Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-12-2024 06:27

General

  • Target

    runtimebroker.exe

  • Size

    3.1MB

  • MD5

    a29d070abe87b2be24892421e0c763bb

  • SHA1

    383104c7c6956a98ae5f63c743250f737700f509

  • SHA256

    00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636

  • SHA512

    6d2a161e8193ed3e05443bd76652b958990f01d2cc2452185f58a5bff3031d268e2fe71c009fa4938ac1cbc914ba2163133079f8218f1c67b0758f594a67f969

  • SSDEEP

    49152:Pvht62XlaSFNWPjljiFa2RoUYIygJCKI/nwoGdYTHHB72eh2NT:PvL62XlaSFNWPjljiFXRoUYIygJCi

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

interestingsigma.hopto.org:20

Mutex

11bbf22e-826e-486b-b024-adbd86228a9e

Attributes
  • encryption_key

    7A589EDBC6A581E125BF830EF0D05FC74BB75E30

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    ctfmon

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
    "C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2136
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:336
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3748
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koRPlbqIzybn.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1216
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:4084
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1036
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:780
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:3252
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSG7bMClcsjw.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1272
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2876
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:1004
                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:644
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2308
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CLRjYO4Atty0.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2644
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:2016
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:1464
                      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:1044
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:1484
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W9DgtkbAix3I.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3892
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:4868
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:1552
                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of WriteProcessMemory
                              PID:752
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:4448
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6yFJ8JVtcDVq.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:4640
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:1300
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:2576
                                  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    • Suspicious use of WriteProcessMemory
                                    PID:4560
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1296
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E70BSEhP5IAA.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:1584
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:3384
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:4620
                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of FindShellTrayWindow
                                          • Suspicious use of SendNotifyMessage
                                          PID:1396
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1036
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGXqXnmXyhoF.bat" "
                                            15⤵
                                              PID:3216
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:2896
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:3132
                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SendNotifyMessage
                                                  PID:3164
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4524
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kk2llVyDnSGu.bat" "
                                                    17⤵
                                                      PID:1524
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:1152
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:3264
                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of FindShellTrayWindow
                                                          • Suspicious use of SendNotifyMessage
                                                          PID:3744
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1964
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmCRfDMzQeuF.bat" "
                                                            19⤵
                                                              PID:4788
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:2544
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:4796
                                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • Suspicious use of FindShellTrayWindow
                                                                  • Suspicious use of SendNotifyMessage
                                                                  PID:3392
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4400
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O3j87eTQff4F.bat" "
                                                                    21⤵
                                                                      PID:1144
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:4592
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:4488
                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • Suspicious use of FindShellTrayWindow
                                                                          • Suspicious use of SendNotifyMessage
                                                                          PID:4276
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:2936
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCsgsOlZP9RB.bat" "
                                                                            23⤵
                                                                              PID:1412
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:4564
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  • Runs ping.exe
                                                                                  PID:2404
                                                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  • Suspicious use of SendNotifyMessage
                                                                                  PID:4512
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:4752
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u3bslgGKTlJa.bat" "
                                                                                    25⤵
                                                                                      PID:2196
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:720
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:1504
                                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                          • Suspicious use of SendNotifyMessage
                                                                                          PID:1860
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                            27⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:2628
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z30NzlJiTKra.bat" "
                                                                                            27⤵
                                                                                              PID:3256
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                28⤵
                                                                                                  PID:5116
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  28⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:2824
                                                                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                  PID:2840
                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                    29⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:2284
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8q6xPoAoTRg3.bat" "
                                                                                                    29⤵
                                                                                                      PID:2960
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        30⤵
                                                                                                          PID:3200
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          30⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:1572
                                                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                          30⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                          PID:2208
                                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                            "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                            31⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:4444
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1jJh4S4QiXgm.bat" "
                                                                                                            31⤵
                                                                                                              PID:4904
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                32⤵
                                                                                                                  PID:2244
                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                  ping -n 10 localhost
                                                                                                                  32⤵
                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:2008

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

                                                    Filesize

                                                    2KB

                                                    MD5

                                                    8f0271a63446aef01cf2bfc7b7c7976b

                                                    SHA1

                                                    b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

                                                    SHA256

                                                    da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

                                                    SHA512

                                                    78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

                                                  • C:\Users\Admin\AppData\Local\Temp\1jJh4S4QiXgm.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    dd613cadd6040cf9ddd2c6751bbeee44

                                                    SHA1

                                                    9fbdaa90f1f2e6b3986951357863e98227fd4fcc

                                                    SHA256

                                                    710a7901fc9dd964a8ff8c7d938d9321a3df16fbb226bb3b4060cb8456d53a3d

                                                    SHA512

                                                    5f18e392ccfc74d8d4a6934d8cf27ebfb4a2ec16260a65a538081f13fc56044e8deb71b5d41a2d4c497daed38875a2f1fd357cc5ba3c95460b84d68734d16427

                                                  • C:\Users\Admin\AppData\Local\Temp\6yFJ8JVtcDVq.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    eca03d845294a5a9793282af4b56bd29

                                                    SHA1

                                                    ece11fb9bbaee62d27b2e731131c199792bc851c

                                                    SHA256

                                                    6fafcab908ac64be891c496d1afed28b0dcdd9d1aa370512e2a3b833801f6296

                                                    SHA512

                                                    bc222a98c71e4b8673c97b007613e002480b8b4873a05fe1608ff401b6f7d7202abe08475e2851b748a14c81e7e9bfb353671a71a15e9edc956c596c4132b3ac

                                                  • C:\Users\Admin\AppData\Local\Temp\8q6xPoAoTRg3.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    184420839645e52709d6cfecf039fce2

                                                    SHA1

                                                    04848b37dccffb018feec8d4812455bf5ee5b919

                                                    SHA256

                                                    98172ddf7f4dcf5d15fc1aa5d42b6d472d5b2d986a1719ba2ac7bf7e78636744

                                                    SHA512

                                                    6d9cd55249c8b5620cca3d49acf0bb9cb19de528752eb627f47b48a115165ddf57ddd8936e9fff76bdda9f9e6db13078c703c7d2b0607dacb7d854892fe77911

                                                  • C:\Users\Admin\AppData\Local\Temp\CLRjYO4Atty0.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    73e740a9d13344757270577982daf61b

                                                    SHA1

                                                    97e8a3604d74e68ff8e2f63b797d9ce67fb90512

                                                    SHA256

                                                    f0b84b825aaf217a701756b34da7a9b9f4c575725d16eb177bb3a9387073433c

                                                    SHA512

                                                    de7a2dd5e33c636de74d346ec511d281d8243d3fe998cd595c8275cdc4c732d94ba11c40daa461b3bafc85f40098d639a0de98b5ccaf867334c91adcd44f3cc6

                                                  • C:\Users\Admin\AppData\Local\Temp\E70BSEhP5IAA.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    dcdda56fce520b79ce8d99b4d4a3fb79

                                                    SHA1

                                                    50c6bc4df0f33a8e99884b8f7d1cc0f60a016f84

                                                    SHA256

                                                    7529d20e29c2cae18e58e7aa00f390937a5b95fc2377aea3e51733f29ad06bec

                                                    SHA512

                                                    6b964ea43cf3e235e9f40703f4736fe32044052d99764977ebb3d3f2e177b1a488656a17055ff835f893c33ab3e64e74813921f43247d6c42533d828ac6bf505

                                                  • C:\Users\Admin\AppData\Local\Temp\O3j87eTQff4F.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    ece5b7217d42fcac0bb37dcce70af819

                                                    SHA1

                                                    bc63ff7c53c804286e2b42fa6ee39876eb1f614a

                                                    SHA256

                                                    fa275f4fdd5301df03e3448a448b0b73029a8c725932c5c5360503ffcda10c83

                                                    SHA512

                                                    82f46e6decc9e48fe501e99e86e0826fdd2bc02a6a05a19eaefcb7b783ad77a0032f3f66ed97a6ea30d93c48c647637b4490cae80cae93a0996a01fb9830b449

                                                  • C:\Users\Admin\AppData\Local\Temp\W9DgtkbAix3I.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    acb96788a6d75c9a1c233b571ff07b86

                                                    SHA1

                                                    a0a94dfe78e290655390d6158ade125dcdf8a493

                                                    SHA256

                                                    c52d6d313c21acbf3b87c4b4566b14c1cfc0eaaf53654bf370c70838d3f20e84

                                                    SHA512

                                                    2195da1caad42cd66f72f205a2ae37d41ff08f33101e3f5acdca6844fbae9f354340b00f593a27285b2a1c54d1f46f813977aec2e8a21a435c1ff15783ae7266

                                                  • C:\Users\Admin\AppData\Local\Temp\Z30NzlJiTKra.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    02ebef2595c6dbd9c15d7ba0d73d1423

                                                    SHA1

                                                    7691ad21a68b33a74a5079b283feedf09fbefd73

                                                    SHA256

                                                    0be4c1bf7d40b454e1f3a69b1d0b0607f2fd08987b72226612eee355b0d8a84a

                                                    SHA512

                                                    d7d177109b7bb6d3c2b614368d90fa05a2f375ed2f963719bde055ec5a686ec933f8b3d3e9f596e071d48563d8c2f1b7c02527a72687d1cd2b4bd4678812c00c

                                                  • C:\Users\Admin\AppData\Local\Temp\eSG7bMClcsjw.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    54da737590feeb304b1954fabce3cf43

                                                    SHA1

                                                    3b5f9b79b3a3af1571d045ebb670b036e08d7268

                                                    SHA256

                                                    71b7bd1c0623e7d997aff28edd5f3de41f27137f831bca26d0b6159433ae0a43

                                                    SHA512

                                                    4c0a1ffb0279f9243ab1b816ecaece7660f1679428a4e8cf6d73ac0ae95af9f382a8337da3c4a27f821d098d35c522d2d26c136ad8cddb2099973f51db9d15b3

                                                  • C:\Users\Admin\AppData\Local\Temp\kk2llVyDnSGu.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    8929f09479e815b12a12e032e0de5797

                                                    SHA1

                                                    799b188a5cfac8acb615e3d9e9d4f93beda3e422

                                                    SHA256

                                                    724af45dd8408e7c031933827feab9f5984240d3c36b4918c3c4ec3a387384de

                                                    SHA512

                                                    e43f4a6d9f225a035d55e7877e0e69c1ec504a2712070c3e3b206af9a7b9b6097251fcf0a572ff2ad9c1ca89888fce6db210c3fded113c5d8b849eb1e5bfff6e

                                                  • C:\Users\Admin\AppData\Local\Temp\koRPlbqIzybn.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    a290fcf473caa55c219405b39ab84252

                                                    SHA1

                                                    ff9473f917822e160aa20ad3ecd02065a5c98633

                                                    SHA256

                                                    7393b8b3183e709a5fb364d4677aa2e3e6ffaabf986d362efa1b7d25b0492dff

                                                    SHA512

                                                    4d6af279a4d671f2e4c40d6b75b7a32229aeb6ab490125cc4aaf7d3dd46e937e84f01758423f0a816d8451bbd3ed3307cc5be6ba55dd8c1095e825311f590ce1

                                                  • C:\Users\Admin\AppData\Local\Temp\sGXqXnmXyhoF.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    618e12d03dd50d7b36f0a513da051b75

                                                    SHA1

                                                    d618c01e224ce3a6c9197dc7bc8c3785086764b2

                                                    SHA256

                                                    16a7adc2113178d5ed8bbf1b25432e9a6fdebe360316f9e7ad33b7d70661fbb7

                                                    SHA512

                                                    db8b25b79e5fda4b5bb42b89a547fc5617b77919f4fb8a08e78366ae11ab71589a50d3eb8e5730b3005a49ce0acaeeb1b97b8636c8f07f11a8943b7dc4507ba9

                                                  • C:\Users\Admin\AppData\Local\Temp\u3bslgGKTlJa.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    6ec0dd41011c17085c60ec996e379b3f

                                                    SHA1

                                                    b3950ffd39c4158b8b066a4616d1b719d72c4227

                                                    SHA256

                                                    1aab3b881f7c1f2d503f44bb05ec4a7955fd987d2d7501eaa1e685ec0fd924ad

                                                    SHA512

                                                    56b0a399366d7a8302333295da96776bbd33918441f23f8c17995676c96bd752776224c53402a6b5579fa8883969fc2fef22ed9b9565a5a572fcb43a48088c42

                                                  • C:\Users\Admin\AppData\Local\Temp\wCsgsOlZP9RB.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    a7c1f599174d3f395fbea964a6d79fb0

                                                    SHA1

                                                    c71cccf22179a6c199dead10f597b901584ec382

                                                    SHA256

                                                    abf5328b3b55050bbe087f1a05fc14b4aee043d925350af2c0eda937d8ba06da

                                                    SHA512

                                                    6ca9b66a8b0a4562fdc9664568b38c49c7d598f749f53ee1bb4a1e91410d1abe8a8b10bb06c24c8c7eb40543f46173d92d6ad9c08233356407de0f36ca1bed3e

                                                  • C:\Users\Admin\AppData\Local\Temp\wmCRfDMzQeuF.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    83df98a5389ab499d1e43e9d172118b6

                                                    SHA1

                                                    c037eb6ad4683848632ce2835850ecdf1acb3010

                                                    SHA256

                                                    993ae23998047bcd028a5a53455ff884cbf01d643dfe6c95f7a659159478ced0

                                                    SHA512

                                                    545b173b3f718dfab14e368f2f083e2228b3994506c2fbe8cf7ae4976a5d546984ddc09372c0a198c7948d83e538ade1adfd54be72557387ce8821ebaad3f722

                                                  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

                                                    Filesize

                                                    3.1MB

                                                    MD5

                                                    a29d070abe87b2be24892421e0c763bb

                                                    SHA1

                                                    383104c7c6956a98ae5f63c743250f737700f509

                                                    SHA256

                                                    00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636

                                                    SHA512

                                                    6d2a161e8193ed3e05443bd76652b958990f01d2cc2452185f58a5bff3031d268e2fe71c009fa4938ac1cbc914ba2163133079f8218f1c67b0758f594a67f969

                                                  • memory/336-9-0x00007FFEC6140000-0x00007FFEC6C01000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/336-11-0x000000001E4D0000-0x000000001E582000-memory.dmp

                                                    Filesize

                                                    712KB

                                                  • memory/336-8-0x00007FFEC6140000-0x00007FFEC6C01000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/336-10-0x000000001E3C0000-0x000000001E410000-memory.dmp

                                                    Filesize

                                                    320KB

                                                  • memory/336-16-0x00007FFEC6140000-0x00007FFEC6C01000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4768-0-0x00007FFEC6143000-0x00007FFEC6145000-memory.dmp

                                                    Filesize

                                                    8KB

                                                  • memory/4768-1-0x0000000000590000-0x00000000008B4000-memory.dmp

                                                    Filesize

                                                    3.1MB