Overview

overview

10

Static

static

10

liberium executor.exe

windows7-x64

10

liberium executor.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2024 21:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    liberium executor.exe

  • Size

    3.1MB

  • MD5

    a83c74ddda692ff3e4279ef4d1e1ab6b

  • SHA1

    f807912389ed16a9d7ac3e3e7b73282658c6ecf0

  • SHA256

    46136025a4d84640710a3c3ab05588b2ff288c7294ea3d855061b67609839cf6

  • SHA512

    70b79b90362b50fa52762554161f962535aff171f4cf3147afb960b5aba302cc8d969eb2168f331653b114b4199201be4ef5cd3bb97c67547708e2622e72874b

  • SSDEEP

    49152:Svdt62XlaSFNWPjljiFa2RoUYIsSDsKdpvVoGdqTHHB72eh2NT:Svf62XlaSFNWPjljiFXRoUYIsCsE

Score
10/10
quasaroffice04discoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.0.0.0.1:4782

Mutex

92adbb05-a27e-42e8-b9a2-c260d01e742b

Attributes
  • encryption_key

    46B4B3697EBEA35C7930856CF4E60FB52D50DE37

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    executor

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Drops file in Program Files directory 33 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\liberium executor.exe
    "C:\Users\Admin\AppData\Local\Temp\liberium executor.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3288
    • C:\Program Files\SubDir\Client.exe
      "C:\Program Files\SubDir\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2008
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EdD7iQOCtKff.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:3528
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2404
          • C:\Program Files\SubDir\Client.exe
            "C:\Program Files\SubDir\Client.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4548
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2664
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GfedfTWAbuLK.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2556
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4908
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2784
                • C:\Program Files\SubDir\Client.exe
                  "C:\Program Files\SubDir\Client.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:2356
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:4760
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6ZxZpfGrHCYt.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3300
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:4856
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:1660
                      • C:\Program Files\SubDir\Client.exe
                        "C:\Program Files\SubDir\Client.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Drops file in Program Files directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:4324
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:3064
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wxTuOTe1euq4.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3252
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:264
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:2008
                            • C:\Program Files\SubDir\Client.exe
                              "C:\Program Files\SubDir\Client.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Drops file in Program Files directory
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of WriteProcessMemory
                              PID:1672
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:228
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWr3Zs5vkNfm.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3964
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:4072
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:2212
                                  • C:\Program Files\SubDir\Client.exe
                                    "C:\Program Files\SubDir\Client.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Drops file in Program Files directory
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    • Suspicious use of WriteProcessMemory
                                    PID:2660
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:980
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeD6vYJ8Qyf5.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:2336
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:4032
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:4080
                                        • C:\Program Files\SubDir\Client.exe
                                          "C:\Program Files\SubDir\Client.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Drops file in Program Files directory
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of FindShellTrayWindow
                                          • Suspicious use of SendNotifyMessage
                                          PID:2444
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3988
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q4mJ5G1iBLfF.bat" "
                                            15⤵
                                              PID:1272
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:368
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:440
                                                • C:\Program Files\SubDir\Client.exe
                                                  "C:\Program Files\SubDir\Client.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Drops file in Program Files directory
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SendNotifyMessage
                                                  PID:736
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2544
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oxHDLEbKHB3T.bat" "
                                                    17⤵
                                                      PID:2000
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:760
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:1660
                                                        • C:\Program Files\SubDir\Client.exe
                                                          "C:\Program Files\SubDir\Client.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Drops file in Program Files directory
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of FindShellTrayWindow
                                                          • Suspicious use of SendNotifyMessage
                                                          PID:3632
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4620
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u0nXayst6AkG.bat" "
                                                            19⤵
                                                              PID:4864
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:3424
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:3528
                                                                • C:\Program Files\SubDir\Client.exe
                                                                  "C:\Program Files\SubDir\Client.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Drops file in Program Files directory
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • Suspicious use of FindShellTrayWindow
                                                                  • Suspicious use of SendNotifyMessage
                                                                  PID:3396
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:228
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8ayli89aHEeM.bat" "
                                                                    21⤵
                                                                      PID:4212
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:2832
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:840
                                                                        • C:\Program Files\SubDir\Client.exe
                                                                          "C:\Program Files\SubDir\Client.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Drops file in Program Files directory
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • Suspicious use of FindShellTrayWindow
                                                                          • Suspicious use of SendNotifyMessage
                                                                          PID:4248
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:456
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7tfPiQ4rtPof.bat" "
                                                                            23⤵
                                                                              PID:3808
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:3908
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  • Runs ping.exe
                                                                                  PID:3716
                                                                                • C:\Program Files\SubDir\Client.exe
                                                                                  "C:\Program Files\SubDir\Client.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in Program Files directory
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  • Suspicious use of SendNotifyMessage
                                                                                  PID:4668
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:3972
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mXUKLpEfID9d.bat" "
                                                                                    25⤵
                                                                                      PID:4376
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:5000
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:2704
                                                                                        • C:\Program Files\SubDir\Client.exe
                                                                                          "C:\Program Files\SubDir\Client.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in Program Files directory
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                          • Suspicious use of SendNotifyMessage
                                                                                          PID:1548
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
                                                                                            27⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:2340
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V92dlyKHY5mB.bat" "
                                                                                            27⤵
                                                                                              PID:2284
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                28⤵
                                                                                                  PID:4028
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  28⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:4736
                                                                                                • C:\Program Files\SubDir\Client.exe
                                                                                                  "C:\Program Files\SubDir\Client.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in Program Files directory
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                  PID:3940
                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                    "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                    29⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:384
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUmTGCM1qHgV.bat" "
                                                                                                    29⤵
                                                                                                      PID:4180
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        30⤵
                                                                                                          PID:3104
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          30⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:1792
                                                                                                        • C:\Program Files\SubDir\Client.exe
                                                                                                          "C:\Program Files\SubDir\Client.exe"
                                                                                                          30⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in Program Files directory
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                          PID:1936
                                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                            "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                            31⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:772
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQNeTAetQzHd.bat" "
                                                                                                            31⤵
                                                                                                              PID:2080
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                32⤵
                                                                                                                  PID:2236
                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                  ping -n 10 localhost
                                                                                                                  32⤵
                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:1132

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Program Files\SubDir\Client.exe
                                                    Filesize

                                                    3.1MB

                                                    MD5

                                                    a83c74ddda692ff3e4279ef4d1e1ab6b

                                                    SHA1

                                                    f807912389ed16a9d7ac3e3e7b73282658c6ecf0

                                                    SHA256

                                                    46136025a4d84640710a3c3ab05588b2ff288c7294ea3d855061b67609839cf6

                                                    SHA512

                                                    70b79b90362b50fa52762554161f962535aff171f4cf3147afb960b5aba302cc8d969eb2168f331653b114b4199201be4ef5cd3bb97c67547708e2622e72874b

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
                                                    Filesize

                                                    2KB

                                                    MD5

                                                    8f0271a63446aef01cf2bfc7b7c7976b

                                                    SHA1

                                                    b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

                                                    SHA256

                                                    da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

                                                    SHA512

                                                    78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\6ZxZpfGrHCYt.bat
                                                    Filesize

                                                    193B

                                                    MD5

                                                    be6e9272d40750af0add2daa1b848474

                                                    SHA1

                                                    81072324a4afa8f96347879bc400d285feb42575

                                                    SHA256

                                                    330bc396880979cc4282d3e9575cd83d668a5cdca5284e62dd88aa32ca55368b

                                                    SHA512

                                                    e804c57b590dba078bb5ee63fa382b5844fa7cc9962ce8ce225fdd79548afc0d58a755e34bbbdec8966445205e17100649061b3f3115c52ac1192ca964ae1e61

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\7tfPiQ4rtPof.bat
                                                    Filesize

                                                    193B

                                                    MD5

                                                    903d9c4a83908859f68c9283282705a0

                                                    SHA1

                                                    cfb6668cbf6c6bf6f5b9d7464d38d3778671ebe5

                                                    SHA256

                                                    0032ade1699a071a0592f825e164ec6de6d2deb627c1f95426baf8d3228a7d2a

                                                    SHA512

                                                    22b7da447325f40dde949b707552782a3f0e829864e9f898ec27778d786202f7d568ea5fc10ac5feb619bebd72a4a32d88d51a1420cc40a5083dd8623bd42276

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\8ayli89aHEeM.bat
                                                    Filesize

                                                    193B

                                                    MD5

                                                    8b28dcbae3419c29fa615fef682a0d02

                                                    SHA1

                                                    12b8de4491a91691a78689e0947c65fc9cc6a916

                                                    SHA256

                                                    0a98a40cc6157da66693585d6d5fdeb985e737c40dd4f2a4bd3b210dc1d3fa4d

                                                    SHA512

                                                    dc5309b4a6c9b19c52f09681d95223e3fa54e21236ff1a73866a8e8a635071e2095df13f4ab11c32d37839248519f6be0851d64704f9ad09661b0be420d4769f

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\CeD6vYJ8Qyf5.bat
                                                    Filesize

                                                    193B

                                                    MD5

                                                    8244048c1bc8f1a841aeebca3002ddb6

                                                    SHA1

                                                    1a98ef0e8554dd7ca11a9784b05e02828a9abb4f

                                                    SHA256

                                                    fefd14b2f46221bd19da0cd02e7150133c38f58236ce7f55c7058e9501b530be

                                                    SHA512

                                                    019503ea3d88ee9a58a5c58ea256f393504692e7083d4f77687de3a4053e38afd0e28408479da8d0a1f6b35d61ae1dc6691b9f9827fb8bad8ec752df64687119

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\EdD7iQOCtKff.bat
                                                    Filesize

                                                    193B

                                                    MD5

                                                    3990a249e72716f37ecd12f26514655c

                                                    SHA1

                                                    6e34827c8a5438ef53d3600db3fb8e2956fc4603

                                                    SHA256

                                                    17135f3b9f585e7d124172234217a5489700f45034c0e68d3a81d50ed4437b0e

                                                    SHA512

                                                    aa8dd01e026351e96a4a8e5ff9adf6800f7b9cd5a3a1428f050cb0cda9ed1cf4b54a5bb95011a02c952ff94c831e720f8828ea114bb65617e8cb6cb18e2f0b22

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\GfedfTWAbuLK.bat
                                                    Filesize

                                                    193B

                                                    MD5

                                                    680633ed1d7f2b9acf15f45807b40f77

                                                    SHA1

                                                    8e5eb2d5a04246aa6c9bef0fec388467c3560df3

                                                    SHA256

                                                    8b93c3882ca44c9eccffb3db5e6f7d01f3b98e51f1fe8ca2736a260b01289b1d

                                                    SHA512

                                                    1517eb93be2c20dd65411ed9881daefd6415ba89962a5e7b7254db2af0bce3a841c53a6988953208fbae534973e8869b893032743fdf83acaa870055db044aad

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\Q4mJ5G1iBLfF.bat
                                                    Filesize

                                                    193B

                                                    MD5

                                                    3bbecaf7326efc3a105874ea3cba9062

                                                    SHA1

                                                    6c5f239793c0caecd3203bb65349df6ee13b042a

                                                    SHA256

                                                    579169497c70183ae7cbcd0a9e8e332a723b1ee9ac18c0062a9f01fe9dacc750

                                                    SHA512

                                                    49662fea7de656f6f091716e3848c910781c7ec36a62eeb0e6ba35b06b219d902e51dbae7051000929206ec4d6a2b71b5699ba852c53ab4d3f39a2edf84757a6

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\V92dlyKHY5mB.bat
                                                    Filesize

                                                    193B

                                                    MD5

                                                    1462e0308e62901319f097c1dce87af9

                                                    SHA1

                                                    b055e8f1f593adac14f67b6062dd8a161950a860

                                                    SHA256

                                                    03b15397139eb0e0def65d6929fb53bb62e419ecb3af533c895678d81acd4e6d

                                                    SHA512

                                                    8080ff0bafe37dbb95191ef5d2235f9a1651a4cb81dbc6847ba56265d9d5845e5da32681ba54e0876fda7ed206e0c927f7ae8f5d88797cb9cb90d0e00719a3ad

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\hQNeTAetQzHd.bat
                                                    Filesize

                                                    193B

                                                    MD5

                                                    939f4b4e538529b3af32b594560c8558

                                                    SHA1

                                                    b693ee637f5da1c3d5d68b87b94bb3da746baf32

                                                    SHA256

                                                    161abee2dafe612db0da29351440d115727cf88ae7b7d8ca61e9bdfcbbf09605

                                                    SHA512

                                                    1c6503f7c27a678cb08e24bd9ee283a9602222e28e9c6543a2fc74258fefc6f99af75e26fc7361fe07ae1b1a44f89c391a631ed9cfa5bf596a67491c070c76ed

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\iWr3Zs5vkNfm.bat
                                                    Filesize

                                                    193B

                                                    MD5

                                                    8e73b4d84ac96a5835b530de9c75e2db

                                                    SHA1

                                                    8b98e060bfb0d5d43f996e95fa27d5f90aa49988

                                                    SHA256

                                                    1abd119b1bd96503e876c46c32a643b18994e20df0052c1051b8f6622cb8b54e

                                                    SHA512

                                                    856b286463931fecb7a0ad5ed48788b612a8d2edd1b13ac29578d4968f4fcaa6ed9a390043790d6675ebae06acf1a192db075fec6e458531dee4bb2ce2d5da70

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\kUmTGCM1qHgV.bat
                                                    Filesize

                                                    193B

                                                    MD5

                                                    57280038246ae439fe96a9ff15ce064d

                                                    SHA1

                                                    fe423eb141b5c6812882e6b930f42a5944083cbe

                                                    SHA256

                                                    09bde6c9307e626860502644232b196fa3811499596007b79d0180ea5e555706

                                                    SHA512

                                                    72f63207ef4f879fa9249bc3c5f40dae6300099df8429c7d8a312a353ebbc4eee0d418e784f0bf0a884af7afcf47cec0b3dacd63937b632bd01904e5830c00d3

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\mXUKLpEfID9d.bat
                                                    Filesize

                                                    193B

                                                    MD5

                                                    6a982cdcee8de74587ba88600a2b92f0

                                                    SHA1

                                                    7171d914cd626a9542815b898598e40fc51e3f1d

                                                    SHA256

                                                    e1cbf522e78b93066ae195b1eaa1b70ea52dd346c9b1ece622736331fbc1d8c0

                                                    SHA512

                                                    1997133f85afe7f459544f520d2e8e9df31c0429e7156a56bf4c05ac4a1f5ff2740affc3536d803f4fe2ee7bc90a6d7d9d767258e3ad4d6265e70a8d5f43498b

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\oxHDLEbKHB3T.bat
                                                    Filesize

                                                    193B

                                                    MD5

                                                    ce483b4c347563046995e7764aa3e095

                                                    SHA1

                                                    317065a19addb6d11000fc313bbc0b0546d3128a

                                                    SHA256

                                                    367b550e9a541cb7cfa260b08967e37f298629416e3f722ce18da98a56415a71

                                                    SHA512

                                                    f4778a7b2839cffdf499cbb40debb2c98f2de35c5743d5aebd3d8868525ffbd53c1a1db6b34a2b1900cb41558a81f90d6b8eb0282320345302f6e4caaa43cd76

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\u0nXayst6AkG.bat
                                                    Filesize

                                                    193B

                                                    MD5

                                                    f35ba883cd4236f202ae23e4c6009fce

                                                    SHA1

                                                    a836e49d0dfcadb7d9876cf403708bcecbf6896f

                                                    SHA256

                                                    2937a15ee582dab150879ffd8783f43f1f6f551a6e23e4902c6e6f2d32e3e192

                                                    SHA512

                                                    88794119290f4348858cb82839a4f6d8b6136b9e42c73e415cc2bd61ecdd072ef887b16ded60c7cd980cc45a1e7f6c8bb7d114687d5505f9f837effc9893681b

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\wxTuOTe1euq4.bat
                                                    Filesize

                                                    193B

                                                    MD5

                                                    990a1a315b104a08f62ce5bcfc693340

                                                    SHA1

                                                    7cdc7d30e37b0b8c9ec768560c66dc8683f6bcc2

                                                    SHA256

                                                    86b96e7c845f5f7a870b642b47fb9e9d4f2da9f393c013e026d5c228962c0bc2

                                                    SHA512

                                                    68f13ced3422e7fb46856cff6eaa6fb947a77dc1e6585b1f950c16ff82419ed2a28d9edf7a3487a77750a370676380dce19169bd7af5b8be21c8adf6326636d7

                                                    Download Submit

                                                  • memory/2052-0-0x00007FFB66543000-0x00007FFB66545000-memory.dmp

                                                    Filesize

                                                    8KB

                                                    Download

                                                  • memory/2052-10-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                    Download

                                                  • memory/2052-2-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                    Download

                                                  • memory/2052-1-0x0000000000A80000-0x0000000000DA4000-memory.dmp

                                                    Filesize

                                                    3.1MB

                                                    Download

                                                  • memory/2924-19-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                    Download

                                                  • memory/2924-13-0x000000001CA70000-0x000000001CB22000-memory.dmp

                                                    Filesize

                                                    712KB

                                                    Download

                                                  • memory/2924-12-0x000000001C960000-0x000000001C9B0000-memory.dmp

                                                    Filesize

                                                    320KB

                                                    Download

                                                  • memory/2924-11-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                    Download

                                                  • memory/2924-9-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                    Download