quasar | e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ogpayload.exe
Size

507KB
MD5

4e7b96fe3160ff171e8e334c66c3205c
SHA1

ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f
SHA256

e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c
SHA512

2e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48
SSDEEP

6144:mMqQ4i1FFiEKS5huOMGOjBbqSJvoUdy6RIQ9+F2q7N5YrKywP:XpliiqGOj4S5oUdy6WPPYWywP

Score

10^/10

quasar school discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

School

gamwtonxristo.ddns.net:1717

Mutex

QSR_MUTEX_M3Vba1npfJg3Ale25C

Attributes

encryption_key
VtojWKM7f1XyCVdB41wL
install_name
comctl32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Startup Scan
subdirectory
Windows Defender

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	6	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogpayload.exe
	49	ip-api.com	Process not Found
	71	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/5004-1-0x00000000005A0000-0x0000000000626000-memory.dmp	family_quasar
behavioral2/files/0x0008000000023cba-11.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	comctl32.exe

Executes dropped EXE 14 IoCs

pid	Process
3152	comctl32.exe
4436	comctl32.exe
4308	comctl32.exe
1276	comctl32.exe
2128	comctl32.exe
5036	comctl32.exe
2148	comctl32.exe
672	comctl32.exe
4872	comctl32.exe
1916	comctl32.exe
3508	comctl32.exe
3492	comctl32.exe
1160	comctl32.exe
4124	comctl32.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com
49	ip-api.com
71	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
864	3152	WerFault.exe	87
4512	4436	WerFault.exe	97
2904	4308	WerFault.exe	112
3480	1276	WerFault.exe	123
3928	2128	WerFault.exe	132
1892	5036	WerFault.exe	141
4064	2148	WerFault.exe	150
4656	672	WerFault.exe	159
4784	4872	WerFault.exe	168
4740	1916	WerFault.exe	177
2548	3508	WerFault.exe	186
3724	3492	WerFault.exe	195
2460	1160	WerFault.exe	204
3876	4124	WerFault.exe	213

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogpayload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1052	PING.EXE
2248	PING.EXE
1748	PING.EXE
3952	PING.EXE
3724	PING.EXE
668	PING.EXE
3512	PING.EXE
2248	PING.EXE
3520	PING.EXE
3516	PING.EXE
1836	PING.EXE
4116	PING.EXE
5100	PING.EXE
3080	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
3512	PING.EXE
2248	PING.EXE
668	PING.EXE
3952	PING.EXE
4116	PING.EXE
5100	PING.EXE
3516	PING.EXE
3080	PING.EXE
2248	PING.EXE
3520	PING.EXE
1748	PING.EXE
1836	PING.EXE
1052	PING.EXE
3724	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1652	schtasks.exe
4000	schtasks.exe
1848	schtasks.exe
1384	schtasks.exe
2248	schtasks.exe
1848	schtasks.exe
4596	schtasks.exe
3188	schtasks.exe
1544	schtasks.exe
1192	schtasks.exe
4892	schtasks.exe
540	schtasks.exe
4528	schtasks.exe
4428	schtasks.exe
672	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	5004	ogpayload.exe
Token: SeDebugPrivilege	3152	comctl32.exe
Token: SeDebugPrivilege	4436	comctl32.exe
Token: SeDebugPrivilege	4308	comctl32.exe
Token: SeDebugPrivilege	1276	comctl32.exe
Token: SeDebugPrivilege	2128	comctl32.exe
Token: SeDebugPrivilege	5036	comctl32.exe
Token: SeDebugPrivilege	2148	comctl32.exe
Token: SeDebugPrivilege	672	comctl32.exe
Token: SeDebugPrivilege	4872	comctl32.exe
Token: SeDebugPrivilege	1916	comctl32.exe
Token: SeDebugPrivilege	3508	comctl32.exe
Token: SeDebugPrivilege	3492	comctl32.exe
Token: SeDebugPrivilege	1160	comctl32.exe
Token: SeDebugPrivilege	4124	comctl32.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3152	comctl32.exe
4436	comctl32.exe
4308	comctl32.exe
1276	comctl32.exe
2128	comctl32.exe
5036	comctl32.exe
2148	comctl32.exe
672	comctl32.exe
4872	comctl32.exe
1916	comctl32.exe
3508	comctl32.exe
3492	comctl32.exe
1160	comctl32.exe
4124	comctl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 4528	5004	ogpayload.exe	85
PID 5004 wrote to memory of 4528	5004	ogpayload.exe	85
PID 5004 wrote to memory of 4528	5004	ogpayload.exe	85
PID 5004 wrote to memory of 3152	5004	ogpayload.exe	87
PID 5004 wrote to memory of 3152	5004	ogpayload.exe	87
PID 5004 wrote to memory of 3152	5004	ogpayload.exe	87
PID 3152 wrote to memory of 4000	3152	comctl32.exe	88
PID 3152 wrote to memory of 4000	3152	comctl32.exe	88
PID 3152 wrote to memory of 4000	3152	comctl32.exe	88
PID 3152 wrote to memory of 4056	3152	comctl32.exe	90
PID 3152 wrote to memory of 4056	3152	comctl32.exe	90
PID 3152 wrote to memory of 4056	3152	comctl32.exe	90
PID 4056 wrote to memory of 4836	4056	cmd.exe	93
PID 4056 wrote to memory of 4836	4056	cmd.exe	93
PID 4056 wrote to memory of 4836	4056	cmd.exe	93
PID 4056 wrote to memory of 2248	4056	cmd.exe	95
PID 4056 wrote to memory of 2248	4056	cmd.exe	95
PID 4056 wrote to memory of 2248	4056	cmd.exe	95
PID 4056 wrote to memory of 4436	4056	cmd.exe	97
PID 4056 wrote to memory of 4436	4056	cmd.exe	97
PID 4056 wrote to memory of 4436	4056	cmd.exe	97
PID 4436 wrote to memory of 1192	4436	comctl32.exe	98
PID 4436 wrote to memory of 1192	4436	comctl32.exe	98
PID 4436 wrote to memory of 1192	4436	comctl32.exe	98
PID 4436 wrote to memory of 3368	4436	comctl32.exe	100
PID 4436 wrote to memory of 3368	4436	comctl32.exe	100
PID 4436 wrote to memory of 3368	4436	comctl32.exe	100
PID 3368 wrote to memory of 5016	3368	cmd.exe	104
PID 3368 wrote to memory of 5016	3368	cmd.exe	104
PID 3368 wrote to memory of 5016	3368	cmd.exe	104
PID 3368 wrote to memory of 3520	3368	cmd.exe	105
PID 3368 wrote to memory of 3520	3368	cmd.exe	105
PID 3368 wrote to memory of 3520	3368	cmd.exe	105
PID 3368 wrote to memory of 4308	3368	cmd.exe	112
PID 3368 wrote to memory of 4308	3368	cmd.exe	112
PID 3368 wrote to memory of 4308	3368	cmd.exe	112
PID 4308 wrote to memory of 1848	4308	comctl32.exe	113
PID 4308 wrote to memory of 1848	4308	comctl32.exe	113
PID 4308 wrote to memory of 1848	4308	comctl32.exe	113
PID 4308 wrote to memory of 4844	4308	comctl32.exe	115
PID 4308 wrote to memory of 4844	4308	comctl32.exe	115
PID 4308 wrote to memory of 4844	4308	comctl32.exe	115
PID 4844 wrote to memory of 728	4844	cmd.exe	119
PID 4844 wrote to memory of 728	4844	cmd.exe	119
PID 4844 wrote to memory of 728	4844	cmd.exe	119
PID 4844 wrote to memory of 5100	4844	cmd.exe	120
PID 4844 wrote to memory of 5100	4844	cmd.exe	120
PID 4844 wrote to memory of 5100	4844	cmd.exe	120
PID 4844 wrote to memory of 1276	4844	cmd.exe	123
PID 4844 wrote to memory of 1276	4844	cmd.exe	123
PID 4844 wrote to memory of 1276	4844	cmd.exe	123
PID 1276 wrote to memory of 4596	1276	comctl32.exe	124
PID 1276 wrote to memory of 4596	1276	comctl32.exe	124
PID 1276 wrote to memory of 4596	1276	comctl32.exe	124
PID 1276 wrote to memory of 3352	1276	comctl32.exe	126
PID 1276 wrote to memory of 3352	1276	comctl32.exe	126
PID 1276 wrote to memory of 3352	1276	comctl32.exe	126
PID 3352 wrote to memory of 3976	3352	cmd.exe	129
PID 3352 wrote to memory of 3976	3352	cmd.exe	129
PID 3352 wrote to memory of 3976	3352	cmd.exe	129
PID 3352 wrote to memory of 1052	3352	cmd.exe	131
PID 3352 wrote to memory of 1052	3352	cmd.exe	131
PID 3352 wrote to memory of 1052	3352	cmd.exe	131
PID 3352 wrote to memory of 2128	3352	cmd.exe	132

C:\Users\Admin\AppData\Local\Temp\ogpayload.exe
"C:\Users\Admin\AppData\Local\Temp\ogpayload.exe"
1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ogpayload.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4528
- C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
  "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JY3KB3lVrep3.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:4836
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2248
  - - C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
      "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1192
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5gtl4sAQwgSj.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3368
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3520
      - C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hirIlLp6i5w6.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:728
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5100
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ixA4S0Hu9M5s.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1052
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oo7hfG1I8NTi.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5036
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKJx13lHBDfN.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3952
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2148
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\llmhTd9Uo9CS.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3724
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:672
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IImgcA2mMm51.bat" "
        17⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3516
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4872
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwOOrgNPBOzP.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:668
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgXMm8D7vhGG.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3080
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3508
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VaEot1fdp3Vd.bat" "
        23⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3492
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYLTN9b4Hqqi.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1836
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1160
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCxBcfwi5Rk6.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4248
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4116
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4124
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        29⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\11y1kTVfANAG.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:4160
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 2192
        29⤵
        Program crash
        
        PID:3876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 2224
        27⤵
        Program crash
        
        PID:2460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 2192
        25⤵
        Program crash
        
        PID:3724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 2228
        23⤵
        Program crash
        
        PID:2548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 2188
        21⤵
        Program crash
        
        PID:4740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 2204
        19⤵
        Program crash
        
        PID:4784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 2168
        17⤵
        Program crash
        
        PID:4656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 2224
        15⤵
        Program crash
        
        PID:4064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 2224
        13⤵
        Program crash
        
        PID:1892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 2192
        11⤵
        Program crash
        
        PID:3928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1672
        9⤵
        Program crash
        
        PID:3480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 2196
        7⤵
        Program crash
        
        PID:2904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1936
        5⤵
        Program crash
        
        PID:4512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 1084
    3⤵
    - Program crash
    PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3152 -ip 3152
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4436 -ip 4436
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4308 -ip 4308
1⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1276 -ip 1276
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2128 -ip 2128
1⤵
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5036 -ip 5036
1⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2148 -ip 2148
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 672 -ip 672
1⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4872 -ip 4872
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1916 -ip 1916
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3508 -ip 3508
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3492 -ip 3492
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1160 -ip 1160
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4124 -ip 4124
1⤵
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11y1kTVfANAG.bat

Filesize
219B

MD5
83cf316b2421faf96a503b45d6448360

SHA1
fa1d14d78c01a0585f3dd9b7c9609c81f81a9ccd

SHA256
eb7dd2493e9520c19a8c0eed814fefe2163d1f4017299e385e2b1d04b01b3e60

SHA512
1cd9d99b9eff186f9bc7f3c50a1297b08e7128b8a93bd012513d1cf2a3fc8d6c457161a32a05ae4473d6773f3795e892969fa5305b452ac6ec8fb38066312b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5gtl4sAQwgSj.bat

Filesize
219B

MD5
21a5a2057abbf69210aa80eed5be4740

SHA1
4a568c0136b519f32361ece05d1bc255ec1b1525

SHA256
248d109d793c7de952debe8448080e8b2c641b43e545ee54814d75f525f935f3

SHA512
84dedb720585b65aad714261d9d0814650e47ffb7385c5aff948933599daa6fd1f87792e27df9162c278ac73b1997ad62355360f024000540be4fe8ccf6e7440

Download Submit
C:\Users\Admin\AppData\Local\Temp\BgXMm8D7vhGG.bat

Filesize
219B

MD5
0ec9e240fa74066f2f507d6b910c32d5

SHA1
ada40b8bf906731bcfb522c73deab2290902adbb

SHA256
c5a98e54f8a4e646ed2b48f818f280376bb52dfc92945bd20f48f1fa3d490d17

SHA512
b151023d0c43cd75cb9fd4b6e70be733a925b0eb0b6e2e6a8fa6e143839c9c754663db0ecc910bf927cfb946318e211a99df0245ecb95811899d8c3eebb824be

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwOOrgNPBOzP.bat

Filesize
219B

MD5
d982f5067427e450b8c7cf2535ed5f0e

SHA1
d9155060aabbe56b86de913f6b17d38326256e16

SHA256
0696da7d1293ac7a1d9299fdcd2237b7973acffcb3341a6eb9cf3525771d3f75

SHA512
08ec9949d742dad54a627c5749d77871b83f148592ab65abdedcb83ca969c560b6fc38cea9713a5a71bd22a81c311f94870f2d863aef05e444bf9b5a241c7ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IImgcA2mMm51.bat

Filesize
219B

MD5
7ed4543756130e279d7d91a6056f91d5

SHA1
0555775b696ca31ec83de94274afc7b705a97da8

SHA256
577141c1d8b572ab0ceb8f890bb09cfc541e66bc1f93664cb2befe538fdc6a53

SHA512
eb54cc3d984d9a8747be0e28d5a0fb9ab3b004dd6fe1c02a6c6875e90b4f0a008ce82a76a98e95d662f93acbad3d8e901eb58738e30eab45ed017a5d0c0456d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IKJx13lHBDfN.bat

Filesize
219B

MD5
c9794a5313f9921fe100a59d5850e30a

SHA1
a4d54cbf6571b31cabcb10bb270b7cbe016e5eb8

SHA256
0516d791dc54f9826deb5086538ba586bcae0c37be486cbdfaf93da592fd3665

SHA512
a709155bd2109c1f04f1f9959432f29043b8c28394fceb7c5ab3a519007855ee4c908f25306bcfd28881584524a2373370852dcf884202b732fb39ebd7b09b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\JY3KB3lVrep3.bat

Filesize
219B

MD5
cc9ba2ca922e75a40645f4fbd709dbc4

SHA1
78f30afd63cbceb05116cbdbd1c2a6527480e902

SHA256
bc1442ee840822f2cac7c36ce1bd7319952a88711fce3c5fb9fdeaba7ab3e07a

SHA512
b5d6b2b94028382f72e74093789c10864947a878cd57723b46e9d834f7cc3915177df7bd75a204e204647135e67948ea0689543ecea9c25ee949d2a70b233282

Download Submit
C:\Users\Admin\AppData\Local\Temp\VaEot1fdp3Vd.bat

Filesize
219B

MD5
338042fffb156defca516698eaf75094

SHA1
bd3d1bdb8167b9c62731985b8aae26ec5f090c09

SHA256
2616126be08b1bbeb5af10d609c3b035e88b3f93f2059e2a5971c90f09c9cbd2

SHA512
608f976d40acff817fca8548ddbe4304de97c4604e1af291ace55cf0c6b1ca8da99d70c64e8e73f8d152de06f5b7ad3a0d7fa9c35d11121f868495da8d55f79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hirIlLp6i5w6.bat

Filesize
219B

MD5
84c9eccc3ade07e5b0df1593ae01f85e

SHA1
0ec8ec46ccfdfc9e5e0aa6e0877b899548adb329

SHA256
850352f824b72ae4c4b912180cb5cd7f07da347cf4db419a2479674bdb402237

SHA512
3333341d36e2143944f7e1278ef36d68a489bba3c9085b7d0d5fe09a88e82c21b2ac40ae454b6f4f3589e656145575836dcea17eea3aba83563c36a2c268e21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixA4S0Hu9M5s.bat

Filesize
219B

MD5
dcc70300fd37cda13eae84c791d5dc18

SHA1
bd4f17dc47b1e414a9fffe447148c6730f3d7473

SHA256
d41530ca062246a50aa609f30cb32df51641410bcc140c3dc33b7485e547c410

SHA512
6d1317c60c986c2d84a6d9a84bd5100e90d94d77a054cdc7b30fa98fd8c7b42ee2f9f963034e16a8b7bc4ece0fee4bd5cf163c557424fad0dc4364061e595652

Download Submit
C:\Users\Admin\AppData\Local\Temp\llmhTd9Uo9CS.bat

Filesize
219B

MD5
4cc9f0a6e4f18c336ca16ebd058e8f80

SHA1
dcae4d7895aa4bc311cb255bfc8c0cecff2311a9

SHA256
e425078e5e915721b7ab7ad3a394aab01d17bc57acacaa58754dd9bf949f0257

SHA512
f023a63d2416443f51ba403b737b435afce3ec842a285a496440a57783258a10c3c70bfb35b82f8278aa5e28782a43a98a3519bb0e92169c3a4e0043ca19398d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oo7hfG1I8NTi.bat

Filesize
219B

MD5
3ddfbb7204e840d362391efb17d79e11

SHA1
5ddc4dc9158d8d7069b28fcdef7682a775ddbe6b

SHA256
d696afd82d205acfedea51f707d194d9018c7eb1b0668d962052407a6f80eb86

SHA512
e402e1c37d000caab87a8b6b55bd53b5213debded1a3f1b8f406abd83b4f569d0752b7e1b61d2c1ffa082744185c22ae88a0d26a986874a6352e64cf623ece92

Download Submit
C:\Users\Admin\AppData\Local\Temp\uCxBcfwi5Rk6.bat

Filesize
219B

MD5
31f75c29d594946ea31132e8aa49af9d

SHA1
ce2086ee58c095df00981ba6afcf01ad66c41764

SHA256
d4c19507ad06d523be6e7fec971a5707a6f6c8eccb72e4615a7f54be015629fe

SHA512
14eee5eaba54558ee359960908fdb6f549dee09feecf51bca5bc424bde75676fe036f53dfdefc41c417b48352ddff9f440ad496e43e73cf2be4d3951717e6612

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYLTN9b4Hqqi.bat

Filesize
219B

MD5
f869047bdb6c0e20c989a39b2d85ae29

SHA1
75c1e19c113e8d33af34b26d20f1616767880b70

SHA256
b356b6da7cd64ecb05739f4e4ce3c1c30a71166b73941752fac01924349e0953

SHA512
cba3564cd6ae707daf9f83cb472bdf16360f079970d21467af24f5aebf06d4de30e51718c2e66f56b25eb8a9b8233b1ba15c0e338467dbbb1eea82e1881a6c62

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
f39f44fd31476a9af10678928aff9a06

SHA1
761b73d7fc6942e09a3573c77d93ed5a30620d57

SHA256
f2629ac7792252e0328ff63dddade23e901e768476e744894cf6fea72b2e3e15

SHA512
7374a8d7aa43a0cf2d166c8d7e31e1c99767451ea6964dbe3ab90a4d4e5c55a6a22e8b2bdc745749c5bead8ca2870c2549aedd26ab54ea65aa4e8d0e6209a84a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
e7bb7ab8f338deab7a3f8bcbf89e2ec0

SHA1
fbd8a1d730a3984af4cde1c0f3f771e0d9ea39a4

SHA256
00be25ab2a2edb0726c09c246bf82014da5fc6cd1f6ff2ebf0ec9d7f9cc21391

SHA512
78cd5ca7ae90ac967b9edf2980c64d61f4b926d0278c4323c139a044580d3da384ee763b08c07eea8adcab0b0b732e52c243dc4fed493664250a81c1723da359

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
dda61ad6a54e6e363ca805e6ad270fe0

SHA1
93e9107f6b88abfb75cc1a2d17ae082ee96e8b94

SHA256
5fd31e4fa6af00134506981fdfdd7926dd15260e205d01454fa4494e855d3a62

SHA512
7706c7965cbfeccb6da240a57062917084c0a3e7e7eb09662f48c6f8c0df17809420df000f547de1b5640e633db6219821622119f76a9d61e547fe6e4df84dd7

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
fa61583c269c73d2a90548fe060ddb67

SHA1
b74c5a8208af6ad4d39b08a74b10eb3dfdf812b0

SHA256
c734889e1a6030ec44883fe83f92a44911037b9f6e7a87b32263ab44802db4f8

SHA512
ecb6937aec5e6a45fa1877fe7c72daffd910806094d2165af6d5556328def28fc1b1416fa2c7ef934c169bf466e5d6ae749deed678a8799d845cc7445c56f43d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
85e3802e9ffda0e5ddade09f8e7f0182

SHA1
187ecc4fba7e28f8c535c198c5cee31fdf400ed5

SHA256
68f2361ee0fdc475626acdb011598494f0a33e38968d2ced4d926de792a02941

SHA512
f51e9bc7ad88801a9f32f1fbdaaa2f2f7dba8c695014325e8d01f6fc82f729165fdc2c668a030d573cc75943c4591782ac3b29458b4e01b5e4e96735c2121fe4

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
26e8de4a5d811bd7fe25697b2a4a4302

SHA1
2b4f39a138d76318c56cd7d343071ede39a84824

SHA256
264d8d7cc4667a7592dd8ee450ea7909ecdb50fd73415ed74fa46eec18264c73

SHA512
6b2f62d623dc0d15a32694733b87714cffb0bb9ab93d6881e13db6ed346ad3f1f7dbc4c0d64ef9cb2caacd4dde11c85aeff5b4df1e2448807930f909a432557d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
15d7c76f3f2177b0ab8f5f40b34d7373

SHA1
c38e3618809c75998dd23b355ade6b848f9b6a00

SHA256
a5f3709f810e7942ece9535a3c0ad3066c6a05314791c316aa71f07653d53d7f

SHA512
601dd3feb4e8b79ef18dc715e7aa65eadb3d891a81e453b8a7be3dba28316b2840dedc4b5d62dc4a2c0648bc7d233d4239f96104a8903a51596801ef3d43114a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
183c726a04362901a8163fd125268f8a

SHA1
51c0c0e97ce002823ecc820c3439ca313b889e8f

SHA256
daf66e44df7bbb657ab152ab3c9d63f3f8c5600b634cd591caf651cb38452825

SHA512
3074190d9944a3e6be5cc42e2b63f52621dde8856d15b99f7150e2b518ab647b8d7a2c48e3b5f9363c5e5cd570df7db58221f89401182c7ff390e592cbf4b6cc

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
bda02ec5876069663bf13acfe59aef67

SHA1
33359010d64e880227ab7009e03102affd820ac1

SHA256
e4890bc101da6e10171e32fde031703c563fc8205bc3a650b9cd68ce9baa5755

SHA512
ccbdc08de9530ee000390af8f82e44f158ffbc3a798bfebf2934d92253b832d193662178777415588af1aabe15754ce0295bf0a87ed50a9969f464071884b8fd

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
46b85736561d098a6cbadd2cc20de5a1

SHA1
4b8e6f1d90ff6deb9343b4b9d2160e294f1c4275

SHA256
fc759b83ef2b6156b61f2c596c627f81d994c65ed3b5a5c0cb5681f1db3c77ed

SHA512
ab0c7a74be5a77ebaaa46197b5aa27fd1724e089e352ba74c0d154681d9aaa9767edcc625472633cb0f26c8ac57c1b21c3bb7608187547e718b1d3a5e19d8ec8

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
18449e1c34372a15e07bb92c06ad12b9

SHA1
bc32122de51924fa2e3cda625a5051ea617b00b7

SHA256
1f67449ac17e76b3ae55ad25dcc1e0387037f57ad9fad12ed3145b1678a5f107

SHA512
c4f891d5448acdcec03e7407e04211791953f5e62eb5924c0ae5fd869982a7484650bbfdf48efcc858a5e36f85c0d98a088892b310adf0bdb0c225657d1cbdc5

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
0091e24cd66e2b616a5aff088a17dd6a

SHA1
6bfabc397a944bc628985b4e88f875387d8bd2d7

SHA256
2265e050a67a12a17c02ec178ca56a074fbe25299b9b75fd57afdfffc202e507

SHA512
85b31c5a7b7db3e56225e8db053e4aeef5596a4f795bf0586702fc4b038921f0fd4256babf34b7a2291290fd731fc174da6b44f29b44ece3829c064af38b9bcc

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
15dc63563f530eff0839ae19ad9ba0e6

SHA1
f019269a901d36d23595038c2bdc4fc288487649

SHA256
b0cfe5a2d66309799328a804747e6d1a25269a9934b726794a01cb5c2846a3ff

SHA512
d972ac2e8f60fefd9e1f765f204b2177d89ced386e258309dc6259f14da3516edab476830a4e752f59c39afec6c2a548d79707c0cc5e22269abc195d076ac998

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe

Filesize
507KB

MD5
4e7b96fe3160ff171e8e334c66c3205c

SHA1
ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f

SHA256
e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c

SHA512
2e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48

Download Submit
memory/3152-23-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/3152-16-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/3152-18-0x00000000065A0000-0x00000000065AA000-memory.dmp

Filesize
40KB

Download
memory/3152-14-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/5004-15-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/5004-7-0x0000000006280000-0x00000000062BC000-memory.dmp

Filesize
240KB

Download
memory/5004-2-0x00000000055F0000-0x0000000005B94000-memory.dmp

Filesize
5.6MB

Download
memory/5004-0-0x00000000746CE000-0x00000000746CF000-memory.dmp

Filesize
4KB

Download
memory/5004-3-0x0000000005040000-0x00000000050D2000-memory.dmp

Filesize
584KB

Download
memory/5004-5-0x00000000050E0000-0x0000000005146000-memory.dmp

Filesize
408KB

Download
memory/5004-4-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/5004-6-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/5004-1-0x00000000005A0000-0x0000000000626000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads