Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-12-2024 06:30

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    f67e6aafbd9c86771f11c05ae83ae83e

  • SHA1

    c9fe04c78139d000182d89f4dd013e647db64cc0

  • SHA256

    534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362

  • SHA512

    f5d5b09a92a3bc7ff862cf87c5a4285e2ada1ec4cb9d5b1467e358ad3678a2dfe6acd2f1819b7f9646f1ef5e038c9ffb295ef8a6590a75cdf911913a5edaf27a

  • SSDEEP

    49152:avht62XlaSFNWPjljiFa2RoUYI+Y6a95fQrk/1LoGdpTHHB72eh2NT:avL62XlaSFNWPjljiFXRoUYI8aB

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

interestingsigma.hopto.org:20

Mutex

11bbf22e-826e-486b-b024-adbd86228a9e

Attributes
  • encryption_key

    7A589EDBC6A581E125BF830EF0D05FC74BB75E30

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    ctfmon

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1672
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3632
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4572
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcesOh4O044F.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3728
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2640
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3352
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2340
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:948
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hpp53vecSNSM.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4812
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4768
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:1072
                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:3676
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:3688
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K7Qd0baR3w28.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3692
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:2012
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:636
                      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:4928
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:2156
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u9hGiPl9RsDp.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1076
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:5052
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:3732
                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of WriteProcessMemory
                              PID:3252
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:4208
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1Y9tjmm7iZrH.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3544
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:4292
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:2508
                                  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    • Suspicious use of WriteProcessMemory
                                    PID:1344
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:836
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuH2FmPZvGo1.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:1668
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:904
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:1512
                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of FindShellTrayWindow
                                          • Suspicious use of SendNotifyMessage
                                          PID:1472
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:772
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgZYP0A66zOq.bat" "
                                            15⤵
                                              PID:2712
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:1644
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:2160
                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SendNotifyMessage
                                                  PID:3820
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3220
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ClEBBFSSQGC5.bat" "
                                                    17⤵
                                                      PID:636
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:3504
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:4248
                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of FindShellTrayWindow
                                                          • Suspicious use of SendNotifyMessage
                                                          PID:1808
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3052
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bE3bYIXRJdHG.bat" "
                                                            19⤵
                                                              PID:4752
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:388
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:2532
                                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • Suspicious use of FindShellTrayWindow
                                                                  • Suspicious use of SendNotifyMessage
                                                                  PID:3784
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2512
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hy6cry1KCeeX.bat" "
                                                                    21⤵
                                                                      PID:3184
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:3544
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:3856
                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • Suspicious use of FindShellTrayWindow
                                                                          • Suspicious use of SendNotifyMessage
                                                                          PID:4212
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:4908
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ctuc81WnujCk.bat" "
                                                                            23⤵
                                                                              PID:4172
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:1512
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  • Runs ping.exe
                                                                                  PID:4772
                                                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  • Suspicious use of SendNotifyMessage
                                                                                  PID:1740
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:4792
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1WCULAwvFALB.bat" "
                                                                                    25⤵
                                                                                      PID:2328
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:972
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:2612
                                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                          • Suspicious use of SendNotifyMessage
                                                                                          PID:2712
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                            27⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:4496
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ERKDwEeX0aFB.bat" "
                                                                                            27⤵
                                                                                              PID:4572
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                28⤵
                                                                                                  PID:2408
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  28⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:1736
                                                                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                  PID:3860
                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                    29⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:4600
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYwbbf8DeRJ7.bat" "
                                                                                                    29⤵
                                                                                                      PID:4880
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        30⤵
                                                                                                          PID:2424
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          30⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:2240
                                                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                          30⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                          PID:1076
                                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                            "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                            31⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:1780
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQf8R0RpgdaB.bat" "
                                                                                                            31⤵
                                                                                                              PID:2660
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                32⤵
                                                                                                                  PID:2112
                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                  ping -n 10 localhost
                                                                                                                  32⤵
                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:3100

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

                                                    Filesize

                                                    2KB

                                                    MD5

                                                    8f0271a63446aef01cf2bfc7b7c7976b

                                                    SHA1

                                                    b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

                                                    SHA256

                                                    da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

                                                    SHA512

                                                    78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

                                                  • C:\Users\Admin\AppData\Local\Temp\1WCULAwvFALB.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    9f29ee89f1ec4425ee2480380a0d5896

                                                    SHA1

                                                    73fb6bfd456a38c5c43c653c9a69ac86d1041fdf

                                                    SHA256

                                                    b0388a5692a5720fb348cadeff3d62889650fea46315fe335f34ff1c7d46fa24

                                                    SHA512

                                                    6b2d768e29ed8276377636ae7cac21cb96846b9c59e48a5c916014cd1f765d72964ff53cd71a8c510537a0db9bc292a127657acb1a636b137b0f207c00cd1199

                                                  • C:\Users\Admin\AppData\Local\Temp\1Y9tjmm7iZrH.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    b7b7dc9c9ee6eef2b2abe0d6cf72d491

                                                    SHA1

                                                    5db7fe28b1657ebe701c5ae1ce9fbbf40311aba9

                                                    SHA256

                                                    1a66bb428ff9d71444d5ba0fc2d6adfcb78e37f4ef53247f4470a7d2c86a5df5

                                                    SHA512

                                                    25ea43d008675c8afd40a1f019756473d5956aba03b68f6ac25bec93b8569d67961654ecb056f92006ea44e1963852e3f60a5bb6ae6d5da98bb19cfc1f6caab6

                                                  • C:\Users\Admin\AppData\Local\Temp\ClEBBFSSQGC5.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    74298e95f5ab7fe7f88a81c1f336f5ab

                                                    SHA1

                                                    887e7e637281007151f545dc17848c9d0e5adbc0

                                                    SHA256

                                                    7f9d50ef46afc76ace367ebc1c9c6c63bda35a93ed53edad32d5e352672b7e4b

                                                    SHA512

                                                    561ce80aec7c5af7202cbf6b95ba602007f223c840b0ed6451be1abf2d149db0cf1379397be97c1193fdea198e988af6a4c56e08dd4c2ac8a4576c25cd8f477c

                                                  • C:\Users\Admin\AppData\Local\Temp\Ctuc81WnujCk.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    3e61cc3d55a74a4b022461fd743cfff9

                                                    SHA1

                                                    ba6210a8f52c3c71e5f1afd0eb94de075db489b0

                                                    SHA256

                                                    978c71cead3fb46eeddb43d0b2ce69b75a5ce24297727771aafe5d152c7c85c6

                                                    SHA512

                                                    14142b69c9480c7019922afd69df8bd4cbee6ee02c433305ff77c729bd12a0e8e758e3a2083a3713b27c035b49999eb35898fa728361383bb1cd334dce912b4b

                                                  • C:\Users\Admin\AppData\Local\Temp\ERKDwEeX0aFB.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    aa773ba62cc06a76fed7e3028d790405

                                                    SHA1

                                                    69658904a64056d8ac270c96e185b2953d13663a

                                                    SHA256

                                                    d87758170ca5e7aa4bcddd6f256a0b9b3607ae740832d33750c47ba945c36a5c

                                                    SHA512

                                                    62c93a403a7951f73a361252d819da289dca99587179df9472decf89bfb2a6bab3102d9422e2646fa16ab8563b7c7da975a2cc19ca6f7e2882b63fa134cde477

                                                  • C:\Users\Admin\AppData\Local\Temp\Hpp53vecSNSM.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    8d9a439e92803ee32a7d68f64a729f12

                                                    SHA1

                                                    ef0b44147f430ed1ec882b289658f7df3b165fb6

                                                    SHA256

                                                    0b26afb6796f749f6a36b3e02e76f97dbc805ad6248b266082ab6dc35fc48015

                                                    SHA512

                                                    f9f33a4c2a6d017c27e9d596403c86430a7c134de5ac3c9f6ae71f8f26016460f7f98fed1a805ce78ac151b7f45b584635ab601fd293d289f56ee36c17efb770

                                                  • C:\Users\Admin\AppData\Local\Temp\Hy6cry1KCeeX.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    5abbfd469295b72aef685e483924d55e

                                                    SHA1

                                                    35e7aeba8bd0dc843652f7a463ea24c08da115f7

                                                    SHA256

                                                    9bd6d88c00846d5907bc7669e42ea8e9ace4c44213fe77055c08ebcada8ecafd

                                                    SHA512

                                                    288a5ad2e8d3da5fda7b00857e024cc33aadad0925b6070167b9188cbedd7e8d9d8bc0ecb0b2bb5d072c2ae4e9db988ac841f533a8530f15e6f8b97e45fc1576

                                                  • C:\Users\Admin\AppData\Local\Temp\K7Qd0baR3w28.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    196537f1e37899f4c04da80c669e7e18

                                                    SHA1

                                                    44e5c001a8552b468087942bf229a9d3d85cef27

                                                    SHA256

                                                    22d5f5c48209bd01fa5e3371b5078d3ae2840c756a5b72ecd04392783df9cf23

                                                    SHA512

                                                    96c7994141cbfdc903666c28cb190eae9423825aec73ae8589d53c8bd5e3965b654fa02de7db7a60f9eb664413270605d065b9ac11dfa82bda4f5126425808e7

                                                  • C:\Users\Admin\AppData\Local\Temp\VgZYP0A66zOq.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    d63a040e9d0a8b43f0642a2b94195c0a

                                                    SHA1

                                                    f6fda5886975103ae4b311d637fc5213c00db156

                                                    SHA256

                                                    3baf6a7fb9b16e6c0127d2780b8de338cab85bdb81a4ab2eae00acfac8efd6ed

                                                    SHA512

                                                    55e80a5185befe494afc79b803a6d62f1ae10e2da45d244b8655984c4eff7b52c182e62b5fc4a52652dd0f5c696d629cc5cef60ee84f4292308e092582009830

                                                  • C:\Users\Admin\AppData\Local\Temp\VuH2FmPZvGo1.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    4e926a37c8ad43325a67deeaf2706fa9

                                                    SHA1

                                                    eae3aeeca18c9aeb4877603c1b3053e61ff91209

                                                    SHA256

                                                    115184872da2502f8f92effafbb1f378bb102896476dd53e25a0f42fcdf35f25

                                                    SHA512

                                                    1c5f11cbbe1341299660b4267f3aea8862d24320b8d57aee3a5de4488fb3b16bb304ae48dfaef478264995c6d8b1cc8d783aad1b3ce264fcd6affb97e2a98fa0

                                                  • C:\Users\Admin\AppData\Local\Temp\bE3bYIXRJdHG.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    74e41af0cac08ce7339e75b8c5fe7037

                                                    SHA1

                                                    f8667e58959207b4bfbf9c05dc1dceb613318efa

                                                    SHA256

                                                    16d1714082b50f1745defcafe421953e3dcba39cef0d4522d29cc2e1c6cbdb2a

                                                    SHA512

                                                    88974eff634285f33ff1c05a9c8a6c6c65c001f920ea25e754ab22a6070c55a6e69efe38719b04158fed5d41bd922915ba93105faa44a3448a00219ff251d8ee

                                                  • C:\Users\Admin\AppData\Local\Temp\bcesOh4O044F.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    b65fb110df6a9429159ea5ed92203b05

                                                    SHA1

                                                    518d17513eaffb9e0729df237cc2f845a4c46ff0

                                                    SHA256

                                                    fc9463dc38092b8e5f63068dda01553f3dca825535b6aa716831aabee041755a

                                                    SHA512

                                                    19e57d40d0074a1597635ac7db2d7e6f4d28ff58eaa2adacc2d9366be32ab12c4e5e1f740a5f8d83675b23933fc7e23ec2ca87ac5a0f2fa1cfd75a0f0ac3af01

                                                  • C:\Users\Admin\AppData\Local\Temp\kYwbbf8DeRJ7.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    cbfc8e955d05b29ef61ea936065b81bb

                                                    SHA1

                                                    064806c9b7e7549dbcc1bfc99019beb56b320484

                                                    SHA256

                                                    0192ab259e4d4da62f96be869193512d821a0ea0828955d97ef0c31c9188771f

                                                    SHA512

                                                    6c1a2fc05b18332dc02b180043251670e5debfa5b2d3c44f36393db8099a0c3d22ae5e1abe4a25e38b5e4f8d70f572e361ce99c737917b819e485d2904dc6c67

                                                  • C:\Users\Admin\AppData\Local\Temp\u9hGiPl9RsDp.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    168408698331b06d74604206a72dbd79

                                                    SHA1

                                                    0211976117c0a93f46f08f7034282fe49f6b2c21

                                                    SHA256

                                                    03e62dca3254b7f33c28457054ca4b407ebc9b30fc4e15115bb50657259b7478

                                                    SHA512

                                                    05fafa72500401c1556abe8f6aeea9728c82dfb76dacf6155744398eb3a103a3a771ef483e2f5287433922f29456b346cfc236d88c4a88cbfe0ea65140735a63

                                                  • C:\Users\Admin\AppData\Local\Temp\yQf8R0RpgdaB.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    d27e38e087c04fa5373405e2214899f4

                                                    SHA1

                                                    f9d56bf5741f388195e4d1e09db01a8e97707321

                                                    SHA256

                                                    1d0e3ff71853750ef3275aa0c296bd4f8e0f5b2772c887096e13174a75c5ad89

                                                    SHA512

                                                    a9957a8d771ff974d9a33d29663c706ca1876409190c0a3bb1660417e0d50fc625b332eaeb6010294f53d50216a49ae735824971345349f46e314ed6c2cb00e9

                                                  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

                                                    Filesize

                                                    3.1MB

                                                    MD5

                                                    f67e6aafbd9c86771f11c05ae83ae83e

                                                    SHA1

                                                    c9fe04c78139d000182d89f4dd013e647db64cc0

                                                    SHA256

                                                    534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362

                                                    SHA512

                                                    f5d5b09a92a3bc7ff862cf87c5a4285e2ada1ec4cb9d5b1467e358ad3678a2dfe6acd2f1819b7f9646f1ef5e038c9ffb295ef8a6590a75cdf911913a5edaf27a

                                                  • memory/3632-11-0x00007FFB42950000-0x00007FFB43411000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/3632-9-0x00007FFB42950000-0x00007FFB43411000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/3632-12-0x000000001C140000-0x000000001C190000-memory.dmp

                                                    Filesize

                                                    320KB

                                                  • memory/3632-18-0x00007FFB42950000-0x00007FFB43411000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/3632-13-0x000000001C250000-0x000000001C302000-memory.dmp

                                                    Filesize

                                                    712KB

                                                  • memory/4296-10-0x00007FFB42950000-0x00007FFB43411000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4296-0-0x00007FFB42953000-0x00007FFB42955000-memory.dmp

                                                    Filesize

                                                    8KB

                                                  • memory/4296-2-0x00007FFB42950000-0x00007FFB43411000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4296-1-0x0000000000FC0000-0x00000000012E4000-memory.dmp

                                                    Filesize

                                                    3.1MB