Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-12-2024 06:39

General

  • Target

    defender64.exe

  • Size

    3.1MB

  • MD5

    a3ffca2a5a9a4917a64bcabccb4f9fad

  • SHA1

    9cfc0318809849ab6f2edfc18f6975da812a9f51

  • SHA256

    21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb

  • SHA512

    d491dcf7bf4d7d20632b31e82eee824ffb1eedca18f0f25b46aae1750f40240589e4600566e327bd866374ec36321db2d79f05fe6fc49ed3d30901e31bfc384e

  • SSDEEP

    49152:nv3I22SsaNYfdPBldt698dBcjHKPRJ6CbR3LoGd2THHB72eh2NT:nv422SsaNYfdPBldt6+dBcjHKPRJ68

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

dilly

C2

lvke-45989.portmap.host:45989

Mutex

0cb49dc2-fd0d-4581-ae1e-04154c41f310

Attributes
  • encryption_key

    E5250226804167CB0B1B4B0E9667D0C056694DCA

  • install_name

    defenderx64.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Defender Helper

  • subdirectory

    en

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\defender64.exe
    "C:\Users\Admin\AppData\Local\Temp\defender64.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2188
    • C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
      "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1940
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SjjKPzoF9867.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2200
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:4016
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:212
          • C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
            "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1248
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2636
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xxhEsNlHC79r.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1924
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:1956
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:4312
                • C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
                  "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:3540
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:3120
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8k9l4IapXwwR.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4820
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:1400
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:2536
                      • C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
                        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:1564
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:1848
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BLpnWzdmkBy5.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2500
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:5024
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:4656
                            • C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
                              "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of WriteProcessMemory
                              PID:4040
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:4860
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pms4eUuM6OjH.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:4480
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:2112
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:1960
                                  • C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
                                    "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    • Suspicious use of WriteProcessMemory
                                    PID:2656
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2632
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sm32bTYgIMcl.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:4452
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:4768
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:3548
                                        • C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
                                          "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of FindShellTrayWindow
                                          • Suspicious use of SendNotifyMessage
                                          PID:5068
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4112
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FpSEaAVvOZx4.bat" "
                                            15⤵
                                              PID:3712
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:4716
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:5052
                                                • C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
                                                  "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SendNotifyMessage
                                                  PID:4988
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4328
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GbWDFEvzlj3Z.bat" "
                                                    17⤵
                                                      PID:3036
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:1928
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:312
                                                        • C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
                                                          "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of FindShellTrayWindow
                                                          • Suspicious use of SendNotifyMessage
                                                          PID:740
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3492
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q4YtABFbyCrD.bat" "
                                                            19⤵
                                                              PID:1408
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:4056
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:2320
                                                                • C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
                                                                  "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • Suspicious use of FindShellTrayWindow
                                                                  • Suspicious use of SendNotifyMessage
                                                                  PID:4012
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2112
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0es5kJcVeRmY.bat" "
                                                                    21⤵
                                                                      PID:4480
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:1956
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:2632
                                                                        • C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
                                                                          "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • Suspicious use of FindShellTrayWindow
                                                                          • Suspicious use of SendNotifyMessage
                                                                          PID:3952
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:3024
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aXb6iXZ0N0Q4.bat" "
                                                                            23⤵
                                                                              PID:1976
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:3548
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  • Runs ping.exe
                                                                                  PID:2968
                                                                                • C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  • Suspicious use of SendNotifyMessage
                                                                                  PID:4008
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:3748
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCkIGXMsIeDb.bat" "
                                                                                    25⤵
                                                                                      PID:3632
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:3184
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:5084
                                                                                        • C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                          • Suspicious use of SendNotifyMessage
                                                                                          PID:364
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
                                                                                            27⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:4564
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jLMWHj4blQYf.bat" "
                                                                                            27⤵
                                                                                              PID:1640
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                28⤵
                                                                                                  PID:1372
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  28⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:4384
                                                                                                • C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                  PID:3492
                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                    "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
                                                                                                    29⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:3684
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZT08yPywwdmC.bat" "
                                                                                                    29⤵
                                                                                                      PID:3204
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        30⤵
                                                                                                          PID:2600
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          30⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:3672
                                                                                                        • C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
                                                                                                          30⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                          PID:2736
                                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                            "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
                                                                                                            31⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:828
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ceBFzZJWyQSS.bat" "
                                                                                                            31⤵
                                                                                                              PID:4840
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                32⤵
                                                                                                                  PID:1920
                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                  ping -n 10 localhost
                                                                                                                  32⤵
                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:3752

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads

                                                   • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\defenderx64.exe.log

                                                     Filesize

                                                     2KB

                                                   • C:\Users\Admin\AppData\Local\Temp\0es5kJcVeRmY.bat

                                                     Filesize

                                                     208B

                                                   • C:\Users\Admin\AppData\Local\Temp\8k9l4IapXwwR.bat

                                                     Filesize

                                                     208B

                                                   • C:\Users\Admin\AppData\Local\Temp\BLpnWzdmkBy5.bat

                                                     Filesize

                                                     208B

                                                   • C:\Users\Admin\AppData\Local\Temp\FpSEaAVvOZx4.bat

                                                     Filesize

                                                     208B

                                                   • C:\Users\Admin\AppData\Local\Temp\GbWDFEvzlj3Z.bat

                                                     Filesize

                                                     208B

                                                   • C:\Users\Admin\AppData\Local\Temp\Pms4eUuM6OjH.bat

                                                     Filesize

                                                     208B

                                                   • C:\Users\Admin\AppData\Local\Temp\Q4YtABFbyCrD.bat

                                                     Filesize

                                                     208B

                                                   • C:\Users\Admin\AppData\Local\Temp\SjjKPzoF9867.bat

                                                     Filesize

                                                     208B

                                                   • C:\Users\Admin\AppData\Local\Temp\ZT08yPywwdmC.bat

                                                     Filesize

                                                     208B

                                                   • C:\Users\Admin\AppData\Local\Temp\aXb6iXZ0N0Q4.bat

                                                     Filesize

                                                     208B

                                                   • C:\Users\Admin\AppData\Local\Temp\ceBFzZJWyQSS.bat

                                                     Filesize

                                                     208B

                                                   • C:\Users\Admin\AppData\Local\Temp\gCkIGXMsIeDb.bat

                                                     Filesize

                                                     208B

                                                   • C:\Users\Admin\AppData\Local\Temp\jLMWHj4blQYf.bat

                                                     Filesize

                                                     208B

                                                   • C:\Users\Admin\AppData\Local\Temp\sm32bTYgIMcl.bat

                                                     Filesize

                                                     208B

                                                   • C:\Users\Admin\AppData\Local\Temp\xxhEsNlHC79r.bat

                                                     Filesize

                                                     208B

                                                   • C:\Users\Admin\AppData\Roaming\en\defenderx64.exe

                                                     Filesize

                                                     3.1MB

                                                  • memory/2332-17-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/2332-12-0x000000001C400000-0x000000001C4B2000-memory.dmp

                                                    Filesize

                                                    712KB

                                                  • memory/2332-11-0x000000001C2F0000-0x000000001C340000-memory.dmp

                                                    Filesize

                                                    320KB

                                                  • memory/2332-10-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/2332-9-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4916-0-0x00007FFE161D3000-0x00007FFE161D5000-memory.dmp

                                                    Filesize

                                                    8KB

                                                  • memory/4916-8-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4916-2-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4916-1-0x00000000000E0000-0x0000000000404000-memory.dmp

                                                    Filesize

                                                    3.1MB