quasar | e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ogpayload.exe
Size

507KB
MD5

4e7b96fe3160ff171e8e334c66c3205c
SHA1

ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f
SHA256

e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c
SHA512

2e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48
SSDEEP

6144:mMqQ4i1FFiEKS5huOMGOjBbqSJvoUdy6RIQ9+F2q7N5YrKywP:XpliiqGOj4S5oUdy6WPPYWywP

Score

10^/10

quasar school discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

School

gamwtonxristo.ddns.net:1717

Mutex

QSR_MUTEX_M3Vba1npfJg3Ale25C

Attributes

encryption_key
VtojWKM7f1XyCVdB41wL
install_name
comctl32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Startup Scan
subdirectory
Windows Defender

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogpayload.exe
	2	ip-api.com	Process not Found
	11	ip-api.com	Process not Found
	18	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 16 IoCs

resource	yara_rule
behavioral1/memory/2032-1-0x0000000000FE0000-0x0000000001066000-memory.dmp	family_quasar
behavioral1/files/0x003000000001435e-5.dat	family_quasar
behavioral1/memory/2728-11-0x0000000000D00000-0x0000000000D86000-memory.dmp	family_quasar
behavioral1/memory/2792-31-0x0000000000D00000-0x0000000000D86000-memory.dmp	family_quasar
behavioral1/memory/2760-49-0x0000000000F90000-0x0000000001016000-memory.dmp	family_quasar
behavioral1/memory/376-67-0x0000000000100000-0x0000000000186000-memory.dmp	family_quasar
behavioral1/memory/1836-85-0x0000000001380000-0x0000000001406000-memory.dmp	family_quasar
behavioral1/memory/2412-103-0x0000000001380000-0x0000000001406000-memory.dmp	family_quasar
behavioral1/memory/2840-121-0x0000000001380000-0x0000000001406000-memory.dmp	family_quasar
behavioral1/memory/2660-139-0x0000000001380000-0x0000000001406000-memory.dmp	family_quasar
behavioral1/memory/2020-164-0x00000000000F0000-0x0000000000176000-memory.dmp	family_quasar
behavioral1/memory/3056-174-0x00000000008C0000-0x0000000000946000-memory.dmp	family_quasar
behavioral1/memory/2540-184-0x0000000000AD0000-0x0000000000B56000-memory.dmp	family_quasar
behavioral1/memory/2800-194-0x0000000000290000-0x0000000000316000-memory.dmp	family_quasar
behavioral1/memory/1784-204-0x0000000000FC0000-0x0000000001046000-memory.dmp	family_quasar
behavioral1/memory/340-214-0x0000000000FC0000-0x0000000001046000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2728	comctl32.exe
2792	comctl32.exe
2760	comctl32.exe
376	comctl32.exe
1836	comctl32.exe
2412	comctl32.exe
2840	comctl32.exe
2660	comctl32.exe
2188	comctl32.exe
2020	comctl32.exe
3056	comctl32.exe
2540	comctl32.exe
2800	comctl32.exe
1784	comctl32.exe
340	comctl32.exe

Loads dropped DLL 64 IoCs

pid	Process
2032	ogpayload.exe
320	WerFault.exe
320	WerFault.exe
320	WerFault.exe
320	WerFault.exe
320	WerFault.exe
1992	WerFault.exe
1992	WerFault.exe
1992	WerFault.exe
1992	WerFault.exe
1992	WerFault.exe
2784	WerFault.exe
2784	WerFault.exe
2784	WerFault.exe
2784	WerFault.exe
2784	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2428	WerFault.exe
2428	WerFault.exe
2428	WerFault.exe
2428	WerFault.exe
2428	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe
2964	WerFault.exe
2964	WerFault.exe
2964	WerFault.exe
2964	WerFault.exe
2964	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe
2848	WerFault.exe
2848	WerFault.exe
2848	WerFault.exe
2848	WerFault.exe
2848	WerFault.exe
2404	WerFault.exe
2404	WerFault.exe
2404	WerFault.exe
2404	WerFault.exe
2404	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
11	ip-api.com
18	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
320	2728	WerFault.exe	31
1992	2792	WerFault.exe	39
2784	2760	WerFault.exe	47
1976	376	WerFault.exe	57
2724	1836	WerFault.exe	65
2428	2412	WerFault.exe	73
2604	2840	WerFault.exe	81
2964	2660	WerFault.exe	89
1976	2188	WerFault.exe	97
2716	2020	WerFault.exe	105
2848	3056	WerFault.exe	113
2404	2540	WerFault.exe	121
1956	2800	WerFault.exe	129
2956	1784	WerFault.exe	137

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogpayload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2764	PING.EXE
2280	PING.EXE
1744	PING.EXE
1916	PING.EXE
2292	PING.EXE
2224	PING.EXE
624	PING.EXE
2228	PING.EXE
1780	PING.EXE
1044	PING.EXE
1440	PING.EXE
1640	PING.EXE
2124	PING.EXE
1316	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
2764	PING.EXE
2124	PING.EXE
2224	PING.EXE
1744	PING.EXE
2280	PING.EXE
2228	PING.EXE
2292	PING.EXE
1640	PING.EXE
1440	PING.EXE
1780	PING.EXE
1316	PING.EXE
1916	PING.EXE
1044	PING.EXE
624	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1920	schtasks.exe
2504	schtasks.exe
2468	schtasks.exe
1480	schtasks.exe
1428	schtasks.exe
1300	schtasks.exe
1452	schtasks.exe
2316	schtasks.exe
2552	schtasks.exe
2968	schtasks.exe
2252	schtasks.exe
536	schtasks.exe
688	schtasks.exe
2828	schtasks.exe
1872	schtasks.exe
2056	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	ogpayload.exe
Token: SeDebugPrivilege	2728	comctl32.exe
Token: SeDebugPrivilege	2792	comctl32.exe
Token: SeDebugPrivilege	2760	comctl32.exe
Token: SeDebugPrivilege	376	comctl32.exe
Token: SeDebugPrivilege	1836	comctl32.exe
Token: SeDebugPrivilege	2412	comctl32.exe
Token: SeDebugPrivilege	2840	comctl32.exe
Token: SeDebugPrivilege	2660	comctl32.exe
Token: SeDebugPrivilege	2188	comctl32.exe
Token: SeDebugPrivilege	2020	comctl32.exe
Token: SeDebugPrivilege	3056	comctl32.exe
Token: SeDebugPrivilege	2540	comctl32.exe
Token: SeDebugPrivilege	2800	comctl32.exe
Token: SeDebugPrivilege	1784	comctl32.exe
Token: SeDebugPrivilege	340	comctl32.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2728	comctl32.exe
2792	comctl32.exe
2760	comctl32.exe
376	comctl32.exe
1836	comctl32.exe
2412	comctl32.exe
2840	comctl32.exe
2660	comctl32.exe
2188	comctl32.exe
2020	comctl32.exe
3056	comctl32.exe
2540	comctl32.exe
2800	comctl32.exe
1784	comctl32.exe
340	comctl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2552	2032	ogpayload.exe	29
PID 2032 wrote to memory of 2552	2032	ogpayload.exe	29
PID 2032 wrote to memory of 2552	2032	ogpayload.exe	29
PID 2032 wrote to memory of 2552	2032	ogpayload.exe	29
PID 2032 wrote to memory of 2728	2032	ogpayload.exe	31
PID 2032 wrote to memory of 2728	2032	ogpayload.exe	31
PID 2032 wrote to memory of 2728	2032	ogpayload.exe	31
PID 2032 wrote to memory of 2728	2032	ogpayload.exe	31
PID 2728 wrote to memory of 2468	2728	comctl32.exe	32
PID 2728 wrote to memory of 2468	2728	comctl32.exe	32
PID 2728 wrote to memory of 2468	2728	comctl32.exe	32
PID 2728 wrote to memory of 2468	2728	comctl32.exe	32
PID 2728 wrote to memory of 1196	2728	comctl32.exe	34
PID 2728 wrote to memory of 1196	2728	comctl32.exe	34
PID 2728 wrote to memory of 1196	2728	comctl32.exe	34
PID 2728 wrote to memory of 1196	2728	comctl32.exe	34
PID 2728 wrote to memory of 320	2728	comctl32.exe	36
PID 2728 wrote to memory of 320	2728	comctl32.exe	36
PID 2728 wrote to memory of 320	2728	comctl32.exe	36
PID 2728 wrote to memory of 320	2728	comctl32.exe	36
PID 1196 wrote to memory of 872	1196	cmd.exe	37
PID 1196 wrote to memory of 872	1196	cmd.exe	37
PID 1196 wrote to memory of 872	1196	cmd.exe	37
PID 1196 wrote to memory of 872	1196	cmd.exe	37
PID 1196 wrote to memory of 1044	1196	cmd.exe	38
PID 1196 wrote to memory of 1044	1196	cmd.exe	38
PID 1196 wrote to memory of 1044	1196	cmd.exe	38
PID 1196 wrote to memory of 1044	1196	cmd.exe	38
PID 1196 wrote to memory of 2792	1196	cmd.exe	39
PID 1196 wrote to memory of 2792	1196	cmd.exe	39
PID 1196 wrote to memory of 2792	1196	cmd.exe	39
PID 1196 wrote to memory of 2792	1196	cmd.exe	39
PID 2792 wrote to memory of 2828	2792	comctl32.exe	40
PID 2792 wrote to memory of 2828	2792	comctl32.exe	40
PID 2792 wrote to memory of 2828	2792	comctl32.exe	40
PID 2792 wrote to memory of 2828	2792	comctl32.exe	40
PID 2792 wrote to memory of 1956	2792	comctl32.exe	42
PID 2792 wrote to memory of 1956	2792	comctl32.exe	42
PID 2792 wrote to memory of 1956	2792	comctl32.exe	42
PID 2792 wrote to memory of 1956	2792	comctl32.exe	42
PID 2792 wrote to memory of 1992	2792	comctl32.exe	44
PID 2792 wrote to memory of 1992	2792	comctl32.exe	44
PID 2792 wrote to memory of 1992	2792	comctl32.exe	44
PID 2792 wrote to memory of 1992	2792	comctl32.exe	44
PID 1956 wrote to memory of 1988	1956	cmd.exe	45
PID 1956 wrote to memory of 1988	1956	cmd.exe	45
PID 1956 wrote to memory of 1988	1956	cmd.exe	45
PID 1956 wrote to memory of 1988	1956	cmd.exe	45
PID 1956 wrote to memory of 1640	1956	cmd.exe	46
PID 1956 wrote to memory of 1640	1956	cmd.exe	46
PID 1956 wrote to memory of 1640	1956	cmd.exe	46
PID 1956 wrote to memory of 1640	1956	cmd.exe	46
PID 1956 wrote to memory of 2760	1956	cmd.exe	47
PID 1956 wrote to memory of 2760	1956	cmd.exe	47
PID 1956 wrote to memory of 2760	1956	cmd.exe	47
PID 1956 wrote to memory of 2760	1956	cmd.exe	47
PID 2760 wrote to memory of 1872	2760	comctl32.exe	48
PID 2760 wrote to memory of 1872	2760	comctl32.exe	48
PID 2760 wrote to memory of 1872	2760	comctl32.exe	48
PID 2760 wrote to memory of 1872	2760	comctl32.exe	48
PID 2760 wrote to memory of 2904	2760	comctl32.exe	50
PID 2760 wrote to memory of 2904	2760	comctl32.exe	50
PID 2760 wrote to memory of 2904	2760	comctl32.exe	50
PID 2760 wrote to memory of 2904	2760	comctl32.exe	50

C:\Users\Admin\AppData\Local\Temp\ogpayload.exe
"C:\Users\Admin\AppData\Local\Temp\ogpayload.exe"
1⤵
- Quasar RAT
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ogpayload.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2552
- C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
  "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tzLugAoBlTk9.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1044
  - - C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
      "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2828
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\h4EYUX2fwPO9.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1640
      - C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5s3SQW7G1bhA.bat" "
        7⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:376
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\52djDyEI2yBN.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2224
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1836
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YuVmZYsowzwo.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:624
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RVMyvrrgKhBc.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ss5DVFu8Wj28.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1440
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZMHnsS0R41Rk.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2188
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\u9Iy0hvjeO3s.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WaRPxJS8Or06.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bitdS3X11xEX.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:476
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1780
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pvCk98L9xfaH.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1316
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZRC4J6bn1lgn.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        29⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\d4UT2e5bxt0J.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:340
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        31⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1420
        29⤵
        Program crash
        
        PID:2956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1420
        27⤵
        Loads dropped DLL
        Program crash
        
        PID:1956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 1420
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:2404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1440
        23⤵
        Loads dropped DLL
        Program crash
        
        PID:2848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1412
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:2716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1440
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:1976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1440
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:2964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1428
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:2604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 1436
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:2428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1428
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:2724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1452
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:1976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1436
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2784
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 1408
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 1448
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\52djDyEI2yBN.bat

Filesize
219B

MD5
b9acbfb1a9ce24405b4432db5d6d8597

SHA1
e930edd3fe9e898f1add2269a4bfc5468d4443f3

SHA256
54680e3a7e58ce6e1beb5dea1ca0d042b718ab27e4d6484c1d405d0b8c0c32d0

SHA512
e9a1c2b0d84ddb3693c781af15f9bcae4a1abedac4e6f974b1535d7a84fda9142fbb51fd8910d5422b7f245df0a8497b071ba51fc6c6239bb2a9b40bc847759a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5s3SQW7G1bhA.bat

Filesize
219B

MD5
5a366ac4910573ff64986ed10899d758

SHA1
5a7e64e91cc28fd337dd3360c67c445f07494d4e

SHA256
8e200f529876421ca3e1a6d26766e3a3def1afcd8a3786fc55777adaa02882bc

SHA512
1fdc01b1e3ee9dbee745ccd2f40c208ea6a7e64d7885f3cad2b66e6155ee4133fe6f98f6b20e5895d223f5aff28e904acd464b0328ae24ed90d810bad35a0e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVMyvrrgKhBc.bat

Filesize
219B

MD5
6094d094b70fbf974aedcf16c8101b3e

SHA1
02303c27b67192aef93b99ad8e9a28d278845be6

SHA256
d2e25ebf2e863336735e79cbee38d5ca004d7e71a8040d3067040bb99f6b2940

SHA512
90ef3db4bdfe33259944b5731de2d4daa549c225b15508d1a0038388c7353b402bd9624b3d653d05f58b0a8160e39fd5f5c8351d65410432d7c146baedd1c28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WaRPxJS8Or06.bat

Filesize
219B

MD5
ca3affce7a591a00b562325af0ee70a3

SHA1
0960f7485cf516ab814490e0be922d76b1dfcb03

SHA256
e15b8e77045c5ecf1c6b89212d6b12cb85a5a230994c2bd817ba44bd0f81da37

SHA512
ec3a1f0b3b2217680e987759a60ac5a87569aa44c18e0edad7789fcfec87754ce3cc18599f63d0c1b34f2eb153b7c16b8888c4ce5c59a7aa98ba1ade30e681c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YuVmZYsowzwo.bat

Filesize
219B

MD5
a4425466bcddde1728098df8f2a00d29

SHA1
fdf6e869212fdc109862281c330dc5b9320367d9

SHA256
7960affb85acb9f3794a58d932759539bd09830544609becf8b51dd47244fba9

SHA512
02f1f8ee1c08313f73d3a8ff20104ef91cec42045bfa17194ba20a7709fffb3da7df19dd96aa0e1be482d483f0366f54534db9c2b2e7c22add0dfe0e4a10c8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMHnsS0R41Rk.bat

Filesize
219B

MD5
80c2261ce71161f30acf6dec5cab6a65

SHA1
83033f2d158c40f010378d0b2c89564f3a6afd55

SHA256
e73ce0d5d4e70e6c8c06f4686ffae24e51d872df080297be335f5f9ce82d726c

SHA512
672f3023c42268b4dd5f5c758642fced7adae1c5b34bedaf34d71cb56b8428e06a82c188c7b8d68c21bad584c7efc138054c8ffa3dd46f417373c2adb61397cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZRC4J6bn1lgn.bat

Filesize
219B

MD5
065253950aedd290d7141864a4c80e27

SHA1
175fab05cf23efa8454bf90fd3f85456e5175cd2

SHA256
a82445ac57208e130120584913b692e972e4d302cb07721ee858e19a8e2f1d28

SHA512
fa8fc43f5cfdc3c2284c211c1985cf9a056a96b85352aca46739c800f5cdfeb5b3b34f175bfde8ada33feb4f9b7b504acc68074cd6b1641957d225f2f73ee379

Download Submit
C:\Users\Admin\AppData\Local\Temp\bitdS3X11xEX.bat

Filesize
219B

MD5
24e8b0615eaf7d63962b2f52c8e2a0d2

SHA1
7686314736c1279a5ef8160fb8a38c0736e1709e

SHA256
28fb6e5c4c482ddd445aecf60cc4d3484ef09ca1ae6efcb856b0805c7d927b94

SHA512
748507f43bd7f832a4a68d011919e46213edf09ffc428ddac4783ef14dd90901139bf475813d9b17fbec4138c3e2c6a3bdcc084fa4c87d83729e40188d9c089b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4UT2e5bxt0J.bat

Filesize
219B

MD5
7d89e2e64ce6f006d3dbaf6c520a7dca

SHA1
9570db20c26274f0bc4ac1b97e1f530dd923b209

SHA256
35eee9a0500bc0318f43c3267cfd5a74759364d20d6844a57fe60e4281fa24dc

SHA512
363df3fa3429ee932aa3fd14f71292c4be3c7a0741ab4722286b33cfc8cd18b4e8ba4e732a7ac6965800d247c149e50830a0beed9a08b3c7a13deb849cb8440c

Download Submit
C:\Users\Admin\AppData\Local\Temp\h4EYUX2fwPO9.bat

Filesize
219B

MD5
a13358348b6314b3b7a945ea9d6cab10

SHA1
2f3c9530284b80b789a8b950eebdd4a4d21db629

SHA256
9a9c5d6cc7faccfe55874c2b2a83f76cbbe411d51b8c85b6576a246ca4c429ed

SHA512
29751e756969734a12d3fd3d96d0f4aba5b42a16c7f6195ae5db1ee9767bb9eecf65c8f68f3de4ee7c86bf6303d2f1bc28a60e9a907ca2bd2ece91d2a49a1c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvCk98L9xfaH.bat

Filesize
219B

MD5
fc0d1d551d3c9164365162e5865046f3

SHA1
4023c3bf7b2a08062123f20b9d20336bcc1b907d

SHA256
a2402c562287c525065785cd35979d8feb4d54f56417aa2eaa1c3de8d9c6f0c9

SHA512
d3396167d017a072cfe766514417c9f9fd02203c771d0d3365832193fe2390791b3e888cf3faee127196501a68e3ab10615b77380f57cfdabf5ec3c2145c9230

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss5DVFu8Wj28.bat

Filesize
219B

MD5
dd75e1e4528244fa21f8c41dec42a821

SHA1
7fc9a23d871b107afbe30dda9b86b86e63d21349

SHA256
e6409101d02fa098a37ffaa4409e7fc37bc6275d27b6b22a8093b93f2cd1dc98

SHA512
43290afd28e3e04fd56c794018dd832b037c2585d7dfb64af780dfc5302d526cc7824c259bbdd7ee5787365b38edbd230830180b6294f712ba3c8df74bc9c2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzLugAoBlTk9.bat

Filesize
219B

MD5
7630378e72d791fdb7e3af1d99f76c50

SHA1
bf40c65b11b44c975903e7a521ec8ea97c2f4e5d

SHA256
3dc9923adca022830f7b142b8d66457290e5e0560f8093ff330aad3d7e242fe7

SHA512
ae9b20111e2b3dba342a85006d584bddb9d60ac47cd51196f759a69ab9928136d51ef7d662e99a23c62ef2a0d49db6c73da5b042faf22a370d19421277273a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\u9Iy0hvjeO3s.bat

Filesize
219B

MD5
9ddc5441d004c21d323aaac60f742be3

SHA1
a671c066b2540c86b0f26e6afedbb0a4ee193496

SHA256
97d69c766cddffa4ab400d78216f0caddc76777c83c881a5ea4a172537fdd0d5

SHA512
7351772fe142740985e74f26d515a12977eebd68d3ac602fac19ed5369af62a51bf1ae5a92fd4a06217b21e814ef17b67757c98bf1d3b1dbb8dd912560f580c3

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
2943dac36d3ffd7b57ba0ef5bf3af14b

SHA1
01c7f1ea48dd26267ff9fa151d69ca49eb92d4da

SHA256
ca603afc14e5110837e9fba727856fca60b0399564dfbf4f2a29909008ec352f

SHA512
9c69360a2e3594901efcea1a03003f50cb9d463ebd1b2e57caad9979cb8a8a347b7f8a6ec3aa65ae48e0672d3f8d96bbfa4001f16960855638c125f131f2ed6f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
cdd0bf7ff29246c3a889b90fd202aeaa

SHA1
f63c25e68091afbf3f9033f08550d8c87932fd4a

SHA256
c5abf07e07cb850b0219e6cb0b59ff28e0c5aaff147db1f84c89458375ce1d38

SHA512
ddd2db1669dc046ce0cd06ab2d66a90f9503f358509cbf5a0df987d5fbf4af0e0f965c5995082282425e5a37bb9c4e18a61c8d3bb5b383985f8e3d69b01975e9

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
95b6f4836b493b546b1b170315538f0a

SHA1
a7ec93c0188bd96832100e85cbc62a21f05d0bbf

SHA256
aded19c9fc1e296dc5c027da99da7d47ccd93bc76facb0ff997050ef0934ad12

SHA512
37eaf24b4eec2f93c440db27c9bf56658724db583f61885cc83dd515aeacc70c3346d5a058761c214e6593681b60add35de74f6d508b5f6f2860d568cc6b75c5

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
74b07bf6b7dfabeaeff717cbc3dc7950

SHA1
08c6a92dfb910401cf456bceed10384057ef6014

SHA256
7dc16e162026b694cff523b48bd8aa2e16c93ee2391f2cd702183a222b59749c

SHA512
ba0b6d1fc3359967530010315550473f8b81d74a321a15abae038998d63c5cc31ed976c366852fe43324315733bb8bf3cb5224e16c9b9d1ddfb5e74e417b3c9d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
41dd5f084b7bd30c29e0b4ee70207639

SHA1
c973c9aa99cfe4c2f26d0cee2337492d0e681c56

SHA256
566bb30fd872ab1ee715061e228ed6c0687d7cf29345bb42888f79bd90d4d9b1

SHA512
aa1c35d8899f259741dc7c9bee10e11235906393db60188fea87b514c32b4e0d1a2f7ac5614256bd16f256cf06c9dc6934b38ed4ec3eafd35a42cfe1f1ab19ef

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
79501ac8f5d48ed18ec7532f5b2d5aa3

SHA1
f796e2c1918d6ae0cc100ddeec9fba248ffb2d9e

SHA256
f895763bfd64785c371c61d630c442e2b170f05aa61987e5a659938287bf2eee

SHA512
f7a205b12b445c6a533bd3b9f102790520c792b607c09eee633870cc683e9d5654f4cf4a1723654bc842a04a62ae7d823c889f831d9927ba8d16ee654ccdfa83

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
3af1778d355d60a6c2e9ac052fb65778

SHA1
2e96316d34871631bdb95cd85fe587a5f5629bb0

SHA256
8f471c21c6bfe5116e3a68ad96974797754bbb364018ac6bbf1cd1a18643ba8c

SHA512
d6a3ce54b7e664e1f2d5daece21bb3032ad75e2091154ba88a480b603471877b97118f47e02b10063aa64863f2439995fa1f64b62cc7bbeec3e7c720ce782b21

Download Submit
\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe

Filesize
507KB

MD5
4e7b96fe3160ff171e8e334c66c3205c

SHA1
ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f

SHA256
e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c

SHA512
2e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48

Download Submit
memory/340-214-0x0000000000FC0000-0x0000000001046000-memory.dmp

Filesize
536KB

Download
memory/376-67-0x0000000000100000-0x0000000000186000-memory.dmp

Filesize
536KB

Download
memory/1784-204-0x0000000000FC0000-0x0000000001046000-memory.dmp

Filesize
536KB

Download
memory/1836-85-0x0000000001380000-0x0000000001406000-memory.dmp

Filesize
536KB

Download
memory/2020-164-0x00000000000F0000-0x0000000000176000-memory.dmp

Filesize
536KB

Download
memory/2032-1-0x0000000000FE0000-0x0000000001066000-memory.dmp

Filesize
536KB

Download
memory/2032-2-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download
memory/2032-0-0x00000000741CE000-0x00000000741CF000-memory.dmp

Filesize
4KB

Download
memory/2032-13-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download
memory/2412-103-0x0000000001380000-0x0000000001406000-memory.dmp

Filesize
536KB

Download
memory/2540-184-0x0000000000AD0000-0x0000000000B56000-memory.dmp

Filesize
536KB

Download
memory/2660-139-0x0000000001380000-0x0000000001406000-memory.dmp

Filesize
536KB

Download
memory/2728-11-0x0000000000D00000-0x0000000000D86000-memory.dmp

Filesize
536KB

Download
memory/2728-10-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download
memory/2728-12-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download
memory/2728-29-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download
memory/2760-49-0x0000000000F90000-0x0000000001016000-memory.dmp

Filesize
536KB

Download
memory/2792-31-0x0000000000D00000-0x0000000000D86000-memory.dmp

Filesize
536KB

Download
memory/2800-194-0x0000000000290000-0x0000000000316000-memory.dmp

Filesize
536KB

Download
memory/2840-121-0x0000000001380000-0x0000000001406000-memory.dmp

Filesize
536KB

Download
memory/3056-174-0x00000000008C0000-0x0000000000946000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads