
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4304 -ip 4304
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2332 -ip 2332
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1888 -ip 1888
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2052 -ip 2052
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2472 -ip 2472
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3908 -ip 3908
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4228 -ip 4228
1⤵
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3816 -ip 3816
1⤵
PID:1420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery