quasar | e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ogpayload.exe
Size

507KB
MD5

4e7b96fe3160ff171e8e334c66c3205c
SHA1

ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f
SHA256

e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c
SHA512

2e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48
SSDEEP

6144:mMqQ4i1FFiEKS5huOMGOjBbqSJvoUdy6RIQ9+F2q7N5YrKywP:XpliiqGOj4S5oUdy6WPPYWywP

Score

10^/10

quasar school discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

School

gamwtonxristo.ddns.net:1717

Mutex

QSR_MUTEX_M3Vba1npfJg3Ale25C

Attributes

encryption_key
VtojWKM7f1XyCVdB41wL
install_name
comctl32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Startup Scan
subdirectory
Windows Defender

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogpayload.exe
	2	ip-api.com	Process not Found
	11	ip-api.com	Process not Found
	18	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 14 IoCs

resource	yara_rule
behavioral1/memory/2504-1-0x0000000000D80000-0x0000000000E06000-memory.dmp	family_quasar
behavioral1/files/0x00080000000186cc-5.dat	family_quasar
behavioral1/memory/2728-10-0x0000000000050000-0x00000000000D6000-memory.dmp	family_quasar
behavioral1/memory/2660-31-0x0000000001340000-0x00000000013C6000-memory.dmp	family_quasar
behavioral1/memory/1456-49-0x0000000001340000-0x00000000013C6000-memory.dmp	family_quasar
behavioral1/memory/1792-67-0x0000000000100000-0x0000000000186000-memory.dmp	family_quasar
behavioral1/memory/1732-85-0x0000000000AB0000-0x0000000000B36000-memory.dmp	family_quasar
behavioral1/memory/2656-103-0x00000000010C0000-0x0000000001146000-memory.dmp	family_quasar
behavioral1/memory/2212-121-0x0000000001310000-0x0000000001396000-memory.dmp	family_quasar
behavioral1/memory/3044-139-0x0000000001310000-0x0000000001396000-memory.dmp	family_quasar
behavioral1/memory/2860-164-0x00000000002F0000-0x0000000000376000-memory.dmp	family_quasar
behavioral1/memory/2724-174-0x0000000000CF0000-0x0000000000D76000-memory.dmp	family_quasar
behavioral1/memory/1680-184-0x00000000011D0000-0x0000000001256000-memory.dmp	family_quasar
behavioral1/memory/1464-194-0x00000000011D0000-0x0000000001256000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2728	comctl32.exe
2660	comctl32.exe
1456	comctl32.exe
1792	comctl32.exe
1732	comctl32.exe
2656	comctl32.exe
2212	comctl32.exe
3044	comctl32.exe
2520	comctl32.exe
2860	comctl32.exe
2724	comctl32.exe
1680	comctl32.exe
1464	comctl32.exe
3056	comctl32.exe
996	comctl32.exe

Loads dropped DLL 64 IoCs

pid	Process
2504	ogpayload.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
448	WerFault.exe
448	WerFault.exe
448	WerFault.exe
448	WerFault.exe
448	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
1132	WerFault.exe
1132	WerFault.exe
1132	WerFault.exe
1132	WerFault.exe
1132	WerFault.exe
1612	WerFault.exe
1612	WerFault.exe
1612	WerFault.exe
1612	WerFault.exe
1612	WerFault.exe
1088	WerFault.exe
1088	WerFault.exe
1088	WerFault.exe
1088	WerFault.exe
1088	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2508	WerFault.exe
2508	WerFault.exe
2508	WerFault.exe
2508	WerFault.exe
2508	WerFault.exe
628	WerFault.exe
628	WerFault.exe
628	WerFault.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
11	ip-api.com
18	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
2044	2728	WerFault.exe	33
2020	2660	WerFault.exe	41
448	1456	WerFault.exe	50
2532	1792	WerFault.exe	58
2880	1732	WerFault.exe	66
2616	2656	WerFault.exe	74
1132	2212	WerFault.exe	82
1612	3044	WerFault.exe	90
1088	2520	WerFault.exe	98
2056	2860	WerFault.exe	106
2876	2724	WerFault.exe	114
2508	1680	WerFault.exe	122
628	1464	WerFault.exe	130
1912	3056	WerFault.exe	138
800	996	WerFault.exe	146

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogpayload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2892	PING.EXE
2232	PING.EXE
608	PING.EXE
1964	PING.EXE
860	PING.EXE
1192	PING.EXE
1272	PING.EXE
2604	PING.EXE
2320	PING.EXE
2540	PING.EXE
896	PING.EXE
1272	PING.EXE
2124	PING.EXE
1268	PING.EXE
1796	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1272	PING.EXE
2604	PING.EXE
1272	PING.EXE
2320	PING.EXE
1268	PING.EXE
2540	PING.EXE
2124	PING.EXE
1796	PING.EXE
608	PING.EXE
2892	PING.EXE
2232	PING.EXE
1964	PING.EXE
860	PING.EXE
1192	PING.EXE
896	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1736	schtasks.exe
2780	schtasks.exe
2812	schtasks.exe
588	schtasks.exe
1612	schtasks.exe
2796	schtasks.exe
2444	schtasks.exe
1808	schtasks.exe
880	schtasks.exe
2248	schtasks.exe
2136	schtasks.exe
304	schtasks.exe
996	schtasks.exe
1708	schtasks.exe
1900	schtasks.exe
2732	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	ogpayload.exe
Token: SeDebugPrivilege	2728	comctl32.exe
Token: SeDebugPrivilege	2660	comctl32.exe
Token: SeDebugPrivilege	1456	comctl32.exe
Token: SeDebugPrivilege	1792	comctl32.exe
Token: SeDebugPrivilege	1732	comctl32.exe
Token: SeDebugPrivilege	2656	comctl32.exe
Token: SeDebugPrivilege	2212	comctl32.exe
Token: SeDebugPrivilege	3044	comctl32.exe
Token: SeDebugPrivilege	2520	comctl32.exe
Token: SeDebugPrivilege	2860	comctl32.exe
Token: SeDebugPrivilege	2724	comctl32.exe
Token: SeDebugPrivilege	1680	comctl32.exe
Token: SeDebugPrivilege	1464	comctl32.exe
Token: SeDebugPrivilege	3056	comctl32.exe
Token: SeDebugPrivilege	996	comctl32.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2728	comctl32.exe
2660	comctl32.exe
1456	comctl32.exe
1792	comctl32.exe
1732	comctl32.exe
2656	comctl32.exe
2212	comctl32.exe
3044	comctl32.exe
2520	comctl32.exe
2860	comctl32.exe
2724	comctl32.exe
1680	comctl32.exe
1464	comctl32.exe
3056	comctl32.exe
996	comctl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2796	2504	ogpayload.exe	31
PID 2504 wrote to memory of 2796	2504	ogpayload.exe	31
PID 2504 wrote to memory of 2796	2504	ogpayload.exe	31
PID 2504 wrote to memory of 2796	2504	ogpayload.exe	31
PID 2504 wrote to memory of 2728	2504	ogpayload.exe	33
PID 2504 wrote to memory of 2728	2504	ogpayload.exe	33
PID 2504 wrote to memory of 2728	2504	ogpayload.exe	33
PID 2504 wrote to memory of 2728	2504	ogpayload.exe	33
PID 2728 wrote to memory of 2732	2728	comctl32.exe	34
PID 2728 wrote to memory of 2732	2728	comctl32.exe	34
PID 2728 wrote to memory of 2732	2728	comctl32.exe	34
PID 2728 wrote to memory of 2732	2728	comctl32.exe	34
PID 2728 wrote to memory of 2836	2728	comctl32.exe	36
PID 2728 wrote to memory of 2836	2728	comctl32.exe	36
PID 2728 wrote to memory of 2836	2728	comctl32.exe	36
PID 2728 wrote to memory of 2836	2728	comctl32.exe	36
PID 2728 wrote to memory of 2044	2728	comctl32.exe	38
PID 2728 wrote to memory of 2044	2728	comctl32.exe	38
PID 2728 wrote to memory of 2044	2728	comctl32.exe	38
PID 2728 wrote to memory of 2044	2728	comctl32.exe	38
PID 2836 wrote to memory of 2648	2836	cmd.exe	39
PID 2836 wrote to memory of 2648	2836	cmd.exe	39
PID 2836 wrote to memory of 2648	2836	cmd.exe	39
PID 2836 wrote to memory of 2648	2836	cmd.exe	39
PID 2836 wrote to memory of 2604	2836	cmd.exe	40
PID 2836 wrote to memory of 2604	2836	cmd.exe	40
PID 2836 wrote to memory of 2604	2836	cmd.exe	40
PID 2836 wrote to memory of 2604	2836	cmd.exe	40
PID 2836 wrote to memory of 2660	2836	cmd.exe	41
PID 2836 wrote to memory of 2660	2836	cmd.exe	41
PID 2836 wrote to memory of 2660	2836	cmd.exe	41
PID 2836 wrote to memory of 2660	2836	cmd.exe	41
PID 2660 wrote to memory of 1808	2660	comctl32.exe	43
PID 2660 wrote to memory of 1808	2660	comctl32.exe	43
PID 2660 wrote to memory of 1808	2660	comctl32.exe	43
PID 2660 wrote to memory of 1808	2660	comctl32.exe	43
PID 2660 wrote to memory of 1744	2660	comctl32.exe	45
PID 2660 wrote to memory of 1744	2660	comctl32.exe	45
PID 2660 wrote to memory of 1744	2660	comctl32.exe	45
PID 2660 wrote to memory of 1744	2660	comctl32.exe	45
PID 2660 wrote to memory of 2020	2660	comctl32.exe	47
PID 2660 wrote to memory of 2020	2660	comctl32.exe	47
PID 2660 wrote to memory of 2020	2660	comctl32.exe	47
PID 2660 wrote to memory of 2020	2660	comctl32.exe	47
PID 1744 wrote to memory of 1480	1744	cmd.exe	48
PID 1744 wrote to memory of 1480	1744	cmd.exe	48
PID 1744 wrote to memory of 1480	1744	cmd.exe	48
PID 1744 wrote to memory of 1480	1744	cmd.exe	48
PID 1744 wrote to memory of 1272	1744	cmd.exe	49
PID 1744 wrote to memory of 1272	1744	cmd.exe	49
PID 1744 wrote to memory of 1272	1744	cmd.exe	49
PID 1744 wrote to memory of 1272	1744	cmd.exe	49
PID 1744 wrote to memory of 1456	1744	cmd.exe	50
PID 1744 wrote to memory of 1456	1744	cmd.exe	50
PID 1744 wrote to memory of 1456	1744	cmd.exe	50
PID 1744 wrote to memory of 1456	1744	cmd.exe	50
PID 1456 wrote to memory of 2444	1456	comctl32.exe	51
PID 1456 wrote to memory of 2444	1456	comctl32.exe	51
PID 1456 wrote to memory of 2444	1456	comctl32.exe	51
PID 1456 wrote to memory of 2444	1456	comctl32.exe	51
PID 1456 wrote to memory of 3036	1456	comctl32.exe	53
PID 1456 wrote to memory of 3036	1456	comctl32.exe	53
PID 1456 wrote to memory of 3036	1456	comctl32.exe	53
PID 1456 wrote to memory of 3036	1456	comctl32.exe	53

C:\Users\Admin\AppData\Local\Temp\ogpayload.exe
"C:\Users\Admin\AppData\Local\Temp\ogpayload.exe"
1⤵
- Quasar RAT
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ogpayload.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2796
- C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
  "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\UQ9uojWntJnp.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2648
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2604
  - - C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
      "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1808
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vGmYXSliVJnl.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1744
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1272
      - C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1OEm1Cqb7O1C.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JEAiGtxLbrbz.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GpqfPw6XVOXi.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1964
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qkKBL15gQ0gw.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:860
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2212
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7yS1pq38tWja.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1268
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JEhucO3ijK4z.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1796
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GqMqmRCtdqzi.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2540
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0LNAvPSXhw5E.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hpZkIcYqGDUq.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1192
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XrXc0XasW4AB.bat" "
        25⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1272
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vfMWvVfTcGTD.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2232
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        29⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lgKPdQhVt7AX.bat" "
        29⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:608
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        31⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0xN1DirOFjBr.bat" "
        31⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 1440
        31⤵
        Program crash
        
        PID:800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1428
        29⤵
        Program crash
        
        PID:1912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 1436
        27⤵
        Loads dropped DLL
        Program crash
        
        PID:628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1428
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:2508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1428
        23⤵
        Loads dropped DLL
        Program crash
        
        PID:2876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 1408
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:2056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1436
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:1088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1424
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:1612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1432
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:1132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1428
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:2616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1436
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:2880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 1416
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:2532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1436
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:448
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1436
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 1468
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0LNAvPSXhw5E.bat

Filesize
219B

MD5
40c0fa80057461b20e379274bbec2136

SHA1
a5c73ac9010b0520ea6edfa5c950ab643dc5bf15

SHA256
0751354f5186557f4e15f2435aa7276af35e28246c26272f6d547c84ff9cf447

SHA512
b7dadf382638f9fc6a3a1d06ccb131268cfa5fb5055a0d05dc7d4924a8c3b7f9dec1af98f44a8d41653544e6beda896075c731f68f45eba18a2f882de0ab26e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xN1DirOFjBr.bat

Filesize
219B

MD5
218f0275c29b4a770e336224d499d892

SHA1
24bea51a509ecfbbefdd99aa39efcbbfa2ba50e0

SHA256
dc3b6a7b43dfb4230610688606f79fe65e212a6818f506125f3a3d9539387fd3

SHA512
baf252d8df5e347f2bd87551c66fc1aa82bb23242025bb30532c1d61a2175900d08482986a2eb90cd045d2ca2894b77247ec37c934a317fa19d867b084dde940

Download Submit
C:\Users\Admin\AppData\Local\Temp\1OEm1Cqb7O1C.bat

Filesize
219B

MD5
a3426d7b5e02b332ed518572c098396a

SHA1
1afcba622661546abdd8d4975f3d088438914ce8

SHA256
1f2517186d80a12ec63a0a6a67a758a7c9d54677ad9c507f3f5e188ebdb3eb7e

SHA512
1639ab01dc6ac6d72a7ae37fcc22e8275158ddf27d002de33a0e47cd3d2941f937e72443172723276f4a0ac276742d6ef6a8d19a2958169767aa9591a23c793d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7yS1pq38tWja.bat

Filesize
219B

MD5
9a9456029cde11a59301cfae422bc681

SHA1
aa08c9416341ec874eb1ff37edb5d0497497241f

SHA256
b048a8ab7a045d675852ebf8e96db5461b5bafb8d5486612e483a761b8e2b58e

SHA512
bae52c95ef0e0ffe10ff3dcf2e83997136f04c54f572528092579bf799744cd050b8bc46c2ce6507be123c3e89adc7b500d1c61467a6ac237cd40a43bccb5441

Download Submit
C:\Users\Admin\AppData\Local\Temp\GpqfPw6XVOXi.bat

Filesize
219B

MD5
b4adf411ae0ec40cfbadaf581866f32d

SHA1
ac5437c32da9a889b7fe4502fef84ed0a9c8d9c9

SHA256
52dc8b4e0ba3a6edbfb6f1a1f957465447ea9996faf9538b2a0d014dd9f04157

SHA512
d4038ee610f78b81e9d688314bcced684e2dd077e00688cf014d298347a4091cf7d5e4c4fecf7e007165cfee8d0a4e1a43746a80ba5efa1a29c2bf6668936982

Download Submit
C:\Users\Admin\AppData\Local\Temp\GqMqmRCtdqzi.bat

Filesize
219B

MD5
6845901839e36b4a9f46bd16207a6a28

SHA1
b51ab06744b74c5ab2ee9e30d0552ddd4855c132

SHA256
b95bcaf42d8d5903cedee091241f86307564c20761514df4133648a6bec2db5b

SHA512
f403bb3d67ff5f751786c44ccaaa18c1a8d7978a11647e1a14c35bf9a8a009ba5ca22c24b15ee62fdb749976c34aa2a61a26d20d1537eda0e9a38682d1b93da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEAiGtxLbrbz.bat

Filesize
219B

MD5
55191c0ff3ed391f6fa6fd03fcfa6212

SHA1
8201a0c65a1a2ef442eb3d06655eed31cb4893a7

SHA256
0dd18836a60b8b10ef109d0cea27d81478c9924b991c23ddb467586b236ae8d7

SHA512
d4d7e1c199b978be62a8efce30b03f03f03840b46c2f9e3e55806ef7b5ebfdd04d973cd6f16009e3aa1155581137ba2dec5da1108919804eedab03da421c037e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEhucO3ijK4z.bat

Filesize
219B

MD5
75f1d32e5ee0574550a58c0dca2975de

SHA1
f428fa830324be7f0832b15d36f8df2674b76fde

SHA256
53706f4e97910c00cb0fb31f3076c61c2a681f096118c4e67f5968751c0ef13f

SHA512
8eaf9b3162fee35716319d58f2f5598adb822d04f65f9cc2efd88a90f64c3ce1e1c5b4e66960f5cca1dbf88e60f2386aaa2b4561400861d3bacb641d55efa8fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQ9uojWntJnp.bat

Filesize
219B

MD5
e2d419d1479184b6b1a6bbf8fe958307

SHA1
a11724fc39dd70fc59f53d2a4689e0c9bc5d6dc5

SHA256
6ada2c3133f7c31d00d63a54730188eae571df95afd36d9b87a7e5fbed976e99

SHA512
55f7871f89b7dea73d28d68b523442b2655edb51deb7fe66e91ea998e434eb647490b510fd26eeb5666fedc8fd458610b34370e33a1e0033e02ae72945ef8a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XrXc0XasW4AB.bat

Filesize
219B

MD5
67a5f46e69b1c5a3beb1ee0e1d51aed6

SHA1
4a4e912a9c524efb6fab7e532bc22ed761fa36c0

SHA256
aa2c9b664d4fb09710568ba0a5e3b2e893d2bb9e63a1ed4b6e6113f5d8cb8ddd

SHA512
07f21f8885128ebb3a5c56b100fab04f394dcf6db3c28c0f19174a6fc727d1843be594078bf8b8da4b4e07c8d388651d73271531c5737ffa34c0852c3f53e6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpZkIcYqGDUq.bat

Filesize
219B

MD5
51fd5f6db4c7fabfe39fc2f03209b207

SHA1
22580aac36ea8ccf40fa1c68064df6e1a5338095

SHA256
460518833a74593fc393afebd5bc030ba0806cab3cb761db069aba7666e06d28

SHA512
2039c3a069f56b90e95c385e5a4583b8e0d19f9c331c4a9f478eb0f6025804617d4eccea1a7cdd05fd2f640bfe6c2295e39039ed2ad5d884d7665ecdb0d8fe7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgKPdQhVt7AX.bat

Filesize
219B

MD5
bc2821703c079f489e1c0eaf76a5c0d4

SHA1
91a0762c9155a715ef8271553be18a055b7aaff9

SHA256
6b046b245d16a9422d8b0fa9d761ec5d6504d60fd5921c667c70732ea2ffed38

SHA512
fa1156b3a7fc657cb1424dd23795af128aadb72d3aa932a673a2a0027381565dd0102449c5090450abb1c11444846d01500006db517b9bf042c45d6e0b9400d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkKBL15gQ0gw.bat

Filesize
219B

MD5
d9d29908bb7582297fa474876881d0ff

SHA1
d28ee2d633800a15dabc53071e445807b4402ce8

SHA256
8383c53ab897ead6ac12375e95eb06f32bcf6b8003396364f3dce86db701d5ae

SHA512
1e9c87bed5298a568dee50c48803f596328c368461931fbde86ab18ba6f6090f63205f08e2ae95f8ab5b04f59426ef0fe1c7ec425b91cf88eec09999e19a2bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGmYXSliVJnl.bat

Filesize
219B

MD5
5e0b1314c6159f55883628809e45db20

SHA1
920298fb28514383fd397883dd21e3f77bfcd61f

SHA256
086470025f5783c734bfeefab4aabb021f038d57b830d529768eb2d2551b4b20

SHA512
bf95df462bf669dae6cd66a2ea2b51f972cab6c65bf6f9572d7030b729f44d8d7760e8ae21e7356d7bb1392309e1c9c007a641af673c13eed9784f0998982df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vfMWvVfTcGTD.bat

Filesize
219B

MD5
e73f3c079b8263777c2f1ab091e52c52

SHA1
9c03154114c65dd6eb28d73527346cc656be0828

SHA256
62a11d9b651798fe9abb4327f1d060930cf4568ca415d789e0949b20cee065b4

SHA512
d03270512438fc1552e883aa51ecda18d468a15ba771bc8bce3c9f1e960a43e559ee627eacd7ec8df11127fd8bb5105be377a0f154deca22bae704de355fb184

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
8dab4ced399830a2806278e53b16d55a

SHA1
faa9c8785908878713ae83758c3c07ac8697e679

SHA256
d12ec68f02612c9c97e2accf6aa27c470fe3e21a75f92c3fc76c94ce3c33f1ba

SHA512
b1f45811457c2695c428567e29934041070c5e35373517908eab0536af52969ce0dbbfd2fe503716a3bfe3b784a654d9ecc981892503c7dcf060aa135492640b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
650340775d12ae41b77c7c8f07286f2a

SHA1
b73032c29a01f7e678791a1917fbfda15dbac0c8

SHA256
f9035734e557b67335c265dd49bfb58196f94fc9542f23b21ab3db8b1d3d144d

SHA512
6d7d0ec9f82ccfb0c66202b7342255afff5a4d7f0bad2c854743f4f1b3885f084fedb993ac9249f81fd2a2da541c4ded60a298a4cfe84b7a3f9b1e580f60a11b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
97ea017f438ffff54db44eb84c2ef4d7

SHA1
841eea43caba2d9fe5235fb6a24699b9f72a1130

SHA256
98ff9ba860782dafb9de46ea102fcfedca3f4cfcc82958bfc3b4d51b4adec35a

SHA512
4d2b565e09f6f05202f597e101c0f822c0ceb01aa3f4d72a38aa6e5ed3a4934ddac8ad7450bb9295ac4330d4f111c37cf837e160f6e4b8a63d339ef19f5675a2

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
caeb98847976cab855c11b8782e417f8

SHA1
759a4acbbd506dbcf175b93ee6e1be3bfd89053f

SHA256
2bba35a0c4761955b34c9041e77d31fbe78d6124853954629660272ad40c8ddd

SHA512
cedfc2e31af29c4012bfdfa1a78da7e428b9372d81b9b1b89c11d1eb1f71803bcd5e323c80a2b0090460f5d1bef006f11d3179bbb9627bdfbd02f7d898f7c6aa

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
4974070f50ac7cccf4c2b084a7390554

SHA1
9ca68d900f69341ef59d0d72489ae6b2cce083bb

SHA256
8d106ef0e5a6a8a5618b2d7fc6d49f59714c87b7693fe5f03c94649d08aa97fe

SHA512
e80c0a3ca5fc7999ef8ce2947c2c84c87a1fa1d2f62f40044e8d3ca88c5720249ae85ca2ad6ad973263213f85b47cc3a10ed53e91f85bf0289115d526639f447

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
d5d253633ca3387d6e0dcf16358a71c8

SHA1
fca8b75afc1c1ebc06f7c0a1020e4aa75b03cb70

SHA256
bf9ecf550ee0ef930780bb8005abf7c3feb1a99bdbea192cfb614a933af46035

SHA512
386e68ceda275218edd314efc63b1b5796bef1b391854403f07bbeeebd2954c607df8bc2d0bb6118024b7d46a92f2c3bdb17dfc76765a765318b3c6cb47e5ad6

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
9c7e8a4829751784511c17f697604569

SHA1
a7604de1e809160f2e6e5ad6a4d8ca999b3ebc12

SHA256
d2163e511143d638218a4ca46c01959dc592c012d4c4f44b80283ec0c9f0ace5

SHA512
ffc1ff8bf83c0d86f63d6776661529b28b93449a848f175e0658be38c48021ed09188622397aa22af69759cbaa826e119bcbb1439036cf1003022ace23323238

Download Submit
\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe

Filesize
507KB

MD5
4e7b96fe3160ff171e8e334c66c3205c

SHA1
ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f

SHA256
e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c

SHA512
2e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48

Download Submit
memory/1456-49-0x0000000001340000-0x00000000013C6000-memory.dmp

Filesize
536KB

Download
memory/1464-194-0x00000000011D0000-0x0000000001256000-memory.dmp

Filesize
536KB

Download
memory/1680-184-0x00000000011D0000-0x0000000001256000-memory.dmp

Filesize
536KB

Download
memory/1732-85-0x0000000000AB0000-0x0000000000B36000-memory.dmp

Filesize
536KB

Download
memory/1792-67-0x0000000000100000-0x0000000000186000-memory.dmp

Filesize
536KB

Download
memory/2212-121-0x0000000001310000-0x0000000001396000-memory.dmp

Filesize
536KB

Download
memory/2504-1-0x0000000000D80000-0x0000000000E06000-memory.dmp

Filesize
536KB

Download
memory/2504-2-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-13-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-0-0x000000007485E000-0x000000007485F000-memory.dmp

Filesize
4KB

Download
memory/2656-103-0x00000000010C0000-0x0000000001146000-memory.dmp

Filesize
536KB

Download
memory/2660-31-0x0000000001340000-0x00000000013C6000-memory.dmp

Filesize
536KB

Download
memory/2724-174-0x0000000000CF0000-0x0000000000D76000-memory.dmp

Filesize
536KB

Download
memory/2728-11-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-10-0x0000000000050000-0x00000000000D6000-memory.dmp

Filesize
536KB

Download
memory/2728-12-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-29-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2860-164-0x00000000002F0000-0x0000000000376000-memory.dmp

Filesize
536KB

Download
memory/3044-139-0x0000000001310000-0x0000000001396000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads