Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-01-2025 20:32
General
-
Target
12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe
-
Size
348KB
-
MD5
222eb2520861357489b7a11a99656e3f
-
SHA1
fb21802a64e6bbc3a9746e5ee5e4f92c2dc8bfcf
-
SHA256
12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73
-
SHA512
991d90dda45c324e4b15a3cf3d0f5209d2f71c4d3145169215737c448d8ce0da494f32a2187e5bddb4eac488a48e18b061ff7bd42d1a28458e472359af798ecb
-
SSDEEP
6144:+V6bPXhLApfpUw4qCgafQbX30nlIHh/m7vHdjz7iO:umhAp6lqKfq0GheLHd/iO
Malware Config
Extracted
quasar
1.3.0.0
ForceOP
jordiek1d.ddns.net:4782
QSR_MUTEX_Y1VQAwHslXRVvQkGHj
-
encryption_key
3xJFlGvSDHRDtYnPg0qe
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
WindowsDrivers
-
subdirectory
SubDir
Signatures
-
Quasar RAT 5 IoCs
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 14 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 14 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe"C:\Users\Admin\AppData\Local\Temp\12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe"1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\12d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73.exe" /rl HIGHEST /f2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NebXkShEkaWQ.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAon6FRDnPi5.bat" "5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B4UFD8tihmxR.bat" "7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650018⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost8⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f9⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiya8VpsceO6.bat" "9⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 6500110⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost10⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f11⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jpo02KEnhg1m.bat" "11⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500112⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost12⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f13⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DL0GO6ymkWDR.bat" "13⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500114⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f15⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tws8jzaIdmFI.bat" "15⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500116⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost16⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f17⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOLtCZyWGimN.bat" "17⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500118⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost18⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f19⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XDAS67hmqSsS.bat" "19⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500120⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost20⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f21⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3gQwMRGJzC6R.bat" "21⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500122⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost22⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f23⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L5xai86jCaTt.bat" "23⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500124⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost24⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f25⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PL55BXiq9fKZ.bat" "25⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500126⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost26⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f27⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2N3ds0NWv4nw.bat" "27⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500128⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost28⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "WindowsDrivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f29⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AC4TzowTz0D7.bat" "29⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500130⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost30⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 220829⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 219227⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 222425⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 222423⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 222421⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 220019⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 222417⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 221615⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 217213⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 216411⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 21809⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 22247⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 21925⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 21963⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2008 -ip 20081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2104 -ip 21041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1332 -ip 13321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1088 -ip 10881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3412 -ip 34121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2032 -ip 20321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1224 -ip 12241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2436 -ip 24361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1048 -ip 10481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3212 -ip 32121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4552 -ip 45521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1884 -ip 18841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4516 -ip 45161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 548 -ip 5481⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
207B
MD561ef6a7638c42bd0904446f2ea0d4f79
SHA12f54c29168c27c64b84966f4a12bd598cde1673c
SHA256bd8f1714585dabcd9168451d08d4335eb140be82712aedea8a13b2a0c9c3cb7d
SHA512a8f29c611bc6a12c314d37b70442b9adf4b3e13b05593567f422d164dddd04ee3fa9cbaf1d17f44c9b47af0c9af3cacbe1cc4ab60cfebc4e9357e1ec1eb5732b
-
Filesize
207B
MD5ebfd132dfa747d303ff9d99176bcc744
SHA18274fb22255e21df0a8110f08b9148054c053d6d
SHA256695041f69f4ec4e186d8f84df6ac9279d80d9dfdc4c91253f27fa04e46e64cb9
SHA512ce7f6159ede363bc4e6ba4b4a23511e270b2b5f24150de0dc6f6fb88888f5d68bd582858eb7bd56894ddb08a21e822937aa89d3d4aba6d65965691be9570413f
-
Filesize
207B
MD577a2cf63e86dd086b22d7c21bd6b620f
SHA15d7c9878712a2204f9fef6ab5037154a21ef72fb
SHA2564e2ebb8ea6d28b15f10a5889de015f1c0b35ee8e5893b05b990874930cd5959b
SHA512c4fc1a8a86f403f070ad8270c0dd618ddf365f16f9203387afcdbc29a8f3f1ba48c1b3615b66ed587a18cbd55b68a6a2f0768f3cc29a17cf743e64a4dbc529f1
-
Filesize
207B
MD5cbbf1a68264a9a685cb59cada36096b8
SHA1008565d80cafe4b32bf75dfd5721ce18e5122757
SHA256621caaeb7768601f31370dc2925f92c2cb0233334f63ed23307973e9ed57d955
SHA512c1500e76a27052adeb93b91dd88f2dbc087289d9c000f1ef779c2a446d2568092a1841a488010530d0e6e6b287f6136c8ae5e0f1bda0fc141058fe5a077723ed
-
Filesize
207B
MD5a44d122a958524521bc5c9735aaf9c06
SHA1b56e78525b0e59b2f7bd85e3bac7556e0a6e51c6
SHA256db3e50e18ab2a564e7e06662ed9166664f4c8103266bfc51bccc6b18bcb58ee2
SHA512f52960112ced77e13698a7d3b9dadef0e033a7bdb10c798f9f8cbf259e3ec0025be1c026ad7abdaf5bfc70551eb14c5603c52027bc09069d9b04d765f55a9708
-
Filesize
207B
MD5a60f4fc46329ee6e2416f86cd0b3f6b4
SHA12beb72646c951068496755f2187b4d0136141cb0
SHA2562bcbb70af1db68a03c42cfdeba1270e1b3bfa6a9f340db6e65ee215c38f6d155
SHA5125da5253b174bf19c57559981630ad5dfe8b71692d14a15b7b46b6ae5a811f00c39ce79185dc5903c1e70c0cced8dd40fd0d4b918c1c2115794d8ff353cbc1b2a
-
Filesize
207B
MD575c54097bf4c0e9de408ef304ddf0f7d
SHA1afea771efca11c0dc3938721e2f5f869ea8f3de5
SHA256e3e4a61cfde3737ccfc6467050dac2f586fb6d52c049bd517f394d800fffa11f
SHA512cca09cc5629908e06ba58494189f5efadea4a309946a03a0d0eaa790fb3fcf18e947bae2316264a2e1a410ed6e204f85ef541b75906aa487241ee2f9eb3caeb1
-
Filesize
207B
MD508fdb79eed7508e3e9ef5dd5c47a673d
SHA16191ecf0b9643f2f207952438288c14dcf1c8b5c
SHA256c7e974378bb5f04a99b40c8b9d7c5e636d4bc7af8b2793eaff20d85bc50fa161
SHA512c998f2848a8f71b3a4ba5640a89478e31e6f25c67ba81511db928ea826896e41b6cf64c6eba699b5771467c4879145b0003e8b2cdb8d8a92419d42d5cfe8a76e
-
Filesize
207B
MD56c850edf253d2c811b4fe4b7c8ab9625
SHA1264ab84a26cbd06d85274bf1e7e06076d7a5f949
SHA25688e721e12fa481ade740d2b15316645e1879ff5e66db874e0e6023f7b5270496
SHA512198b889cdc142fd6fdfff5fa9595cf78835a27d75cfddcd7bdcd1a315f2cb9ae008e393b5aea5f9d0d4fc0314729cc938bf6714625dc4cf97a44b0db997a55e5
-
Filesize
207B
MD5e3b7235d639ed8428a654056f68b2e93
SHA12d8d43d3e32b4e70a9683113f69e35ebc487f906
SHA25696f27249779b63eee451281ec9a2ffb5a95b3c9f0b6880ecf58b59e8448a2e4c
SHA512d1416a0293ae4434bd2b4f291c3ce15b29df8eb645362f23716d0c62be0768886d5e2f547cee59f3a5ad8b099cbc6842005addd0588affd93856d61ca064ceb4
-
Filesize
207B
MD5ea9d0bb8a7653f435da8e99b9ba56865
SHA1bef3c13a64afb485937eecd75354b5d2fdcfc60d
SHA256f9b33bab8fff6e08cb31ec8cabfeb0a906f2f3a3ea03033b8da1b6c0bb740a90
SHA51288d31429395ef278431b7aed8863d39016cd9b55383fa49a1e0d4f84057e679d0c77539ce0c4068009571d694e4d0d2e9f11cc99ad077af75c86d0d96aca287a
-
Filesize
207B
MD507562201490da5ae243142b8150fed69
SHA108d27c1b0b56555e9c3f07220297a5210aae810e
SHA25626b79cffd4362b0121eac044c2fd82ffd848e4924f79c5b4212c3d5930ff4906
SHA51206653be30cbea173a0eaf65df5141c8d6aa97fc3b6b499b2133cb5e0fb9990009d79de4c4c4cdc087eb3b44f80269cb9e3e487326821dc06af92ab49fda10788
-
Filesize
207B
MD5cac2d1ae530dc3f4676643d98d34dd6f
SHA1df80c34df46741ef45f866f09106a0d4ad2b1a86
SHA25674985c44581a0de8e26839faec915e8ae92f11667b14e5433a81e9df1e5ade00
SHA512c3df10fd620ab51bbb8d25b2b26ec8563feaced8e72aea85bfdc4ede1e3a3aa55b8bc8e3c03282727fcf97516635090acb778437696693ed72e410529c7093f7
-
Filesize
207B
MD589fb3c73e546784efa5179e83f179aba
SHA19deeea0b90cced761f33013fe79cb8c9e2f2fb88
SHA256f7e1d8e4d617039d917bebf8020e6e9920a69c50fb5b04e4db1df1e3293d90d7
SHA5127c0ced238f78abc85c6abaabaa8961344956a6b23a94a22d956eea73997e7dc7ad3f0be14faa190f8cf66c1ff02c5864feddb64e695a9dc3238cee24fe604d04
-
Filesize
224B
MD5b83d6b7d9370c6121f312ecdcf782021
SHA19366951a23d423b3bfbd8edc2339259ca23391d8
SHA256465165d74d4c7c2c38e69dada382ffc62a2c8258d679146b3069497164df588b
SHA51234d6bcab6aaa9a078c3fd9fb1ddf3b821345308039e3c5c34c917d1cc058ea8b10aad70d4b2d467d0970cc359a6001321e7e5a13a9e5b052fd718350b531e0e7
-
Filesize
224B
MD5d4013130828a56583243974a3c191b5c
SHA107b110179bd268390ca0da4d839a4a6e4afbfe62
SHA2567da61aea9cfede974ceaea0ca9c4def92824ca0ff5ad1e0c07272f3bcaa4f585
SHA512a7c95c5156bc8edd1712d7740cafc96abd9273bce52c2df2cd45ac6be95444d6f1eafdc73f2fba1e49168f596841cc67c6d234a2e86356a79253aec8971aed61
-
Filesize
224B
MD5b0aded51ef3356a370e46306c110a5f8
SHA1c9f20e1ed54514e390b72a415b66b9d76fa2330c
SHA2564c659f05db175bac695991a43a605b7de080823fe6251855e6b5de6c17229fc1
SHA5124a3934bf100623bae7b01235874c5d528a7d807d9fbc784cb44b269421f1f4d80443a58192fee0125990f24babf7a8189c3264656894c4d5284356a6232ae0cf
-
Filesize
224B
MD5ba0bd869f0dc5408daabf58b01464c5c
SHA140e93f1c09d23fb504bbd0a446456f80698a9c05
SHA2562b3bbabe85a59d2822c283685ebe4e51f2fa699317e2d1198e3df8cf472c207f
SHA5121f2c692b223d9e904d5e8535e0189c36e29809e2bfe8737fbd534fa0a3a1958d0477ca9ce43e08adf608e5148f5f87d54047f9c5580d62578a8344a88e9024d6
-
Filesize
224B
MD52705a5c74d86fb71a9230058456c835c
SHA100663bd97d5eeb32a4b54ef2972c34d828c314f8
SHA2565f1a87e1005a5f9931e9f1e85f3e9dabd01214164328c7f03095fde76b2d146f
SHA51261c07c9d36de8ecc4526ae53932c652b7ef41ee1ec55cc7194f39036b714e4ce9580bdb97f3ddbc4cadebadffc2d16b3caed1196d50b460ef9a9fd60cde16d9d
-
Filesize
224B
MD58fff84a1b8217222b8cecec95ef66a82
SHA17f129fbd383cecae6dde0b72451890a205f621c3
SHA25668393bce828dc977ddbd49ca9fb55275273b9b143071d5facfdcfa7c675e8c95
SHA51219f82e78db5d70fe7783526ec0e46fa7f0b9813c3fa6cf8d96a154f13116cba97877f99d8c84fd28dd34c373fd98fb84d6711475c75066b21ff84332349a43c4
-
Filesize
224B
MD5178b02ac764b24a495275d66665ca14c
SHA1e8f87d7798659dfa00c0b55e1843e90d5ca2acb2
SHA2566348158e0cca305d62f55fc9e7c41eeb6dfc4e4172ad43422820fb613de2093e
SHA512c8b438c0cf24be2cf36b1162adfde75a6706d57ef9ff9642c4e7d3302a1c44be5d25270674d7a0cbc3d9113752a792592a16e8d298e8af977614eee7b7f60f64
-
Filesize
224B
MD51113d087fafa88a6f6d10d83158ffb70
SHA10df72420518fdac99ea0af60fce7a009400eab5f
SHA256ca5407aab71c88ba3d33712b00dfdfa4d311547ff8ef9dd075a0c286a7029a47
SHA512758aa4879b5eb0c2b2b89bfc14ce17200240ba985604dde56abb472939e645aec80abd01607c35ad033b44b067fe0633cd52e45130a786745962b8d15f3159e6
-
Filesize
224B
MD54e9db6a94c3840b4130055ea4d41e47c
SHA103e3c34c9d321f3ad1c02ad967d190ab26124315
SHA256842c89a6f51fe4cc94f61f1b0bd00642f4767bc8f0872237b129f4dd6ba45bb9
SHA51205641136e824377e44a7d6bf4988fd2f22fa8c094dbcf114c9e53fe4b61900d8aa8719aa27f9230fd1ea635ec8ee306e877f265c5dbe10b0cd4d9e9ec66a074c
-
Filesize
224B
MD54d182d3942a82cdaacf77366e20f4ca9
SHA12394bdc6587eb0ef8ce3f0550196bb2c2dc04c84
SHA25601904d2f2517605fbcdb1de7a8d2a33987118d8f0bad13c8489abfcfd837eaca
SHA512a9deeea0f584635b2093fa21842747937509aaab141799f1bd363c7dcd934f70faabc36c7d773063b2d58233115296ae0dd1fa64b7e8bda1744af60f6442e9c0
-
Filesize
224B
MD5164202bfd7b6615e2ccac196efbfc8f0
SHA1cc34a18dfb9d7ed422120c9a6da2013e034eb6f6
SHA2567126206f7b447dc003ec40edaef40191c4ffb47629d2e3a0a828f9723400b42a
SHA51218e708942d68b3052579efefbab710c099756dd18e426c7e5a2682bfdfdbe364a50982e9f64ebe3bb9b2a59d0af99c7d2efd09d43d05bfdf0c6a617802aaf29a
-
Filesize
224B
MD52b4d3e1a79057e25bbd723a225ac1921
SHA1ee7be9b1ae0869adaba9706ab734b06626ea7d7f
SHA256aa542f83c963e923b67d1b7b877c8b1978e44c0150283076cc16ce8fe891c07f
SHA5121adedd9559cedf826fc091c81f5b1b728d21a683a6a1193771765b959c856a6371dfc1a4960d3c7311c868234818af3c6237f1824fa59b3ece326f6a5a673895
-
Filesize
224B
MD52751377094d433bb9956a686762452f3
SHA1bf2b6e331f18f71660be27aa98c29e0694e44887
SHA256cc82ab3c61d42ee5ccebf9043d901e84ac8ddfc27d5ac839f822ef44fcdd111b
SHA5124bc05e1579664c577e2a8aefa44c36c76022f944b067067eca6121b6019f37e0ee6ca347b33df45a22e227f107e033275ce02b12f845883ce0bd11afbf9bfe4e
-
Filesize
348KB
MD5222eb2520861357489b7a11a99656e3f
SHA1fb21802a64e6bbc3a9746e5ee5e4f92c2dc8bfcf
SHA25612d3a5848962353e0799964d9774bbbbf63c8d77a924f3cc14df49039c2ecb73
SHA512991d90dda45c324e4b15a3cf3d0f5209d2f71c4d3145169215737c448d8ce0da494f32a2187e5bddb4eac488a48e18b061ff7bd42d1a28458e472359af798ecb
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
584KB
-
Filesize
240KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
376KB