quasar | e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ogpayload.exe
Size

507KB
MD5

4e7b96fe3160ff171e8e334c66c3205c
SHA1

ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f
SHA256

e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c
SHA512

2e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48
SSDEEP

6144:mMqQ4i1FFiEKS5huOMGOjBbqSJvoUdy6RIQ9+F2q7N5YrKywP:XpliiqGOj4S5oUdy6WPPYWywP

Score

10^/10

quasar school discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

School

gamwtonxristo.ddns.net:1717

Mutex

QSR_MUTEX_M3Vba1npfJg3Ale25C

Attributes

encryption_key
VtojWKM7f1XyCVdB41wL
install_name
comctl32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Startup Scan
subdirectory
Windows Defender

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	13	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogpayload.exe
	52	ip-api.com	Process not Found
	71	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2176-1-0x0000000000910000-0x0000000000996000-memory.dmp	family_quasar
behavioral2/files/0x0009000000023bbe-11.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	comctl32.exe

Executes dropped EXE 14 IoCs

pid	Process
2984	comctl32.exe
2724	comctl32.exe
5020	comctl32.exe
4308	comctl32.exe
4988	comctl32.exe
3600	comctl32.exe
4592	comctl32.exe
3404	comctl32.exe
4368	comctl32.exe
4300	comctl32.exe
760	comctl32.exe
3700	comctl32.exe
4320	comctl32.exe
4408	comctl32.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com
52	ip-api.com
71	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
3984	2984	WerFault.exe	86
2744	2724	WerFault.exe	105
652	5020	WerFault.exe	119
1972	4308	WerFault.exe	133
2608	4988	WerFault.exe	144
3516	3600	WerFault.exe	155
4312	4592	WerFault.exe	166
4324	3404	WerFault.exe	177
544	4368	WerFault.exe	188
4820	4300	WerFault.exe	199
2836	760	WerFault.exe	210
3308	3700	WerFault.exe	221
3044	4320	WerFault.exe	232
3300	4408	WerFault.exe	243

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogpayload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4316	PING.EXE
952	PING.EXE
3296	PING.EXE
448	PING.EXE
4440	PING.EXE
2160	PING.EXE
3236	PING.EXE
4980	PING.EXE
2012	PING.EXE
4924	PING.EXE
4876	PING.EXE
2192	PING.EXE
3628	PING.EXE
2636	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
4876	PING.EXE
448	PING.EXE
952	PING.EXE
2160	PING.EXE
3296	PING.EXE
3236	PING.EXE
4980	PING.EXE
2192	PING.EXE
4316	PING.EXE
4440	PING.EXE
3628	PING.EXE
2636	PING.EXE
2012	PING.EXE
4924	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1864	schtasks.exe
3964	schtasks.exe
836	schtasks.exe
4396	schtasks.exe
968	schtasks.exe
4404	schtasks.exe
4872	schtasks.exe
4280	schtasks.exe
4568	schtasks.exe
2436	schtasks.exe
3212	schtasks.exe
3660	schtasks.exe
332	schtasks.exe
3772	schtasks.exe
3024	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	ogpayload.exe
Token: SeDebugPrivilege	2984	comctl32.exe
Token: SeDebugPrivilege	2724	comctl32.exe
Token: SeDebugPrivilege	5020	comctl32.exe
Token: SeDebugPrivilege	4308	comctl32.exe
Token: SeDebugPrivilege	4988	comctl32.exe
Token: SeDebugPrivilege	3600	comctl32.exe
Token: SeDebugPrivilege	4592	comctl32.exe
Token: SeDebugPrivilege	3404	comctl32.exe
Token: SeDebugPrivilege	4368	comctl32.exe
Token: SeDebugPrivilege	4300	comctl32.exe
Token: SeDebugPrivilege	760	comctl32.exe
Token: SeDebugPrivilege	3700	comctl32.exe
Token: SeDebugPrivilege	4320	comctl32.exe
Token: SeDebugPrivilege	4408	comctl32.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2984	comctl32.exe
2724	comctl32.exe
5020	comctl32.exe
4308	comctl32.exe
4988	comctl32.exe
3600	comctl32.exe
4592	comctl32.exe
3404	comctl32.exe
4368	comctl32.exe
4300	comctl32.exe
760	comctl32.exe
3700	comctl32.exe
4320	comctl32.exe
4408	comctl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 968	2176	ogpayload.exe	84
PID 2176 wrote to memory of 968	2176	ogpayload.exe	84
PID 2176 wrote to memory of 968	2176	ogpayload.exe	84
PID 2176 wrote to memory of 2984	2176	ogpayload.exe	86
PID 2176 wrote to memory of 2984	2176	ogpayload.exe	86
PID 2176 wrote to memory of 2984	2176	ogpayload.exe	86
PID 2984 wrote to memory of 4568	2984	comctl32.exe	87
PID 2984 wrote to memory of 4568	2984	comctl32.exe	87
PID 2984 wrote to memory of 4568	2984	comctl32.exe	87
PID 2984 wrote to memory of 1736	2984	comctl32.exe	89
PID 2984 wrote to memory of 1736	2984	comctl32.exe	89
PID 2984 wrote to memory of 1736	2984	comctl32.exe	89
PID 1736 wrote to memory of 1300	1736	cmd.exe	92
PID 1736 wrote to memory of 1300	1736	cmd.exe	92
PID 1736 wrote to memory of 1300	1736	cmd.exe	92
PID 1736 wrote to memory of 4316	1736	cmd.exe	95
PID 1736 wrote to memory of 4316	1736	cmd.exe	95
PID 1736 wrote to memory of 4316	1736	cmd.exe	95
PID 1736 wrote to memory of 2724	1736	cmd.exe	105
PID 1736 wrote to memory of 2724	1736	cmd.exe	105
PID 1736 wrote to memory of 2724	1736	cmd.exe	105
PID 2724 wrote to memory of 1864	2724	comctl32.exe	109
PID 2724 wrote to memory of 1864	2724	comctl32.exe	109
PID 2724 wrote to memory of 1864	2724	comctl32.exe	109
PID 2724 wrote to memory of 4408	2724	comctl32.exe	112
PID 2724 wrote to memory of 4408	2724	comctl32.exe	112
PID 2724 wrote to memory of 4408	2724	comctl32.exe	112
PID 4408 wrote to memory of 4380	4408	cmd.exe	115
PID 4408 wrote to memory of 4380	4408	cmd.exe	115
PID 4408 wrote to memory of 4380	4408	cmd.exe	115
PID 4408 wrote to memory of 3236	4408	cmd.exe	117
PID 4408 wrote to memory of 3236	4408	cmd.exe	117
PID 4408 wrote to memory of 3236	4408	cmd.exe	117
PID 4408 wrote to memory of 5020	4408	cmd.exe	119
PID 4408 wrote to memory of 5020	4408	cmd.exe	119
PID 4408 wrote to memory of 5020	4408	cmd.exe	119
PID 5020 wrote to memory of 3964	5020	comctl32.exe	121
PID 5020 wrote to memory of 3964	5020	comctl32.exe	121
PID 5020 wrote to memory of 3964	5020	comctl32.exe	121
PID 5020 wrote to memory of 1976	5020	comctl32.exe	123
PID 5020 wrote to memory of 1976	5020	comctl32.exe	123
PID 5020 wrote to memory of 1976	5020	comctl32.exe	123
PID 1976 wrote to memory of 1564	1976	cmd.exe	127
PID 1976 wrote to memory of 1564	1976	cmd.exe	127
PID 1976 wrote to memory of 1564	1976	cmd.exe	127
PID 1976 wrote to memory of 448	1976	cmd.exe	128
PID 1976 wrote to memory of 448	1976	cmd.exe	128
PID 1976 wrote to memory of 448	1976	cmd.exe	128
PID 1976 wrote to memory of 4308	1976	cmd.exe	133
PID 1976 wrote to memory of 4308	1976	cmd.exe	133
PID 1976 wrote to memory of 4308	1976	cmd.exe	133
PID 4308 wrote to memory of 2436	4308	comctl32.exe	135
PID 4308 wrote to memory of 2436	4308	comctl32.exe	135
PID 4308 wrote to memory of 2436	4308	comctl32.exe	135
PID 4308 wrote to memory of 3580	4308	comctl32.exe	137
PID 4308 wrote to memory of 3580	4308	comctl32.exe	137
PID 4308 wrote to memory of 3580	4308	comctl32.exe	137
PID 3580 wrote to memory of 1448	3580	cmd.exe	140
PID 3580 wrote to memory of 1448	3580	cmd.exe	140
PID 3580 wrote to memory of 1448	3580	cmd.exe	140
PID 3580 wrote to memory of 4440	3580	cmd.exe	142
PID 3580 wrote to memory of 4440	3580	cmd.exe	142
PID 3580 wrote to memory of 4440	3580	cmd.exe	142
PID 3580 wrote to memory of 4988	3580	cmd.exe	144

C:\Users\Admin\AppData\Local\Temp\ogpayload.exe
"C:\Users\Admin\AppData\Local\Temp\ogpayload.exe"
1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ogpayload.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:968
- C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
  "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmmCuLxbf7bb.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:1300
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4316
  - - C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
      "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1IzSF8haixnF.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4408
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3236
      - C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x0KgNqMyxSMD.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1oXniulcVa5T.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4440
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4988
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uxzgCDUAcD5x.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3628
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3600
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TR4tEHC0Hm1q.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4592
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJdJ2TdNnrzR.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3404
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ll53V31bPnWX.bat" "
        17⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4980
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4368
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EuXxzMk9XQX0.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4924
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4300
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bq29t0MyxbTH.bat" "
        21⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:952
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:760
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TzU2MJ5W4FUl.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3700
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\31eqG2atKqHE.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3296
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4320
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yjz4OkGIYLqB.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4876
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4408
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        29⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSLIWSwgnqQ9.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:332
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 2192
        29⤵
        Program crash
        
        PID:3300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 1944
        27⤵
        Program crash
        
        PID:3044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 2228
        25⤵
        Program crash
        
        PID:3308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 1920
        23⤵
        Program crash
        
        PID:2836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 2224
        21⤵
        Program crash
        
        PID:4820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 2196
        19⤵
        Program crash
        
        PID:544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 2224
        17⤵
        Program crash
        
        PID:4324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 2244
        15⤵
        Program crash
        
        PID:4312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 2224
        13⤵
        Program crash
        
        PID:3516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 2224
        11⤵
        Program crash
        
        PID:2608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 2224
        9⤵
        Program crash
        
        PID:1972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 2224
        7⤵
        Program crash
        
        PID:652
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1080
        5⤵
        Program crash
        
        PID:2744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 2216
    3⤵
    - Program crash
    PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2984 -ip 2984
1⤵
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2724 -ip 2724
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5020 -ip 5020
1⤵
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4308 -ip 4308
1⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4988 -ip 4988
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3600 -ip 3600
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4592 -ip 4592
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3404 -ip 3404
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4368 -ip 4368
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4300 -ip 4300
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 760 -ip 760
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3700 -ip 3700
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4320 -ip 4320
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4408 -ip 4408
1⤵
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1IzSF8haixnF.bat

Filesize
219B

MD5
315aaab4ec80c6519c417700896440df

SHA1
518605c512ed1ef3af15263a7af9351fa40ae00d

SHA256
45da4f11b4a691de7edbff7ca9fe82fbe843d744e78f7a8041c2cb59e6de7e21

SHA512
55bb622bafe9352785f2dae78f042f818939be9aab73df0b2851ba768b0a44de8f19876944f6735d9037630eb3b4ddaa30130c9a6f9e13546bb19e8c25d08e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1oXniulcVa5T.bat

Filesize
219B

MD5
c6388668145b0a18ab102e4de477b896

SHA1
821aca1a89579d0858c204b05ef83dedfba5e1d3

SHA256
54558c004d89a39adbe84c0db9d0c918a6e0dfe816622730a09bd49fc5dea6a0

SHA512
849120a8f89c52baa28c96eac35bdc92ca20b695f0e5a27b36f188e2054ada460873452c00f18b524eea7191ff69ffd33c6b7c96b254f382761a28956adfb14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\31eqG2atKqHE.bat

Filesize
219B

MD5
eae2749c468685b1e1d46359988d5167

SHA1
91b54a73aea0d1132eddcc94b37ce911a97539bc

SHA256
e3ece344988db279606d62eda45ce1bc95b14b62a81df13761fe3a9e7d38f578

SHA512
06feedf8f5a438138dc55ba84c75fcf3554e453b7d033fe76d16405370f1bcb4ef092458caa675145a3a2ef7d6bb365d835b59ee7bd969380e2047c2ffdf8273

Download Submit
C:\Users\Admin\AppData\Local\Temp\EuXxzMk9XQX0.bat

Filesize
219B

MD5
7d5b91224ecee0bbc38023e70ff9fbef

SHA1
9c6187a30a60e9fe436bc3feb9a827e9ea76458b

SHA256
79edb357af261c9e76efc4fb6a6723d6210eff97088c5851191ab70eb849edc5

SHA512
7bf55b8981b1cb058af807a12e004401320bf0718fc760093bafaaf8a679cc639a826dcb85beb0a38984c43f93488be6e90f1b8875dc83537a39fd9f45755065

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ll53V31bPnWX.bat

Filesize
219B

MD5
a3a35dd66604c16827c69b65e24ccac1

SHA1
dc6690ecdae87205f4a819a1164bf288b0ad10a4

SHA256
bd7a5ef387e0b8b44eefda2f7906308252b0d2cc7c0d30672404471f42b16fb7

SHA512
cb974f16466a30e06978fdd2cdc57555781c90c46a9da8a400143860ad3d42bb2496292344c25021e3a88ce62a6d835dbbd22f39c33e1bd27e8d9eafbb865117

Download Submit
C:\Users\Admin\AppData\Local\Temp\TR4tEHC0Hm1q.bat

Filesize
219B

MD5
187d3b711d8ffcbac2876ff9cb08f8c1

SHA1
0143e34d17fb16e041eadb933fe2c0fd93742cb0

SHA256
4951a1f9f9efc71684c3daf613e4f5fe45dd672e000712bee3e9f5c6e4c0f4b5

SHA512
7e3665de0f1f55e40c69bba1de32bf62cbec44c55e78b884f2286c2f92dbfcddb180b31677bf8ffdc141cd2cfa646ba202a5ff48908137a8e39c0671a77d5815

Download Submit
C:\Users\Admin\AppData\Local\Temp\TzU2MJ5W4FUl.bat

Filesize
219B

MD5
1cf424d49c126be0c5273425606486fc

SHA1
95c16d544b926d5a948fbdea760e7a857b4d50b5

SHA256
592a14cdacfd2280156bcf9a419301b948afe58c818fe71c6bee359a60b9984b

SHA512
d449c391f88ea58022dd78b20a8f6124f17ce871c0b2654f12a4168d672020dcaf399841d3d9d37ad332db55b0cd0a60ab1461a0a01e25e3658733bdefb804c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XmmCuLxbf7bb.bat

Filesize
219B

MD5
715d54148f5b6b97e5de05d24e7f6273

SHA1
700d76f0022c0c78369cc53c38bd1460b067fde4

SHA256
ee94b7680810419874e54221c41b28d76cde5519219adb6322c946060477295a

SHA512
5e09be784f48b706c28e0fc43a2eaf25d0c54e7594568cd80f05bd5cd6e6dc357eedf586a406b3db00e74f0d2f2ef4e0d3aabf791420a088ddd43aa0e438f55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bq29t0MyxbTH.bat

Filesize
219B

MD5
d95068142a5f5da6e8b0b91ad0a5332f

SHA1
c440ebc98844efbd87263e68cff7f7b4d495e288

SHA256
3c7e575e31018b1c041331e6c8da0e73e4e77374942ccffb922c8cdfa1669440

SHA512
450312784b81fc7979bacd1a994ae7d0373d00f48afed0f6565bb133995bdf3f1517c3208ae62eef62fc5a34c1c292bc42a4dabd85323be8ee22539c54230424

Download Submit
C:\Users\Admin\AppData\Local\Temp\tJdJ2TdNnrzR.bat

Filesize
219B

MD5
11bf2d6f6ece2cff52d3b29cdb9f7874

SHA1
c115a54e37fb3a1858e8978cf14460fdf3344204

SHA256
9ed202ac10077099028e28b9823a43f5b624202e517228a3c08c7cba58e610eb

SHA512
ea4b7006d6fe945abde426f42b7e861658ec7b54513a09b4854aa3fda3ecd2eb4351e38af140bf1b18817050439625b93056077704f055d51de4798de54e6e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSLIWSwgnqQ9.bat

Filesize
219B

MD5
3f1bf91fc2140352f1dc3d9644330239

SHA1
2c37131540ec6d17f3d5acb0991a4fea249ab8cc

SHA256
09780506f1144a9a16d09c12d95aa3c9ec851daf7daa9dc185159ed3890538cd

SHA512
5ee2a379d77c03b63a08cfe699a582a8834e8f0d12eeabb2006dc411ee9c254e0f351b34f0e36688557602b3c561d383d44021295bdbfa7925a98d0f34c3466e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxzgCDUAcD5x.bat

Filesize
219B

MD5
968875de3ceaa3e93c168e3ea6aa16e5

SHA1
0fc15889e08f44bf4337588e9f66e9459fa2d4da

SHA256
5a3edcee04f85a5e7b3e2399543b61d008d2ea4586c36a16e4b9cdf1c3f3c64c

SHA512
422e6aa9586b9b59cc4f16a4a512757548875efcb4943c48910c592263f8fe4673b110b9280341b08f9788dcc866244391b56d508a14281b9fc6d49b4a0023fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\x0KgNqMyxSMD.bat

Filesize
219B

MD5
d08261a31d6801289906d90c94e44a11

SHA1
acaee50e4fae8aa40ffeff2e1c232d47d88eeb7c

SHA256
66387983cdd4f69cb6970b5c9f67b93b305e1500aae56167ed8a65641c98d253

SHA512
0a27fbe61d0a7089d24a40e69fe0ff330319eddfab507c1be7729e9447e6ea3e40a68c003decac34247cb8741f7cd67f80c6765f763a56959ee66dc2c29661f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjz4OkGIYLqB.bat

Filesize
219B

MD5
5fef38c16f292b9088b50e77395236f8

SHA1
36ba3ce57b448c66c24b8ba71c45b9ac97812f22

SHA256
25969b7f1f66b39f84e73eb308aabed6ff0736a30bb914e3087576f966cddc11

SHA512
2bf5652abeb31b94e7dde1fb911752ceac6fdd6218cf1c9c19d8e976b0a831f24111f7b57099dd1055907595cea501aba3efd0ed44fe280e2d7330ae23285a5b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
a54de3f037a97bd9be15ad2d92cd3ff0

SHA1
bf5e3a79fc5808c626cee475b9d2a8ed65a0b878

SHA256
8c685e733b43827b1a0e77fad89e313dff9c1b0abec843665cf729243869fd3e

SHA512
036d1da66b5b3476558b1ce991426269fcf7a71b2d21365e928a9b94338e1fd3a036f773149159b908646c8f0b6ff2d363a5629563d7a3dd1cd27a282d94c3e7

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
b9584905157eac9e4975a6a357058824

SHA1
724444a186cfeaff7cb96014b1ebed6d863d3777

SHA256
c35d0cb59ad1c1dd3e7cef2c0467e52b78e682f9359201f2d2275305a5d74001

SHA512
f37cdb740c72aed3de9e4f4645da3341ec135ce3632d31f112b9591ad3ce61a95f368faf4ecdf3cbc83e3f9d8af18eb634ebe558403509e534308017eee1b5cc

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
011dcf8ee095b14a2665e95d8f31d04c

SHA1
9152c390ba64fd1098fa55b07c3d3cadc1535099

SHA256
c5745d40a2fadcd0ee75a8a26646479590a60b736a1928cac537d5d4cf9d99c6

SHA512
ca138885aa30f2902e23968596622055ac032f62b2384c9fb7c48d48a0d4bfb63ef0b9ba799f73cd365d56fda03025c2dddd7679ee16710a80face7e10cc25d1

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
55dc3e4c398480c927df44143a922848

SHA1
7b6adc2943de5bf4b0b2cba0d5e2b2eb390347ac

SHA256
53ee73e34f7cbeb58d62d792950a1e7dec6b3a809f4f3ba23b53af46281264ad

SHA512
0c632fbc0e39f361b9566090d87087e268f6e3df097189a330c53af333517f61c34defec9695e41993b2fce994c3b424f9f6b103f235df3790ffdeb025449b18

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
b4d28487a20f4285476bad9b3ff32e1e

SHA1
8e3392039b9cb55dcc143b2946f6dc6f058a77e6

SHA256
96e986149eadd28da4ee6119f77ed91cee6b8b5329326d70d70a7a52a773c655

SHA512
4e37410b639e72b9db80aa9605756a6bc1e395cfa5eea50b7f64b84e04ccb846f4d2bc5c027415ae3decd5fa8d5d3319b352e9d1cffe1a07bbd0ad67e1d296ff

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
c628dceb8ec7030dceb37d783ac46665

SHA1
97c7c08da05b0024851a6a4544cb46eda5317096

SHA256
c4a58f592ac708695fdf69db71d8a260cfaaf3512bd9d6c30cba1f5795b0786c

SHA512
12b96e6039a210d93ae90e5271bac5f5a913df78a0b2a28126eb83c84478e8cdcac3f682320d380e9c19a49edf0b2a9e66d4c7ccc2be2669c9877045a9a57bf4

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
34c930d61b7606eb0bced4fdfb92fcd3

SHA1
6dbb4053deac406ed88be99ef443b0fff0fee985

SHA256
77fad288bfddaa8e8d828af9754b86d3ac29fc4d6ffbe0cfcf239c925d6b9a87

SHA512
acea366e1d70eb7e8a567afe447ca4e7d3182d281228498cd722b70f70efe194d9ae3b1afe039d1ddabdb7efcb4b2dbcd0231a1c482824f6993dc8218642b2cf

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
474f9b290705d0b663ba767e9c853934

SHA1
d2ed81d1039172160749618f2bf60601be0c84a0

SHA256
a2a3e5b23eda4552f6c83b5bf5cb2b7bd69a0a5fcf85a214cac76f007dd6c6ee

SHA512
ffa730fbfb5a8769e7eae6af69d20e4ae560c4b11fb0309babda9345c7fac6425b216d082eb2f869dc71ff588e7033e49243b7cfec59e54d8b25605d4a4f270a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
8aa34be6e57b38b7b32ae852286e2828

SHA1
1535d18bd4fdfb0b35fd339c77c8498dd96c3d59

SHA256
5c4112476545d6568a781a61da4a802dd98344e2339eda0c6e727b608bc6d310

SHA512
1b89230ef1a24fc98a677c37e6976bae3d317aeae46f9abdefd3518b7e85854bababd4a06d0c4768816e5b6ce98814181f0d12ac3054f12b46e223306e445f67

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
443b17b749e2d718430b3d50397776e5

SHA1
738c8fa76b3e5f4a39cd146945fd3cea7542c4de

SHA256
339055f1c7c968abd6d5c8109480bd2a82ecf61405a8ddeb1a94d7fa80268656

SHA512
db20b42e2e034c64cc442348db897c1d7f8fc34062b9d985223a1349d02116782ab0736c99a08f9221a2d33a9f0ecbda08dd20f3c7ccfe9729dd4e3ccf61cc57

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
f258e917699f6f4191e0dbb80fb9a010

SHA1
c0af3c4060a958202fe52241d3ca76a896a7e894

SHA256
14942fa68ba14c60d56da9283754ba3028275608e030eb70b69a436495641044

SHA512
f92b4bd6036cfecb49885f5638fa0717ffa202761c356d7b1ad439d66e79634a41b556d24971a5a9070b555f4e5298881306eddc70e7ceac39b0027a3bc871a6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe

Filesize
507KB

MD5
4e7b96fe3160ff171e8e334c66c3205c

SHA1
ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f

SHA256
e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c

SHA512
2e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48

Download Submit
memory/2176-6-0x0000000005900000-0x0000000005912000-memory.dmp

Filesize
72KB

Download
memory/2176-14-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/2176-5-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/2176-4-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/2176-3-0x00000000053C0000-0x0000000005452000-memory.dmp

Filesize
584KB

Download
memory/2176-7-0x0000000006600000-0x000000000663C000-memory.dmp

Filesize
240KB

Download
memory/2176-2-0x0000000005970000-0x0000000005F14000-memory.dmp

Filesize
5.6MB

Download
memory/2176-0-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/2176-1-0x0000000000910000-0x0000000000996000-memory.dmp

Filesize
536KB

Download
memory/2984-15-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/2984-18-0x0000000006100000-0x000000000610A000-memory.dmp

Filesize
40KB

Download
memory/2984-16-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/2984-23-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads