quasar | e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe
Size

507KB
MD5

4e7b96fe3160ff171e8e334c66c3205c
SHA1

ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f
SHA256

e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c
SHA512

2e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48
SSDEEP

6144:mMqQ4i1FFiEKS5huOMGOjBbqSJvoUdy6RIQ9+F2q7N5YrKywP:XpliiqGOj4S5oUdy6WPPYWywP

Score

10^/10

quasar school discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

School

gamwtonxristo.ddns.net:1717

Mutex

QSR_MUTEX_M3Vba1npfJg3Ale25C

Attributes

encryption_key
VtojWKM7f1XyCVdB41wL
install_name
comctl32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Startup Scan
subdirectory
Windows Defender

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	2	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe
	11	ip-api.com	Process not Found
	18	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 12 IoCs

resource	yara_rule
behavioral1/memory/2420-1-0x00000000011D0000-0x0000000001256000-memory.dmp	family_quasar
behavioral1/files/0x00390000000173a9-5.dat	family_quasar
behavioral1/memory/2696-11-0x0000000000BA0000-0x0000000000C26000-memory.dmp	family_quasar
behavioral1/memory/2016-31-0x0000000000BF0000-0x0000000000C76000-memory.dmp	family_quasar
behavioral1/memory/2220-49-0x0000000001230000-0x00000000012B6000-memory.dmp	family_quasar
behavioral1/memory/956-67-0x0000000001230000-0x00000000012B6000-memory.dmp	family_quasar
behavioral1/memory/2592-102-0x0000000000040000-0x00000000000C6000-memory.dmp	family_quasar
behavioral1/memory/1060-120-0x0000000000E70000-0x0000000000EF6000-memory.dmp	family_quasar
behavioral1/memory/3016-138-0x0000000001210000-0x0000000001296000-memory.dmp	family_quasar
behavioral1/memory/2032-154-0x0000000001210000-0x0000000001296000-memory.dmp	family_quasar
behavioral1/memory/1504-191-0x0000000000140000-0x00000000001C6000-memory.dmp	family_quasar
behavioral1/memory/2440-201-0x0000000000930000-0x00000000009B6000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2696	comctl32.exe
2016	comctl32.exe
2220	comctl32.exe
956	comctl32.exe
1800	comctl32.exe
2592	comctl32.exe
1060	comctl32.exe
3016	comctl32.exe
2032	comctl32.exe
1532	comctl32.exe
1604	comctl32.exe
1696	comctl32.exe
1504	comctl32.exe
2440	comctl32.exe
2888	comctl32.exe

Loads dropped DLL 64 IoCs

pid	Process
2420	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe
1820	WerFault.exe
1820	WerFault.exe
1820	WerFault.exe
1820	WerFault.exe
1820	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
876	WerFault.exe
876	WerFault.exe
876	WerFault.exe
876	WerFault.exe
876	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
1788	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
480	WerFault.exe
480	WerFault.exe
480	WerFault.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
11	ip-api.com
18	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
1820	2696	WerFault.exe	33
2788	2016	WerFault.exe	41
1332	2220	WerFault.exe	49
1808	956	WerFault.exe	57
876	1800	WerFault.exe	65
1788	2592	WerFault.exe	73
2772	1060	WerFault.exe	81
1636	3016	WerFault.exe	89
2304	2032	WerFault.exe	98
2504	1532	WerFault.exe	106
1624	1604	WerFault.exe	114
1576	1696	WerFault.exe	122
480	1504	WerFault.exe	130
3016	2440	WerFault.exe	138
2032	2888	WerFault.exe	146

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2400	PING.EXE
2856	PING.EXE
560	PING.EXE
852	PING.EXE
1016	PING.EXE
2140	PING.EXE
624	PING.EXE
344	PING.EXE
344	PING.EXE
2684	PING.EXE
1368	PING.EXE
2124	PING.EXE
1592	PING.EXE
2236	PING.EXE
3024	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
344	PING.EXE
1016	PING.EXE
2140	PING.EXE
2684	PING.EXE
624	PING.EXE
2124	PING.EXE
852	PING.EXE
2856	PING.EXE
560	PING.EXE
3024	PING.EXE
2400	PING.EXE
1592	PING.EXE
2236	PING.EXE
344	PING.EXE
1368	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2132	schtasks.exe
2776	schtasks.exe
2148	schtasks.exe
2560	schtasks.exe
2952	schtasks.exe
2460	schtasks.exe
2980	schtasks.exe
2044	schtasks.exe
2632	schtasks.exe
2284	schtasks.exe
2932	schtasks.exe
2980	schtasks.exe
1172	schtasks.exe
2160	schtasks.exe
1816	schtasks.exe
2552	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe
Token: SeDebugPrivilege	2696	comctl32.exe
Token: SeDebugPrivilege	2016	comctl32.exe
Token: SeDebugPrivilege	2220	comctl32.exe
Token: SeDebugPrivilege	956	comctl32.exe
Token: SeDebugPrivilege	1800	comctl32.exe
Token: SeDebugPrivilege	2592	comctl32.exe
Token: SeDebugPrivilege	1060	comctl32.exe
Token: SeDebugPrivilege	3016	comctl32.exe
Token: SeDebugPrivilege	2032	comctl32.exe
Token: SeDebugPrivilege	1532	comctl32.exe
Token: SeDebugPrivilege	1604	comctl32.exe
Token: SeDebugPrivilege	1696	comctl32.exe
Token: SeDebugPrivilege	1504	comctl32.exe
Token: SeDebugPrivilege	2440	comctl32.exe
Token: SeDebugPrivilege	2888	comctl32.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2696	comctl32.exe
2016	comctl32.exe
2220	comctl32.exe
956	comctl32.exe
1800	comctl32.exe
2592	comctl32.exe
1060	comctl32.exe
3016	comctl32.exe
2032	comctl32.exe
1532	comctl32.exe
1604	comctl32.exe
1696	comctl32.exe
1504	comctl32.exe
2440	comctl32.exe
2888	comctl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2980	2420	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe	31
PID 2420 wrote to memory of 2980	2420	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe	31
PID 2420 wrote to memory of 2980	2420	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe	31
PID 2420 wrote to memory of 2980	2420	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe	31
PID 2420 wrote to memory of 2696	2420	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe	33
PID 2420 wrote to memory of 2696	2420	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe	33
PID 2420 wrote to memory of 2696	2420	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe	33
PID 2420 wrote to memory of 2696	2420	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe	33
PID 2696 wrote to memory of 2560	2696	comctl32.exe	34
PID 2696 wrote to memory of 2560	2696	comctl32.exe	34
PID 2696 wrote to memory of 2560	2696	comctl32.exe	34
PID 2696 wrote to memory of 2560	2696	comctl32.exe	34
PID 2696 wrote to memory of 2416	2696	comctl32.exe	36
PID 2696 wrote to memory of 2416	2696	comctl32.exe	36
PID 2696 wrote to memory of 2416	2696	comctl32.exe	36
PID 2696 wrote to memory of 2416	2696	comctl32.exe	36
PID 2696 wrote to memory of 1820	2696	comctl32.exe	38
PID 2696 wrote to memory of 1820	2696	comctl32.exe	38
PID 2696 wrote to memory of 1820	2696	comctl32.exe	38
PID 2696 wrote to memory of 1820	2696	comctl32.exe	38
PID 2416 wrote to memory of 572	2416	cmd.exe	39
PID 2416 wrote to memory of 572	2416	cmd.exe	39
PID 2416 wrote to memory of 572	2416	cmd.exe	39
PID 2416 wrote to memory of 572	2416	cmd.exe	39
PID 2416 wrote to memory of 2124	2416	cmd.exe	40
PID 2416 wrote to memory of 2124	2416	cmd.exe	40
PID 2416 wrote to memory of 2124	2416	cmd.exe	40
PID 2416 wrote to memory of 2124	2416	cmd.exe	40
PID 2416 wrote to memory of 2016	2416	cmd.exe	41
PID 2416 wrote to memory of 2016	2416	cmd.exe	41
PID 2416 wrote to memory of 2016	2416	cmd.exe	41
PID 2416 wrote to memory of 2016	2416	cmd.exe	41
PID 2016 wrote to memory of 2632	2016	comctl32.exe	42
PID 2016 wrote to memory of 2632	2016	comctl32.exe	42
PID 2016 wrote to memory of 2632	2016	comctl32.exe	42
PID 2016 wrote to memory of 2632	2016	comctl32.exe	42
PID 2016 wrote to memory of 2364	2016	comctl32.exe	44
PID 2016 wrote to memory of 2364	2016	comctl32.exe	44
PID 2016 wrote to memory of 2364	2016	comctl32.exe	44
PID 2016 wrote to memory of 2364	2016	comctl32.exe	44
PID 2016 wrote to memory of 2788	2016	comctl32.exe	45
PID 2016 wrote to memory of 2788	2016	comctl32.exe	45
PID 2016 wrote to memory of 2788	2016	comctl32.exe	45
PID 2016 wrote to memory of 2788	2016	comctl32.exe	45
PID 2364 wrote to memory of 1616	2364	cmd.exe	47
PID 2364 wrote to memory of 1616	2364	cmd.exe	47
PID 2364 wrote to memory of 1616	2364	cmd.exe	47
PID 2364 wrote to memory of 1616	2364	cmd.exe	47
PID 2364 wrote to memory of 2400	2364	cmd.exe	48
PID 2364 wrote to memory of 2400	2364	cmd.exe	48
PID 2364 wrote to memory of 2400	2364	cmd.exe	48
PID 2364 wrote to memory of 2400	2364	cmd.exe	48
PID 2364 wrote to memory of 2220	2364	cmd.exe	49
PID 2364 wrote to memory of 2220	2364	cmd.exe	49
PID 2364 wrote to memory of 2220	2364	cmd.exe	49
PID 2364 wrote to memory of 2220	2364	cmd.exe	49
PID 2220 wrote to memory of 2160	2220	comctl32.exe	50
PID 2220 wrote to memory of 2160	2220	comctl32.exe	50
PID 2220 wrote to memory of 2160	2220	comctl32.exe	50
PID 2220 wrote to memory of 2160	2220	comctl32.exe	50
PID 2220 wrote to memory of 908	2220	comctl32.exe	52
PID 2220 wrote to memory of 908	2220	comctl32.exe	52
PID 2220 wrote to memory of 908	2220	comctl32.exe	52
PID 2220 wrote to memory of 908	2220	comctl32.exe	52

C:\Users\Admin\AppData\Local\Temp\e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe
"C:\Users\Admin\AppData\Local\Temp\e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe"
1⤵
- Quasar RAT
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2980
- C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
  "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\SUhPjvhTvJ49.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:572
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2124
  - - C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
      "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2632
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qIWJftm51VOB.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2364
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2400
      - C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\E7LEbssg6ghD.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:852
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:956
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\898p5X41tL4R.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:344
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1800
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\raOeMIytXXVO.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2592
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3JYvIBAwmIyD.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1060
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        15⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\6wqL1jeliQIk.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:604
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\If0dxcqoyBlZ.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1016
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\16GRDNlgcNCW.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:344
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dWPsAzH5Mp9j.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1LEm6yNgR1Sl.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\D3O41rZkhmva.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:560
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\w2jTAHH8w1D7.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3024
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2440
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        29⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zD7TkTXTTCOE.bat" "
        29⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1368
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        31⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\W7nGtnMJs0qY.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1428
        31⤵
        Program crash
        
        PID:2032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1432
        29⤵
        Program crash
        
        PID:3016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 1436
        27⤵
        Loads dropped DLL
        Program crash
        
        PID:480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1432
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:1576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 1424
        23⤵
        Loads dropped DLL
        Program crash
        
        PID:1624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1432
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:2504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1424
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:2304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1440
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:1636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1432
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:2772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 1448
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:1788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1440
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 1436
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:1808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1440
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1332
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1392
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 1448
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\16GRDNlgcNCW.bat

Filesize
219B

MD5
649130d0185560054a513e7cf2877500

SHA1
e22c63f337011aa7bca2113b13569f2e19274f32

SHA256
82661e03a6b2e860022b0b5ff6d8918cc5e59b955e46b68f8d2330f52f432479

SHA512
14fa6cedcae57ca25cfb1efb232be974d27897db03d7373c4051f79eb03cf9422e141e96d6c99c6c5255d407f031483404d660bcecbe0417fb43054b26be6f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\1LEm6yNgR1Sl.bat

Filesize
219B

MD5
ca4064b7ffa8dc7273e815f73faee2fe

SHA1
281ca70e47efaf51d2609095a47eefb123f974b1

SHA256
0cb2bb73078b040b269a953f6b932d0b7824eea33d8cf440011fa553e1ea11b3

SHA512
83bbb135080204e47d9c7f39ea26ad0c271db6febc32e49e91544d2e89ba3a8dd642af27ccfb2d5426fc5125a7a7b9324b1ca3a92d165b384e2e159e7af60fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3JYvIBAwmIyD.bat

Filesize
219B

MD5
e3243ba1d952b79aee7d8395c5d5ea7e

SHA1
b3b86c159b9507b1131d49d60e00133d70b11960

SHA256
db34b1f3a8b765eed660c0769bb8d11dac1207438917f31fc8c13de849c7b58e

SHA512
48c1636992974bcc8d4e26012807fdfca126dfb3aa34f65cc35a199b3701a71bb282fdad426ca64b5dc7dd754caff9ebca408c82fb7b9e1c7e3bca9f3b5eb9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\6wqL1jeliQIk.bat

Filesize
219B

MD5
e73c7a3b117e4cb00a76fe76325a437f

SHA1
b24827bf7ead1eaf442bc2ad64d6882c5694d931

SHA256
db8e79ddeab8268c907b34d7b44fa88f4fba0a2ab371d58c39515c92a9a6c488

SHA512
02ff7f66f7d6c1cb2e20df2b6e65660aebb8f79bbc772e6358bfc7930fbe18d1da13791bf7a17c7ba3472996abfe77e9c91be2e1c7bc979fe43463ac8c382607

Download Submit
C:\Users\Admin\AppData\Local\Temp\898p5X41tL4R.bat

Filesize
219B

MD5
7e67bc640ecf07b3c3e99d3b42db3ee6

SHA1
25c02300ac0a953b5b73751f1f715efbfc0c0605

SHA256
9e6d556b437466f45b72ce57a2c254c03e9b882f2d63d10abcd17c31f305992d

SHA512
2a3616ff7780d1cd3607d111b08c368ee7a9c8fef4b6d9ce8d368bd771c8a806c67953b674dbb391136d873396ffe28275c3c923f529c2a8ebc681b92667c7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3O41rZkhmva.bat

Filesize
219B

MD5
fe981d8b7d8839440b28a846e5c5a4f3

SHA1
9ee4de8870871ef8ccc6c42c43e1043c0e5e6330

SHA256
61a475b853851e664c079ffb47343b4b68be55e6dd6fe8823fcec3dbf047baea

SHA512
9be5a084c0f25aa99986d234969aea2804b61f157e44f835281eca722174465389b86e26d8f635503c8be1bff6e23ee4660940e0cde8d622ec29f23f56f023b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7LEbssg6ghD.bat

Filesize
219B

MD5
b9de545aead6728d63140021466935ef

SHA1
404b7892469e02e48fa165257a7aaba6e66cb135

SHA256
6068726cf8e7a1d5a1e29515d56e493a110103ac0e6144fd1249e6184da78e8c

SHA512
5e80abe0b44d8ac9270ac3ca8e979fff3254c4b5b56183bb36ff1c8e0110b467a52678e3671d84f67d9a3b322119d5630c82ce9768966b43723cc4253424a092

Download Submit
C:\Users\Admin\AppData\Local\Temp\If0dxcqoyBlZ.bat

Filesize
219B

MD5
7c74fc3449f4169d361f0d447d8042e8

SHA1
adffd60267f9e4581f75bedf289019e864d8795d

SHA256
459f95be2090f5036387e6c3c96e7a220ec077c7cd0ca294a8a62583d3b2b315

SHA512
0e0821e0ba850f195ebebd8fa0f3c0902ea95a0e2e6d6e4c0fb5b1b5f906442dd1ed3c96d92278627ce078e05219ca93a93677a2d9c047e0cd1be0c54e52b2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUhPjvhTvJ49.bat

Filesize
219B

MD5
b408a3324dc80d0633791b11ea3b002d

SHA1
60b68a714f08696ff24dd5cf4b4d116e733f5f52

SHA256
512521bb32585a529558abbc3c85b489173a80ed3bcb4199ed299b779a574405

SHA512
ea58a71c6d6e4a4705f9c63fcd322e0dd6b96dbdc1e6324a97f5e2baca665539e0f24d8d6e997548daa14370ba128fd902bc09baf0bd87400a468cb3b1fb7617

Download Submit
C:\Users\Admin\AppData\Local\Temp\W7nGtnMJs0qY.bat

Filesize
219B

MD5
9e9b6fdc73d12e9674c8a61aaa0137d6

SHA1
7e7bd5ef5b95aeac79eba922767d08ba79e9f586

SHA256
aede7a0da32a1666e12ee5b1b1c074b022513fd187b1c1f3d69199270c3e8db2

SHA512
43a39bd06a313e733bd55a404d1964c71c2700e90e388860f915a08fc90b9c3f767d7eda69f2aaad3bbf6a3c564e6ba550f00e980544ba4bc85300802d0e845f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dWPsAzH5Mp9j.bat

Filesize
219B

MD5
c24f8d4d0c919eb4084573236e62535e

SHA1
d6062d8159b0263cb781f9af484d335f511c68b2

SHA256
e1de823aec7e1881077178ba5370c3e3717a232e300a4f1252006fe2758cb90b

SHA512
db5afab0ef6af1ce069c79b137e96a7eadbde4fe849597e900c01a440c027cb6f17860cb34859caad2ec6dbe95863ae99012acd8ce157d5880057adf8597b211

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIWJftm51VOB.bat

Filesize
219B

MD5
a99212d714f3d9f6c6f809d94573e828

SHA1
81ab2e865e72081a9ea3f6f397920264632476f9

SHA256
4f24e164e552099b4309613ce89a397df09d91b2861c8e58e45cdc5442a1ec42

SHA512
c4e82ca1692b63b03a10f7ecc946859304e0acf920338f009feb73478f22b485ec38d3593cb047e2a3906214b21e8c1f894ec5a59a7b018951a581ba50c1fcea

Download Submit
C:\Users\Admin\AppData\Local\Temp\raOeMIytXXVO.bat

Filesize
219B

MD5
fc78a0f69c0fa06bbb621ce290bed5f6

SHA1
c714257ec9095c7df46d43d4ccd12cc56b75a7a9

SHA256
f5a6f13d76233d24ba064d426cb212a46ce4075906bd240fafd6c597125e335e

SHA512
6861f872b8db2f21913648ecf64bd2308809b38b62f12204e663a02e66fb9cf127a7759890a9ec6c46e8f1abb6024dbdf418c35fd62e3c159130b60e2a19ac1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2jTAHH8w1D7.bat

Filesize
219B

MD5
5955f7af9ffed75335ff3df782be0ad9

SHA1
1f8741b7482718fe475cb50e7353c8bfaa522d74

SHA256
166f54ab1ad0e508350cb1006259702de6a9bc949767a6ea9aa34449439f8134

SHA512
7f26e94338e9fe5efc023693ff9ba2d4b301affaa9b1b6c0cf57471d1fe12066f01e204ba37d26f496af84beb02324f03e37fe47fbbd9e61924bbd28ae080c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\zD7TkTXTTCOE.bat

Filesize
219B

MD5
59ca421a7640d4127b9c0871b029eb27

SHA1
1f7e0900b908cb7e5e130507bb4192c1d2d1ce5c

SHA256
c30ef3eee1fc9eb07796bffc64f43ac76e20fd8ac1116bbc50c167346a5b1b70

SHA512
d09a6c8bb7ca6ba5e3dae0eeae7a1d7a8fae34a4279d61cd4e7697aaca2740b20fde0c4b6d3cef37291357b4c8cd9ebde75a79075ea9c408a1a1c6d773c013c0

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
a9cd40ff6fbfb889909bf951ff41bdf1

SHA1
b79e3b612d0caaf942bb562e9817693eb8750613

SHA256
8c59a99d8e6a4f902e9f75a2e60edc8112976a139518899844dda080a0eb500b

SHA512
1210917a60d05aef017b8880792efbd6bbd164b8e148ecb965b54f781bd440aa0590bd76433422543447030813d50fdbd48c6409278d833feb89a63f730c486c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
8c52dbfa757a730868531c3c8f4b80aa

SHA1
97d5f486f1cef8eed3cf57e1e047ccfe64faa679

SHA256
7171312bbc989cf1060e0cdfaf2754fb29a772357842510dbbbafb37c5e1c8e9

SHA512
cc581fd8f69af1992fc931188df9dcaa60fcf6535b3e6bf12371f268c4595ba8a4911b78d26c67f5275a8f864ac8905d189fe6fc7c5692c17059f2404a8bb1da

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
3045f184f5cc05a9fa466c03aed0b741

SHA1
3a485a988d8ae830050eacd3d6dc16f7d4cd8208

SHA256
6b44630c95cd9bbce9148b323710874e93cf237b3934740409ce158d5c9a29a3

SHA512
ee2d23f0f941880433ff9dace23c55983cf286ed12f751dc020881748f32e2a95d0ae9a8fc1ee7acf23644043fdc7f79ec426034ccaee96ee88c85de72af0ef6

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
4fc67db89b6d8abc7fa37bace23739db

SHA1
73c8a1700d1729b9303596815127833215be9d46

SHA256
4c3a77842c280f367924b6bbefe1467fd8b9615cd47a7fe7b5143d281e02d5fe

SHA512
5578243d1b41f2ad5f9484c4f98f88fc267828c7768e1fbea1d0eb84ef19d412e28403ae029b97786b9cf9deb8313d9245877feace9e982273d5a9cb853bfcaf

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
666fad1baa11f032fcfe2464116e174b

SHA1
4784d8d49824c035b772755c522bb4aea4822386

SHA256
9d423b68e3edda8ea6060e9156a2328332724b9756e4f333b9137ffbbf00c3c6

SHA512
a30f236e6d3425520acdd0cf9237cefd5e0e3198d64863f831d513f943dda7066d5f402b339fd566d97cc6472ec9f4dad908cbfd151bc184ca2e443bee5ceb6b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
3e88e603e492dfa9e8efa3fb76d84d45

SHA1
1dc7242b8494809a4fc255130ee8c6b5662265f4

SHA256
ca6fedb354943466dcce684542575e653052fbe9e69453d4915154e8ad671932

SHA512
7f437ad50bb8418fa15ea266bed9e5d8454c593b8b1bfe8be9a9deda5be1cb8b1c8ee1be3a8fa841e19cd39a72d8291c112f1584d42937244925429821afdccd

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
72d7923559df729a15e718862f633166

SHA1
7a15b0337f278b28e6dd08ce021ab7287aaab594

SHA256
2c3a0628726af2efcb6f593d360a2c9a5f8687c49f916ef8b749102551e32c21

SHA512
6091cf48583028b6da7f95f5e433e906f63841e495acc0c0e00ad6e791fd68cf4b9ee7673bbb6d352e554d4ed64fb712cfad491b2ae3f18921d83a3bc5eba6f7

Download Submit
\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe

Filesize
507KB

MD5
4e7b96fe3160ff171e8e334c66c3205c

SHA1
ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f

SHA256
e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c

SHA512
2e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48

Download Submit
memory/956-67-0x0000000001230000-0x00000000012B6000-memory.dmp

Filesize
536KB

Download
memory/1060-120-0x0000000000E70000-0x0000000000EF6000-memory.dmp

Filesize
536KB

Download
memory/1504-191-0x0000000000140000-0x00000000001C6000-memory.dmp

Filesize
536KB

Download
memory/2016-31-0x0000000000BF0000-0x0000000000C76000-memory.dmp

Filesize
536KB

Download
memory/2032-154-0x0000000001210000-0x0000000001296000-memory.dmp

Filesize
536KB

Download
memory/2220-49-0x0000000001230000-0x00000000012B6000-memory.dmp

Filesize
536KB

Download
memory/2420-12-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2420-0-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/2420-1-0x00000000011D0000-0x0000000001256000-memory.dmp

Filesize
536KB

Download
memory/2420-2-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-201-0x0000000000930000-0x00000000009B6000-memory.dmp

Filesize
536KB

Download
memory/2592-102-0x0000000000040000-0x00000000000C6000-memory.dmp

Filesize
536KB

Download
memory/2696-10-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2696-13-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2696-11-0x0000000000BA0000-0x0000000000C26000-memory.dmp

Filesize
536KB

Download
memory/2696-29-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/3016-138-0x0000000001210000-0x0000000001296000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads