quasar | e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe
Size

507KB
MD5

4e7b96fe3160ff171e8e334c66c3205c
SHA1

ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f
SHA256

e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c
SHA512

2e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48
SSDEEP

6144:mMqQ4i1FFiEKS5huOMGOjBbqSJvoUdy6RIQ9+F2q7N5YrKywP:XpliiqGOj4S5oUdy6WPPYWywP

Score

10^/10

quasar school discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

School

gamwtonxristo.ddns.net:1717

Mutex

QSR_MUTEX_M3Vba1npfJg3Ale25C

Attributes

encryption_key
VtojWKM7f1XyCVdB41wL
install_name
comctl32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Startup Scan
subdirectory
Windows Defender

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	74	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe
	12	ip-api.com	Process not Found
	55	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/640-1-0x0000000000180000-0x0000000000206000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c63-11.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	comctl32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	comctl32.exe

Executes dropped EXE 14 IoCs

pid	Process
5040	comctl32.exe
1828	comctl32.exe
2712	comctl32.exe
4560	comctl32.exe
3132	comctl32.exe
3676	comctl32.exe
1076	comctl32.exe
5052	comctl32.exe
1004	comctl32.exe
4640	comctl32.exe
4572	comctl32.exe
1684	comctl32.exe
3952	comctl32.exe
2264	comctl32.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com
55	ip-api.com
74	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
3976	5040	WerFault.exe	85
2856	1828	WerFault.exe	97
2440	2712	WerFault.exe	110
1432	4560	WerFault.exe	121
5092	3132	WerFault.exe	130
1752	3676	WerFault.exe	139
4316	1076	WerFault.exe	148
3952	5052	WerFault.exe	157
1660	1004	WerFault.exe	166
4836	4640	WerFault.exe	175
1668	4572	WerFault.exe	184
3664	1684	WerFault.exe	193
4820	3952	WerFault.exe	202
3632	2264	WerFault.exe	211

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3988	PING.EXE
4628	PING.EXE
4264	PING.EXE
2528	PING.EXE
464	PING.EXE
2412	PING.EXE
2660	PING.EXE
2288	PING.EXE
1440	PING.EXE
752	PING.EXE
2456	PING.EXE
3156	PING.EXE
3188	PING.EXE
5012	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
1440	PING.EXE
3156	PING.EXE
4628	PING.EXE
2528	PING.EXE
3188	PING.EXE
464	PING.EXE
3988	PING.EXE
2288	PING.EXE
5012	PING.EXE
2456	PING.EXE
2412	PING.EXE
2660	PING.EXE
752	PING.EXE
4264	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1340	schtasks.exe
3124	schtasks.exe
4988	schtasks.exe
1124	schtasks.exe
3416	schtasks.exe
4544	schtasks.exe
3440	schtasks.exe
3676	schtasks.exe
1352	schtasks.exe
400	schtasks.exe
2312	schtasks.exe
3284	schtasks.exe
4904	schtasks.exe
4888	schtasks.exe
3604	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe
Token: SeDebugPrivilege	5040	comctl32.exe
Token: SeDebugPrivilege	1828	comctl32.exe
Token: SeDebugPrivilege	2712	comctl32.exe
Token: SeDebugPrivilege	4560	comctl32.exe
Token: SeDebugPrivilege	3132	comctl32.exe
Token: SeDebugPrivilege	3676	comctl32.exe
Token: SeDebugPrivilege	1076	comctl32.exe
Token: SeDebugPrivilege	5052	comctl32.exe
Token: SeDebugPrivilege	1004	comctl32.exe
Token: SeDebugPrivilege	4640	comctl32.exe
Token: SeDebugPrivilege	4572	comctl32.exe
Token: SeDebugPrivilege	1684	comctl32.exe
Token: SeDebugPrivilege	3952	comctl32.exe
Token: SeDebugPrivilege	2264	comctl32.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
5040	comctl32.exe
1828	comctl32.exe
2712	comctl32.exe
4560	comctl32.exe
3132	comctl32.exe
3676	comctl32.exe
1076	comctl32.exe
5052	comctl32.exe
1004	comctl32.exe
4640	comctl32.exe
4572	comctl32.exe
1684	comctl32.exe
3952	comctl32.exe
2264	comctl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 3440	640	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe	83
PID 640 wrote to memory of 3440	640	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe	83
PID 640 wrote to memory of 3440	640	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe	83
PID 640 wrote to memory of 5040	640	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe	85
PID 640 wrote to memory of 5040	640	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe	85
PID 640 wrote to memory of 5040	640	e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe	85
PID 5040 wrote to memory of 1124	5040	comctl32.exe	86
PID 5040 wrote to memory of 1124	5040	comctl32.exe	86
PID 5040 wrote to memory of 1124	5040	comctl32.exe	86
PID 5040 wrote to memory of 3160	5040	comctl32.exe	88
PID 5040 wrote to memory of 3160	5040	comctl32.exe	88
PID 5040 wrote to memory of 3160	5040	comctl32.exe	88
PID 3160 wrote to memory of 1872	3160	cmd.exe	91
PID 3160 wrote to memory of 1872	3160	cmd.exe	91
PID 3160 wrote to memory of 1872	3160	cmd.exe	91
PID 3160 wrote to memory of 2528	3160	cmd.exe	93
PID 3160 wrote to memory of 2528	3160	cmd.exe	93
PID 3160 wrote to memory of 2528	3160	cmd.exe	93
PID 3160 wrote to memory of 1828	3160	cmd.exe	97
PID 3160 wrote to memory of 1828	3160	cmd.exe	97
PID 3160 wrote to memory of 1828	3160	cmd.exe	97
PID 1828 wrote to memory of 4904	1828	comctl32.exe	99
PID 1828 wrote to memory of 4904	1828	comctl32.exe	99
PID 1828 wrote to memory of 4904	1828	comctl32.exe	99
PID 1828 wrote to memory of 3284	1828	comctl32.exe	101
PID 1828 wrote to memory of 3284	1828	comctl32.exe	101
PID 1828 wrote to memory of 3284	1828	comctl32.exe	101
PID 3284 wrote to memory of 4184	3284	cmd.exe	104
PID 3284 wrote to memory of 4184	3284	cmd.exe	104
PID 3284 wrote to memory of 4184	3284	cmd.exe	104
PID 3284 wrote to memory of 3188	3284	cmd.exe	106
PID 3284 wrote to memory of 3188	3284	cmd.exe	106
PID 3284 wrote to memory of 3188	3284	cmd.exe	106
PID 3284 wrote to memory of 2712	3284	cmd.exe	110
PID 3284 wrote to memory of 2712	3284	cmd.exe	110
PID 3284 wrote to memory of 2712	3284	cmd.exe	110
PID 2712 wrote to memory of 4888	2712	comctl32.exe	111
PID 2712 wrote to memory of 4888	2712	comctl32.exe	111
PID 2712 wrote to memory of 4888	2712	comctl32.exe	111
PID 2712 wrote to memory of 2288	2712	comctl32.exe	113
PID 2712 wrote to memory of 2288	2712	comctl32.exe	113
PID 2712 wrote to memory of 2288	2712	comctl32.exe	113
PID 2288 wrote to memory of 3436	2288	cmd.exe	117
PID 2288 wrote to memory of 3436	2288	cmd.exe	117
PID 2288 wrote to memory of 3436	2288	cmd.exe	117
PID 2288 wrote to memory of 1440	2288	cmd.exe	118
PID 2288 wrote to memory of 1440	2288	cmd.exe	118
PID 2288 wrote to memory of 1440	2288	cmd.exe	118
PID 2288 wrote to memory of 4560	2288	cmd.exe	121
PID 2288 wrote to memory of 4560	2288	cmd.exe	121
PID 2288 wrote to memory of 4560	2288	cmd.exe	121
PID 4560 wrote to memory of 1340	4560	comctl32.exe	122
PID 4560 wrote to memory of 1340	4560	comctl32.exe	122
PID 4560 wrote to memory of 1340	4560	comctl32.exe	122
PID 4560 wrote to memory of 5080	4560	comctl32.exe	124
PID 4560 wrote to memory of 5080	4560	comctl32.exe	124
PID 4560 wrote to memory of 5080	4560	comctl32.exe	124
PID 5080 wrote to memory of 3168	5080	cmd.exe	128
PID 5080 wrote to memory of 3168	5080	cmd.exe	128
PID 5080 wrote to memory of 3168	5080	cmd.exe	128
PID 5080 wrote to memory of 464	5080	cmd.exe	129
PID 5080 wrote to memory of 464	5080	cmd.exe	129
PID 5080 wrote to memory of 464	5080	cmd.exe	129
PID 5080 wrote to memory of 3132	5080	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe
"C:\Users\Admin\AppData\Local\Temp\e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe"
1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3440
- C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
  "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMNrvo7xMHh9.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:1872
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2528
  - - C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
      "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1828
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EuJxBDZ2KSlL.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3284
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4184
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3188
      - C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEAyXpWuhQHa.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1440
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyRImQj5LS1B.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:464
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3132
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\31QqSuPm7sVY.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5012
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3676
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BpRgahyiBnuj.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1076
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uS7IiKkZaseU.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:752
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5052
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        17⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e5ntqwXPzwNF.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcvGJcoBRJkX.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:720
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2660
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4640
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        21⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKGURKUZgoJU.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3988
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4572
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        23⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TBun8cN9mL7S.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3156
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UPDZoHpwDcHF.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4628
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        27⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OLOGexcbzCCc.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2264
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4wG8zqF8rSFT.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 2200
        29⤵
        Program crash
        
        PID:3632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1932
        27⤵
        Program crash
        
        PID:4820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 2224
        25⤵
        Program crash
        
        PID:3664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 2224
        23⤵
        Program crash
        
        PID:1668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 2224
        21⤵
        Program crash
        
        PID:4836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 2212
        19⤵
        Program crash
        
        PID:1660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 2176
        17⤵
        Program crash
        
        PID:3952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 2228
        15⤵
        Program crash
        
        PID:4316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 2224
        13⤵
        Program crash
        
        PID:1752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 2228
        11⤵
        Program crash
        
        PID:5092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 2192
        9⤵
        Program crash
        
        PID:1432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 2200
        7⤵
        Program crash
        
        PID:2440
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 2228
        5⤵
        Program crash
        
        PID:2856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 2200
    3⤵
    - Program crash
    PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5040 -ip 5040
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1828 -ip 1828
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2712 -ip 2712
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4560 -ip 4560
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3132 -ip 3132
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3676 -ip 3676
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1076 -ip 1076
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5052 -ip 5052
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1004 -ip 1004
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4640 -ip 4640
1⤵
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4572 -ip 4572
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1684 -ip 1684
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3952 -ip 3952
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2264 -ip 2264
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\31QqSuPm7sVY.bat

Filesize
219B

MD5
884c71f76dba6079c4b78e7ac8d330c5

SHA1
f6b95346572ea9228f9d6531f70abf9b23c787dd

SHA256
e862a7a80608f882724c7da8f8fdc593dd374de1b54f0beac39271ac111c7c24

SHA512
186f1049ec252d0ab0a37eea8c3d4b8368263e928116bd884e90bd6b31e5eb87f6e25327cd0be1e095ca5433dbe548c46828b354e25e1b90498c2841a29baf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\4wG8zqF8rSFT.bat

Filesize
219B

MD5
dd9be47e23e6fb3681a577d16e483c67

SHA1
4bf1b099f3de59e9049ad734845f8bc5545d27a9

SHA256
51f3de413b8b964e97022681e6de77ff0c6532d68db2053a919cfe925a8e8c0f

SHA512
73eec0aff4f4386d9acb81878c895336ad332974b594f3a6e51428e4ea1403634bbfbbe56334c925364f391b526b15f447c8cb60115490b3fbf6acf2ab0718c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BpRgahyiBnuj.bat

Filesize
219B

MD5
e6768e723d5560dc0c8c66c6c76a7038

SHA1
6ab91269344cddd543610d537cdfa25d9b850c4d

SHA256
ca1b786a9e22d13ae28f809267377a6054213e1e53adca2fccf83a264d4ec880

SHA512
03f27be9eb5df8a70d66c9f7881bbedcd8f3340b5351164001ce9f940bbfa5547d575d49a11de42a3490343ee8b4c396bdae9cde0e9dee2ff6e8979cdc2ea2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\EKGURKUZgoJU.bat

Filesize
219B

MD5
f7030f10269e35d5a56b09b0609bc00c

SHA1
0473e60025ac77b274bf051c9112251ea4fe4a66

SHA256
8d56bad565a79791702d5bf634575325ee12c53750aa3d0091620390dae1bf0d

SHA512
cd52966844e98773550797f423682acbef6941ddb09d8e8f85c97e818c7f46108ff10c4a225c80628b3bad5288b82cb1b3c8871a0da510b8989d4246159608d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EuJxBDZ2KSlL.bat

Filesize
219B

MD5
489630dd6a55ace704004e7cd11eb4f1

SHA1
e672ed8f344eb2c3835e01bf82119b9b8dd4d848

SHA256
de8811ee08c1de0b1acb84639f9f2287fe46df46efac55f59f6cad0b2e6a97eb

SHA512
60998717b1c29478118d630627cd8d7d323e9de5b2039f9734dd92848dcc2288584469880db26d975718f808cd255aebbdc62a61ea1c299e0de2d8f3f5806109

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcvGJcoBRJkX.bat

Filesize
219B

MD5
4d2b4cf68e30c6354ea65c359b5c4fc2

SHA1
0251156cb1bdd023e6cfcbcc6d6c14f852b343cd

SHA256
34d95df5d01736a947ac4edc3b260ef569f2f5ec43efb2a117d0eed4ad0ee606

SHA512
9c63d5c16ffc8625aa5eb37e119aa7300689c03afeb1249803bfd11671ee773a3505a708f0601dadc65d02136b6320c4613dbde09546d7646a29c988934e4160

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEAyXpWuhQHa.bat

Filesize
219B

MD5
a5d2b603fec7f4059cebf8bcc4b44e5b

SHA1
1cffb4d053ad4c7122f0979046020b6f5f69e1a8

SHA256
370158b8fa1ded52dd7ef8bf67d826e27e4455460bd28ad1592f2a94478c70a9

SHA512
0bc63ccd6ee877ef4c1622dd1f1b1d709692d25d1e0d979c21d13f9183c890b41a97d75a458eb441d8ca22daa2bc636a430ff14992ace1eec547b0c35de386f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OLOGexcbzCCc.bat

Filesize
219B

MD5
2f760f7665542a27ed7e214dcc1a57f2

SHA1
7c959ea17c1d043fbf238b5315af9bd0fd4311a6

SHA256
12946717034704cdac769ff63e1b21a57253556d949f347dcd0a9f1ca1f86cf6

SHA512
0fcd4ac70e545cc853d726a956746449e5780d17ae09fc95d4075b08e0d704bc440586f1e7f11c556b4c5767400c247777ef64e1b1ac7dfc2fa71911725f64a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QyRImQj5LS1B.bat

Filesize
219B

MD5
1855ec8573c10c4293e98af80a47b106

SHA1
c7de1c41d774f218733345d6c8bf0a5ba64c0e74

SHA256
ef2fc010ee40fa7fce38dd707ff0185252a2c12eed393adaa4376707a8ac1f7b

SHA512
36152f0d9229382421cbc9bce386eb200b2f455173645733bc55c473c76a23a5c4094cea51e5a93d96b877e815a62340cd4a9cc1f1932f93ec84075938b78ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TBun8cN9mL7S.bat

Filesize
219B

MD5
89c26fc6507d6e08be54f30795a2c026

SHA1
8af5f92c407aad732ed4169af4b79b63ba3fd4f1

SHA256
cdd8dfc4ed59e9da44123f2048d4e441d7a3ec6430c2adb564b8678bb0eb77da

SHA512
a088cadeaa9ae4a64dac07243af715030ace58e94203fbd12bf014eb7b9190b0e1512706c5b872f3f9e55f6024e1c619b240fa96ae37d513ad275fb039791c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPDZoHpwDcHF.bat

Filesize
219B

MD5
ccbd406d0579fbe8c19167fb88dfe968

SHA1
a00f760a347d8bb8264bd9d48c9904ac54110a02

SHA256
fa336483baaae756fbb27ea0712b5907121c8bd61904407f036d1f03bf10d3eb

SHA512
b77cec13d5626d8d77bb159f0a4dccc9af0a84b8cdf6363a929b824e00ad47a48d5161736fe3201908093eed07fd82ed6f4202db40212714150534a9c8a9e6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMNrvo7xMHh9.bat

Filesize
219B

MD5
4f799482ff92154d89d1995317a699f8

SHA1
f5e461204258c4adcdd3ad82d87b8a71c83c6e56

SHA256
fc92569d6efc9e3371fb73cbae3fb6c3574391d9b2c58ad7ae9a6275b905ce7e

SHA512
c418fd0c922be560b68c59d77cf2cbe7c15130fba88ba2561df615362aac375ac8bc3b83eb7d50af803ffae75fd1063a0a20bdc3837749df2a104c971727cef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5ntqwXPzwNF.bat

Filesize
219B

MD5
9792e95fedc1c2eed99dfb134d7d49bf

SHA1
bac3473c5b02394561b4bb3b84ff633e6086b174

SHA256
eae28959f2791315e16e319fa059f033ea9c1d414ab3635e1f88b2731c404403

SHA512
082d9fe85d6fd65d829ce03feecff8676518d9a8d06fd4436f793c15c162954fb24c13708c3480b262e49794afcfcb3529b5a1c313050714084ba538c294a0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uS7IiKkZaseU.bat

Filesize
219B

MD5
0f48088f3398c024f7da9cb664b44064

SHA1
bde181d45ed4509484f1ca60844d333a360a7948

SHA256
0f697bc3ef470b51bef77be59b36242f096e7df5ef4f9412c492d3a604b755f1

SHA512
e03cf222fd2582a5846f1c560ef5f12560a2ca9d9301bce767e890458eac26b570d2c7c35e8e04e6486c893ffed6a873ee5dbaba5bfda25190c830d06c31bdbe

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
c0a268543d8c20656a7462c89bf9f0fc

SHA1
bbc0516a41917a272f7cbb77afbe8a99455f1635

SHA256
bc339bc43243c8ba0326b1f1361796000091588a799f3609a3907ff7e9363a49

SHA512
b16c51ad2547fa7fb999fa3f0b4951b83480b0191687dd33a6944e3237ed66959d7d270db1abce2a371a11ce43fc4f35cd8000cbe7ba77dbed74df0395b0d8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
490bffd85d23fb390cdf8968ed917a38

SHA1
75343f7eaa69e23daf4879e21c761cd9576fa2f5

SHA256
7079290d5a81e478c7b180f7c0c57aac000032e8470ce860123849b0a2bdd6c6

SHA512
6e10dd5f96c7cd219f335368ec15ab933e2d869164490ce764df84fb95e76b549fe3aab7ccd7e019969389842c97002e1dc8d151f3effe5b5a484e7615a9fce2

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
a1430500cf8a722c17c9620ef0894e09

SHA1
4163cf7241d2275ed451dae6f956e3423ed7a963

SHA256
6af606d664974b2ae71c1239ea28e9ebae93b501f755cd856cb67ac1a8e6f249

SHA512
9655fe4017d1f66cd3329c8d28d2ea1180b988d1a530f208d25182475224527ee15205de9dd7bbe0d71e11fe1149daaac83f54c8422d9ab81d5d50658bc56a86

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
efe99c1a34c77e0d2e17ebfe2505b1c7

SHA1
2e6d79c7ae930a89934523ec731db01350e05a36

SHA256
64ccc0499a364c38b093440c20a1d0566534014f9bcd04d1309faf7a9a1a8c3d

SHA512
9d0c855c8e37279f9405c3788509a8bb2f02572106355406987bc51c3bdedae42c5898d944681569ad108b35c7a2ca191512c2e2e4bc93f251be5eed1defbafb

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
eef4f9c96e47e895043f766dd3b14339

SHA1
18dabb90d0d0b57f345b06e61f794db3c5c13409

SHA256
ae6e0ffa26cd332c010576d350c3363b34efb69768f49b2820f83542adf83dca

SHA512
2ef51e47ee1ab849104b5d734d2cc1f096007160eab680e6903839789385957960aa2379e9f6887542244a09a2012898023d4f81d3757bfed75624df827e089b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
91a1ebbc5de7f87f60f1a4c918c31662

SHA1
c3d4b2e4ed1083065cf2d4f9e6a0c6f55736c9e6

SHA256
266634201ffee1a5e1de3bd7275cc542668a741b843e027f5b3213812f9c171d

SHA512
89b0a6bbd6d822ef72808561914cdb630261a1be4c77dcd128f45a6299e61aca45886afacc277f71c5885a300a493b04d59eb53ce8cfed189df40d70339c0f44

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
13f6a1c202951b8d3a9c2d5eee5f46d8

SHA1
454bec3d2024f0e41117f1b2ddf83c88daa77ed1

SHA256
4cea42e7bbbb3d6343189c1d306bc3ead47900d497fe1945311a8e7d8d7b71a9

SHA512
ef8d965330e6247700c7127ec512ede7c05ac46820c518dafaee3c438f2464fe3a9116dbc3a8f88718094c2b351555f4ee035f70d999e069e9b17bc77bce22b6

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
d6a12440f70433c81be08b779d640219

SHA1
73864e03bd1ed6e039fdf28afd07296a2f8a4fe2

SHA256
627caffe86ea633e9b436dee31a8b73a46d4929febb41a6e3e7dc4744ff89006

SHA512
06b58dba7479d9672abd77f01371c6953b0f49a4f76180168f446246ee7775ba4a641d58cb1b4144803fd4fd2ca6d6802629cf470cb44a94bf3ca5f782bc3253

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
a63528b25cd27fa173032cd406b7c574

SHA1
c90c2b599aad17cb531026ff4de1f20b6dfae38a

SHA256
47ee8c779e0d2e7236ac8d11ed9c2dfac977404392bb20316f62bb9888705918

SHA512
1132be04785d887a638016cd259474c96ca1d1ce4202993b2fb7b0a6c0423407ad7c8af8eecb33adecdeb6b9c797880d2fea3d8864ae7b39c3dd952e94887624

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
2f5608e49c482aee319b7f1a0136a817

SHA1
2a0da4414d4fdaa8b21df0af9d1e44857a3b76cd

SHA256
c3ee8b56f81ae2d479bd3befdf1d9f5137bbfede45dadec02fd57079f1b0f6cc

SHA512
736676a291175254542509bc9c3b3c19d908e3f3d96861e4838dbcbddccc0ae226be2c4e026e40683576fa91b1e1f3be6d9711803cd1c93a6b02935648491821

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
1389758b8a63ef373c128d200861a3a2

SHA1
cba4212fd0a4774687b17cd08add2ccd2f4198c9

SHA256
bd5d971f923950bbeb830c6c353dd10e5cbee70f20de9a15a006f2a3f6f7fe2c

SHA512
18068f777a8659a876e0b346f12d1fd465a850610877f50f3a7aedbb397fa0f1dfd6f639ba0786bf02edd442ebdcd4345dd7dc6dfaf9aba8d3000826b9518900

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
39a6becf27a128b3290ca2d3123f8199

SHA1
e5baaed53488c98286b17ea2e2a8b34c882972a2

SHA256
3fb180a00dbee3bd08eee5a10601f7a83a62e5a07d7a5755e88192cb12262004

SHA512
b3850ed87f61be947a696f98b3586b338c94584121a618fa3acbb15c7a06c0995c06c6a3207e2a916d52a8fe789267f39995cad42374b9ce6ebcf57aa7bbc885

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-17-2025

Filesize
224B

MD5
67cf0d7de1dcf62053bd315c302699cf

SHA1
62e9a5d48898a08d5054fe29b7c775c904b6783d

SHA256
a9d44b7c51d6b8c0558eddbab4812f7f4c1b2dfd6020a4d3167baaa870a478fa

SHA512
a96670d03adfc168f3a333ea698acd6ab8e07aa899cd59bf497ebaddf4c3230d030cec927dfd7891feef65ccb668caa122dcb5c066b8ee60df7a714e4b473561

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe

Filesize
507KB

MD5
4e7b96fe3160ff171e8e334c66c3205c

SHA1
ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f

SHA256
e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c

SHA512
2e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48

Download Submit
memory/640-4-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/640-7-0x0000000005E70000-0x0000000005EAC000-memory.dmp

Filesize
240KB

Download
memory/640-6-0x0000000005930000-0x0000000005942000-memory.dmp

Filesize
72KB

Download
memory/640-15-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/640-3-0x0000000004CA0000-0x0000000004D32000-memory.dmp

Filesize
584KB

Download
memory/640-5-0x0000000004D40000-0x0000000004DA6000-memory.dmp

Filesize
408KB

Download
memory/640-0-0x000000007537E000-0x000000007537F000-memory.dmp

Filesize
4KB

Download
memory/640-2-0x0000000005380000-0x0000000005924000-memory.dmp

Filesize
5.6MB

Download
memory/640-1-0x0000000000180000-0x0000000000206000-memory.dmp

Filesize
536KB

Download
memory/5040-23-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/5040-18-0x0000000006B10000-0x0000000006B1A000-memory.dmp

Filesize
40KB

Download
memory/5040-16-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/5040-14-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads