Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-12-2024 11:47

General

  • Target

    7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe

  • Size

    3.1MB

  • MD5

    239c5f964b458a0a935a4b42d74bcbda

  • SHA1

    7a037d3bd8817adf6e58734b08e807a84083f0ce

  • SHA256

    7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c

  • SHA512

    2e9e95d5097ce751d2a641a8fc7f8bc824a525a07bc06cd8a60580405fad90543ffa3259e6b2b2e97a70a3c3ed03e73b29f7cb9ebd10e7c62eaef2078805be19

  • SSDEEP

    98304:mWV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvhk:JTQzG

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

C2

VIPEEK1990-25013.portmap.host:25013

Mutex

ad21b115-2c1b-40cb-adba-a50736b76c21

Attributes
  • encryption_key

    3EBA8BC34FA983893A9B07B831E7CEB183F7492D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Security Service

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
    "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3208
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2xEfYJhOaGbD.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:1856
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1472
        • C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
          "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
          3⤵
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4324
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1716
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4ojcl0btPiyM.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3300
            • C:\Windows\system32\chcp.com
              chcp 65001
              5⤵
                PID:1688
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                5⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2156
              • C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
                "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
                5⤵
                • Checks computer location settings
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4264
                • C:\Windows\SYSTEM32\schtasks.exe
                  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                  6⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:1088
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgaGJ2Bt4lnD.bat" "
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3924
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    7⤵
                      PID:4828
                    • C:\Windows\system32\PING.EXE
                      ping -n 10 localhost
                      7⤵
                      • System Network Configuration Discovery: Internet Connection Discovery
                      • Runs ping.exe
                      PID:3852
                    • C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
                      "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
                      7⤵
                      • Checks computer location settings
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3688
                      • C:\Windows\SYSTEM32\schtasks.exe
                        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                        8⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:2104
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\43jBt57uhH3C.bat" "
                        8⤵
                        • Suspicious use of WriteProcessMemory
                        PID:5084
                        • C:\Windows\system32\chcp.com
                          chcp 65001
                          9⤵
                            PID:2052
                          • C:\Windows\system32\PING.EXE
                            ping -n 10 localhost
                            9⤵
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:3976
                          • C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
                            "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
                            9⤵
                            • Checks computer location settings
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:3144
                            • C:\Windows\SYSTEM32\schtasks.exe
                              "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                              10⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:3064
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bxftFGOpNBIB.bat" "
                              10⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3012
                              • C:\Windows\system32\chcp.com
                                chcp 65001
                                11⤵
                                  PID:4496
                                • C:\Windows\system32\PING.EXE
                                  ping -n 10 localhost
                                  11⤵
                                  • System Network Configuration Discovery: Internet Connection Discovery
                                  • Runs ping.exe
                                  PID:116
                                • C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
                                  "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
                                  11⤵
                                  • Checks computer location settings
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:412
                                  • C:\Windows\SYSTEM32\schtasks.exe
                                    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                    12⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:336
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LLnvw9lKCdKQ.bat" "
                                    12⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:1788
                                    • C:\Windows\system32\chcp.com
                                      chcp 65001
                                      13⤵
                                        PID:4764
                                      • C:\Windows\system32\PING.EXE
                                        ping -n 10 localhost
                                        13⤵
                                        • System Network Configuration Discovery: Internet Connection Discovery
                                        • Runs ping.exe
                                        PID:2236
                                      • C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
                                        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
                                        13⤵
                                        • Checks computer location settings
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:2040
                                        • C:\Windows\SYSTEM32\schtasks.exe
                                          "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                          14⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3000
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7NrKssaaiuDs.bat" "
                                          14⤵
                                            PID:3652
                                            • C:\Windows\system32\chcp.com
                                              chcp 65001
                                              15⤵
                                                PID:4948
                                              • C:\Windows\system32\PING.EXE
                                                ping -n 10 localhost
                                                15⤵
                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                • Runs ping.exe
                                                PID:4848
                                              • C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
                                                "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
                                                15⤵
                                                • Checks computer location settings
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:3068
                                                • C:\Windows\SYSTEM32\schtasks.exe
                                                  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                  16⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1268
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0dt3DIAp0YpB.bat" "
                                                  16⤵
                                                    PID:1880
                                                    • C:\Windows\system32\chcp.com
                                                      chcp 65001
                                                      17⤵
                                                        PID:3736
                                                      • C:\Windows\system32\PING.EXE
                                                        ping -n 10 localhost
                                                        17⤵
                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                        • Runs ping.exe
                                                        PID:4524
                                                      • C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
                                                        17⤵
                                                        • Checks computer location settings
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3868
                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                          "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                          18⤵
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1364
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOlrV1LFOz4s.bat" "
                                                          18⤵
                                                            PID:468
                                                            • C:\Windows\system32\chcp.com
                                                              chcp 65001
                                                              19⤵
                                                                PID:4808
                                                              • C:\Windows\system32\PING.EXE
                                                                ping -n 10 localhost
                                                                19⤵
                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                • Runs ping.exe
                                                                PID:4220
                                                              • C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
                                                                19⤵
                                                                • Checks computer location settings
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1608
                                                                • C:\Windows\SYSTEM32\schtasks.exe
                                                                  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                  20⤵
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1216
                                                                • C:\Windows\system32\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ggji4RJHBkwF.bat" "
                                                                  20⤵
                                                                    PID:2164
                                                                    • C:\Windows\system32\chcp.com
                                                                      chcp 65001
                                                                      21⤵
                                                                        PID:2212
                                                                      • C:\Windows\system32\PING.EXE
                                                                        ping -n 10 localhost
                                                                        21⤵
                                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                                        • Runs ping.exe
                                                                        PID:3616
                                                                      • C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
                                                                        21⤵
                                                                        • Checks computer location settings
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:4860
                                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                                          "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                          22⤵
                                                                          • Scheduled Task/Job: Scheduled Task
                                                                          PID:1848
                                                                        • C:\Windows\system32\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCydzg65nSae.bat" "
                                                                          22⤵
                                                                            PID:3036
                                                                            • C:\Windows\system32\chcp.com
                                                                              chcp 65001
                                                                              23⤵
                                                                                PID:2464
                                                                              • C:\Windows\system32\PING.EXE
                                                                                ping -n 10 localhost
                                                                                23⤵
                                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                                • Runs ping.exe
                                                                                PID:4496
                                                                              • C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
                                                                                23⤵
                                                                                • Checks computer location settings
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:4548
                                                                                • C:\Windows\SYSTEM32\schtasks.exe
                                                                                  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                  24⤵
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:1492
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HTCIVxJKPMCL.bat" "
                                                                                  24⤵
                                                                                    PID:868
                                                                                    • C:\Windows\system32\chcp.com
                                                                                      chcp 65001
                                                                                      25⤵
                                                                                        PID:3776
                                                                                      • C:\Windows\system32\PING.EXE
                                                                                        ping -n 10 localhost
                                                                                        25⤵
                                                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                                                        • Runs ping.exe
                                                                                        PID:1540
                                                                                      • C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
                                                                                        25⤵
                                                                                        • Checks computer location settings
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:1788
                                                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                                                          "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                          26⤵
                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                          PID:4728
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\THpsCv7yClnA.bat" "
                                                                                          26⤵
                                                                                            PID:3644
                                                                                            • C:\Windows\system32\chcp.com
                                                                                              chcp 65001
                                                                                              27⤵
                                                                                                PID:3684
                                                                                              • C:\Windows\system32\PING.EXE
                                                                                                ping -n 10 localhost
                                                                                                27⤵
                                                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                • Runs ping.exe
                                                                                                PID:992
                                                                                              • C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
                                                                                                27⤵
                                                                                                • Checks computer location settings
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2688
                                                                                                • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                  28⤵
                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                  PID:2440
                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIPxKgaET1h6.bat" "
                                                                                                  28⤵
                                                                                                    PID:2380
                                                                                                    • C:\Windows\system32\chcp.com
                                                                                                      chcp 65001
                                                                                                      29⤵
                                                                                                        PID:3300
                                                                                                      • C:\Windows\system32\PING.EXE
                                                                                                        ping -n 10 localhost
                                                                                                        29⤵
                                                                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                        • Runs ping.exe
                                                                                                        PID:1836
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
                                                                                                        29⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:4652
                                                                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                          "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                          30⤵
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:1552
                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUPCB6yYMhu6.bat" "
                                                                                                          30⤵
                                                                                                            PID:1132
                                                                                                            • C:\Windows\system32\chcp.com
                                                                                                              chcp 65001
                                                                                                              31⤵
                                                                                                                PID:2556
                                                                                                              • C:\Windows\system32\PING.EXE
                                                                                                                ping -n 10 localhost
                                                                                                                31⤵
                                                                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                • Runs ping.exe
                                                                                                                PID:3632

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe.log
                                                    Filesize: 2KB
                                                    MD5:      8f0271a63446aef01cf2bfc7b7c7976b
                                                    SHA1:     b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
                                                    SHA256:   da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
                                                    SHA512:   78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

                                                  • C:\Users\Admin\AppData\Local\Temp\0dt3DIAp0YpB.bat
                                                    Filesize: 261B
                                                    MD5:      650e61d995a9934fbc60f2da0d1cf3dd
                                                    SHA1:     77af5fed6367ab785b2f7504f6af053568467c5f
                                                    SHA256:   78d7611c0dc2227f32abb6b41bd9e32cbc720591de55a2d01487e7fab114c211
                                                    SHA512:   7f24f49b5ebab44d89750f3180b1535584ff8a5b65880e53109d7bb2f25d08172111104d28547976aa4aa075af2e230d2a036816adf51fe570c4c64fc4fd8c3d

                                                  • C:\Users\Admin\AppData\Local\Temp\2xEfYJhOaGbD.bat
                                                    Filesize: 261B
                                                    MD5:      edd123165681e0e7ccafaf3f8fd12b11
                                                    SHA1:     187d4d706436bba7addb768b0a2704ea6258bc21
                                                    SHA256:   fd9d55baccda1d1d52e057aee1ba6981acc929b8a962469204fc336b347c5b7f
                                                    SHA512:   7179437c33f741fb5d42c6ff4e6cd10cb102aad4957eb7adc8d8973c0a924927e243e97fc854da177470197ca2a1c66aaee030b43564e44533f0fd296805e7f7

                                                  • C:\Users\Admin\AppData\Local\Temp\43jBt57uhH3C.bat
                                                    Filesize: 261B
                                                    MD5:      fceae675b16c0143f2e7740505c2fde4
                                                    SHA1:     4e5d3b38bd0459396ab574f019a24478d1a33c33
                                                    SHA256:   664fe4f45c9a84c3a1990e18375be343da70c1afd58ba204d4a1aa474b4b6a7f
                                                    SHA512:   52c208f1c76d1a061815a7f2521cd2c1a5ef88616783a5851d52e65be3fb934666634227c22ab3863471b8cc2c71b15291ff8e1795d6cc39ae88d4411bf171e6

                                                  • C:\Users\Admin\AppData\Local\Temp\4ojcl0btPiyM.bat
                                                    Filesize: 261B
                                                    MD5:      cf1c39706a479a8ae53d9b5b95edd0d8
                                                    SHA1:     bd40d2af4c422dd8b2b5d949305c5b400d4d53de
                                                    SHA256:   5323eb8e7c74e5dd18b7a313bbad47ed37acca4e4a41f6d41410c5d5e7c25e97
                                                    SHA512:   5cc43ab3da69b00fb1fc070a4fb1a50c5900e446680a9ff10dd61bdce04ad0b140a59ccf643c1c601249bb13f9f94862c4918d8509f837106d55d8160de6fb2a

                                                  • C:\Users\Admin\AppData\Local\Temp\7NrKssaaiuDs.bat
                                                    Filesize: 261B
                                                    MD5:      ac36f84ac1d31f0f34b7f768e05b50eb
                                                    SHA1:     22e40c6b84256f7bd2ae0534c75e4c86d27e61d5
                                                    SHA256:   250f348658d98d9dbd2e45781ebe3be103217ae1b14319604cdff747ad478010
                                                    SHA512:   e7426f7bfa0a02dbf003cca0af81b7f6df9bad42bf95dd9cc84be671bc5df5cb85575ca1a31165e1837d6292c447e23e72ea9a646975f712a482dbe76d88c291

                                                  • C:\Users\Admin\AppData\Local\Temp\AgaGJ2Bt4lnD.bat
                                                    Filesize: 261B
                                                    MD5:      edcbc6c57ddf0718296233a49c8eab35
                                                    SHA1:     1555299740c3913833487f1c558f41df892414a8
                                                    SHA256:   57c005ed6c800ab63be3fdd017c11ac50e373f248d86f2d597b94757c610dd35
                                                    SHA512:   d772ffa79c217c5a59dc253abecef533a8f6b4f2a843419449064ff647fa321060761aca2e14882b667baa7020a9543157f67bea42fcd7304839b2ee88279e88

                                                  • C:\Users\Admin\AppData\Local\Temp\EUPCB6yYMhu6.bat
                                                    Filesize: 261B
                                                    MD5:      cc24da64beb440976b5ca7d995c6d385
                                                    SHA1:     f1527a6066843fd1c5f4b2949e87a1162ec09bd2
                                                    SHA256:   13e5a61e5fd27739805ec350d13d6162f81ec7a0da77360c2b06e018498fd99a
                                                    SHA512:   7fde57a5d5207a96edf1386b26f964d1440af0b084204569c8e8844e215dc69438b25d5f54060bd3061866053c2982b313e06da775865b4b0b9341066c49e36f

                                                  • C:\Users\Admin\AppData\Local\Temp\Ggji4RJHBkwF.bat
                                                    Filesize: 261B
                                                    MD5:      acfcb04d82a6b61e527f00b0f21adfc1
                                                    SHA1:     73523b26a2de21bb0196e1d9ebafbe208501a1ef
                                                    SHA256:   5cc015989964097e2562c4323481715ac9b4c3d9a5ebf2f9a641d6845141fbed
                                                    SHA512:   3776597af7aee52e0b06e54a0c94c0f39f00b43e82004f612668ca8b9b9923d5b834863d7f4addf0a2cd489bcd1a7bad7d45050b9c795f24d1a1a1809e829f48

                                                  • C:\Users\Admin\AppData\Local\Temp\HTCIVxJKPMCL.bat
                                                    Filesize: 261B
                                                    MD5:      74d6b47d6789e4b8ed924cdcb173220d
                                                    SHA1:     cc29a97cbd999cb3eca01c79e68399fbf98668c2
                                                    SHA256:   dc3a4b53b0569d45b553f21bc0967afe70ddb743a156b071d75dc7ac80410f2b
                                                    SHA512:   bd472f69037582a3f1619cca60bccac8c4e19e50ba1c04cf9f9587b0044e6e21f005fd2453ddc880d515c67b47571efdc1e337aabadcebe8cec468daf47aed9c

                                                  • C:\Users\Admin\AppData\Local\Temp\LLnvw9lKCdKQ.bat
                                                    Filesize: 261B
                                                    MD5:      ef372140151b250060b23f9535e74523
                                                    SHA1:     a2c9c693f12e7c9a102c034dc2117dd878209194
                                                    SHA256:   7d29251a89d5272d5dea0aa955e37fba6648518c7b75eaf6e58a64738340616d
                                                    SHA512:   9c99989fc56f955f00d1f50fb5b250b8f21e5580fdf7fb8eedaa9e0cc9fcd5508edcaf5aee165a9b4ae89ca001d755b7d2c36c9d4c996c04095b5f471f68b1f7

                                                  • C:\Users\Admin\AppData\Local\Temp\THpsCv7yClnA.bat
                                                    Filesize: 261B
                                                    MD5:      a4ea480490fa34e6d38ad957e64e01b6
                                                    SHA1:     bc49d356b74d1f368e96269315aa812cc518b0cd
                                                    SHA256:   d752ab750882430ab87d53b6b91def45ac0c9ff02edd882d11ed29d65eab03f9
                                                    SHA512:   f9a7034b88dfc1a1882cdc1132bcfd1a8d7e902168fe9378445e84b7c3e45200977e4bf3b4e8b26bf447f4f8fa2d817f68450a8a822c45e32957e34bf8888273

                                                  • C:\Users\Admin\AppData\Local\Temp\WOlrV1LFOz4s.bat
                                                    Filesize: 261B
                                                    MD5:      07f0d4b62f2722d74c937b77aac112ad
                                                    SHA1:     d30d962e5f8fb1790fd440b3e85511ef17937ed1
                                                    SHA256:   14ebaa32b3c6ad0b6916ba1042c73d96ee5d5126f41c6f3ab3d0f670acc8e52a
                                                    SHA512:   b8434d0669b98e4502c2b9a88ae740dbcc54bc592d15122cf2fbf333ffb61f93cbfe7515ba39ab20eb42da7b2a7796eda984dbc1fbc32ed6e8c0e32ea512a380

                                                  • C:\Users\Admin\AppData\Local\Temp\bxftFGOpNBIB.bat
                                                    Filesize: 261B
                                                    MD5:      299f25fd0066c53b96832ed95df46de9
                                                    SHA1:     8a9b5eb33251015f698020b4f2c69ebcff12daf4
                                                    SHA256:   8962ebf973cdaf07bf69beca52a9bfd96e6fe3075c9faafe39efcf692b9e789c
                                                    SHA512:   f96223e44e30b5bb443b876f653d274ef1ccea4330742ac0c4214a12d6caaaf2a4eae40226a0d5aa2ac686d5d70f461b1aab47b6c4aefc0c137ab2ebf7151a2c

                                                  • C:\Users\Admin\AppData\Local\Temp\dIPxKgaET1h6.bat
                                                    Filesize: 261B
                                                    MD5:      644fcad62be38ebd44749c5d09b42bc3
                                                    SHA1:     b0b98710aea02ea66a9b5b6aea39a9cceab8c6a6
                                                    SHA256:   6da3584b534bfee52752210b92ea9ef7c66e911f9abfe356222ebfc5463742c1
                                                    SHA512:   9d65ce64396f55eb12449ce251223ad7c9ad6575e0ec3e334029e260a9967d2dd2e3f2bf42a868652fbbb600d30de18902f2604d13af1681a4923bdb7c0b1d37

                                                  • C:\Users\Admin\AppData\Local\Temp\qCydzg65nSae.bat
                                                    Filesize: 261B
                                                    MD5:      671ac0cea5fe2c523277be849252c33d
                                                    SHA1:     8105e1fea73ddd3bfa5920048ee87b377a0137ed
                                                    SHA256:   b6407ceb643ecf6e754d98f7d8a98bd43cd1fb8fb69d2ebcdfc56bba16e5f6c1
                                                    SHA512:   393a377cc9a14c62e67eb5e74c81a98ab9f3b2b1198543f357ab7152ebea1b5dfb06c86cf71c8d83b9b2ab30005679be9fa52a45e8fe6e12fcdc738cf9d4d17c

                                                  • memory/1324-9-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp
                                                    Filesize: 10.8MB

                                                  • memory/1324-0-0x00007FFB28113000-0x00007FFB28115000-memory.dmp
                                                    Filesize: 8KB

                                                  • memory/1324-4-0x000000001BE00000-0x000000001BEB2000-memory.dmp
                                                    Filesize: 712KB

                                                  • memory/1324-3-0x000000001BCF0000-0x000000001BD40000-memory.dmp
                                                    Filesize: 320KB

                                                  • memory/1324-2-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp
                                                    Filesize: 10.8MB

                                                  • memory/1324-1-0x00000000005C0000-0x00000000008E4000-memory.dmp
                                                    Filesize: 3.1MB