Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-12-2024 02:17

General

  • Target

    2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe

  • Size

    3.1MB

  • MD5

    4522bc113a6f5b984e9ffac278f9f064

  • SHA1

    392ec955d7b5c5da965f7af9f929b89c33409b03

  • SHA256

    2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58

  • SHA512

    c0980d621a154adb63bdb8a4e7adc863a40d1af8d98d18bd0671fc07721639d66b10d471d4dddc0e78cc127d4c0429f3084618f227919e4a552d6de4ee7793ff

  • SSDEEP

    98304:6WV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvg:FTQzo

Malware Config

Extracted

  • Family
    quasar
  • Version
    1.4.1
  • Botnet
    ZJEB
  • C2
    VIPEEK1990-25013.portmap.host:25013
  • Mutex
    ebef1e3c-805b-4b1a-aa24-bf4dcab44476

Attributes
  • encryption_key

    3EBA8BC34FA983893A9B07B831E7CEB183F7492D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Security Service

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 16 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 16 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1524
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\uiBd0Gn66lhR.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2760
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1656
        • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
          "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\system32\schtasks.exe
            "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2704
          • C:\Windows\system32\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\GF3VRkVReCvf.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2708
            • C:\Windows\system32\chcp.com
              chcp 65001
              5⤵
                PID:2632
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                5⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2576
              • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                5⤵
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3060
                • C:\Windows\system32\schtasks.exe
                  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                  6⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:580
                • C:\Windows\system32\cmd.exe
                  cmd /c ""C:\Users\Admin\AppData\Local\Temp\uLlMm0FSvYMz.bat" "
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1244
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    7⤵
                      PID:1552
                    • C:\Windows\system32\PING.EXE
                      ping -n 10 localhost
                      7⤵
                      • System Network Configuration Discovery: Internet Connection Discovery
                      • Runs ping.exe
                      PID:376
                    • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                      "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                      7⤵
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1944
                      • C:\Windows\system32\schtasks.exe
                        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                        8⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:2160
                      • C:\Windows\system32\cmd.exe
                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wQcti4YtZ2qd.bat" "
                        8⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3048
                        • C:\Windows\system32\chcp.com
                          chcp 65001
                          9⤵
                            PID:2884
                          • C:\Windows\system32\PING.EXE
                            ping -n 10 localhost
                            9⤵
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:2436
                          • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                            "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                            9⤵
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:2396
                            • C:\Windows\system32\schtasks.exe
                              "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                              10⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:1864
                            • C:\Windows\system32\cmd.exe
                              cmd /c ""C:\Users\Admin\AppData\Local\Temp\lHo96DIHh2hU.bat" "
                              10⤵
                                PID:632
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  11⤵
                                    PID:2288
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    11⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:1804
                                  • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                                    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                                    11⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:940
                                    • C:\Windows\system32\schtasks.exe
                                      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                      12⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2432
                                    • C:\Windows\system32\cmd.exe
                                      cmd /c ""C:\Users\Admin\AppData\Local\Temp\92Zx5I5a5ekL.bat" "
                                      12⤵
                                        PID:996
                                        • C:\Windows\system32\chcp.com
                                          chcp 65001
                                          13⤵
                                            PID:1832
                                          • C:\Windows\system32\PING.EXE
                                            ping -n 10 localhost
                                            13⤵
                                            • System Network Configuration Discovery: Internet Connection Discovery
                                            • Runs ping.exe
                                            PID:1548
                                          • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                                            "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                                            13⤵
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:484
                                            • C:\Windows\system32\schtasks.exe
                                              "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                              14⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2248
                                            • C:\Windows\system32\cmd.exe
                                              cmd /c ""C:\Users\Admin\AppData\Local\Temp\ANi3XxNo0NTs.bat" "
                                              14⤵
                                                PID:1512
                                                • C:\Windows\system32\chcp.com
                                                  chcp 65001
                                                  15⤵
                                                    PID:780
                                                  • C:\Windows\system32\PING.EXE
                                                    ping -n 10 localhost
                                                    15⤵
                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                    • Runs ping.exe
                                                    PID:792
                                                  • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                                                    15⤵
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2504
                                                    • C:\Windows\system32\schtasks.exe
                                                      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                      16⤵
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2996
                                                    • C:\Windows\system32\cmd.exe
                                                      cmd /c ""C:\Users\Admin\AppData\Local\Temp\GS3fJs2sh2yN.bat" "
                                                      16⤵
                                                        PID:2864
                                                        • C:\Windows\system32\chcp.com
                                                          chcp 65001
                                                          17⤵
                                                            PID:2152
                                                          • C:\Windows\system32\PING.EXE
                                                            ping -n 10 localhost
                                                            17⤵
                                                            • System Network Configuration Discovery: Internet Connection Discovery
                                                            • Runs ping.exe
                                                            PID:2700
                                                          • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                                                            17⤵
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:1752
                                                            • C:\Windows\system32\schtasks.exe
                                                              "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                              18⤵
                                                              • Scheduled Task/Job: Scheduled Task
                                                              PID:2584
                                                            • C:\Windows\system32\cmd.exe
                                                              cmd /c ""C:\Users\Admin\AppData\Local\Temp\EXx0XClvmNhJ.bat" "
                                                              18⤵
                                                                PID:2604
                                                                • C:\Windows\system32\chcp.com
                                                                  chcp 65001
                                                                  19⤵
                                                                    PID:2620
                                                                  • C:\Windows\system32\PING.EXE
                                                                    ping -n 10 localhost
                                                                    19⤵
                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                    • Runs ping.exe
                                                                    PID:2344
                                                                  • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                                                                    19⤵
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2576
                                                                    • C:\Windows\system32\schtasks.exe
                                                                      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                      20⤵
                                                                      • Scheduled Task/Job: Scheduled Task
                                                                      PID:3028
                                                                    • C:\Windows\system32\cmd.exe
                                                                      cmd /c ""C:\Users\Admin\AppData\Local\Temp\48wtayyFiQZy.bat" "
                                                                      20⤵
                                                                        PID:3024
                                                                        • C:\Windows\system32\chcp.com
                                                                          chcp 65001
                                                                          21⤵
                                                                            PID:868
                                                                          • C:\Windows\system32\PING.EXE
                                                                            ping -n 10 localhost
                                                                            21⤵
                                                                            • System Network Configuration Discovery: Internet Connection Discovery
                                                                            • Runs ping.exe
                                                                            PID:1208
                                                                          • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                                                                            21⤵
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1948
                                                                            • C:\Windows\system32\schtasks.exe
                                                                              "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                              22⤵
                                                                              • Scheduled Task/Job: Scheduled Task
                                                                              PID:1648
                                                                            • C:\Windows\system32\cmd.exe
                                                                              cmd /c ""C:\Users\Admin\AppData\Local\Temp\ttAw9eBFecnK.bat" "
                                                                              22⤵
                                                                                PID:1388
                                                                                • C:\Windows\system32\chcp.com
                                                                                  chcp 65001
                                                                                  23⤵
                                                                                    PID:3020
                                                                                  • C:\Windows\system32\PING.EXE
                                                                                    ping -n 10 localhost
                                                                                    23⤵
                                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                                    • Runs ping.exe
                                                                                    PID:1944
                                                                                  • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                                                                                    23⤵
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2268
                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                      24⤵
                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                      PID:2672
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      cmd /c ""C:\Users\Admin\AppData\Local\Temp\o36AhZiYGKHS.bat" "
                                                                                      24⤵
                                                                                        PID:2972
                                                                                        • C:\Windows\system32\chcp.com
                                                                                          chcp 65001
                                                                                          25⤵
                                                                                            PID:1696
                                                                                          • C:\Windows\system32\PING.EXE
                                                                                            ping -n 10 localhost
                                                                                            25⤵
                                                                                            • System Network Configuration Discovery: Internet Connection Discovery
                                                                                            • Runs ping.exe
                                                                                            PID:1088
                                                                                          • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                                                                                            25⤵
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2560
                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                              "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                              26⤵
                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                              PID:1708
                                                                                            • C:\Windows\system32\cmd.exe
                                                                                              cmd /c ""C:\Users\Admin\AppData\Local\Temp\SaG0fAA14Arj.bat" "
                                                                                              26⤵
                                                                                                PID:1268
                                                                                                • C:\Windows\system32\chcp.com
                                                                                                  chcp 65001
                                                                                                  27⤵
                                                                                                    PID:760
                                                                                                  • C:\Windows\system32\PING.EXE
                                                                                                    ping -n 10 localhost
                                                                                                    27⤵
                                                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                    • Runs ping.exe
                                                                                                    PID:1320
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                                                                                                    27⤵
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:2272
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                      28⤵
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:884
                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                      cmd /c ""C:\Users\Admin\AppData\Local\Temp\v4bvnQ1WtZje.bat" "
                                                                                                      28⤵
PID:2308
• C:\Windows\system32\chcp.com
  chcp 65001
  29⤵
    PID:2376
  • C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    29⤵
    • System Network Configuration Discovery: Internet Connection Discovery
    • Runs ping.exe
    PID:2488
  • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    29⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:932
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      30⤵
      • Scheduled Task/Job: Scheduled Task
      PID:552
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\HLWAxVjtYzCy.bat" "
      30⤵
        PID:2148
        • C:\Windows\system32\chcp.com
          chcp 65001
          31⤵
            PID:1524
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            31⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2932
          • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
            "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
            31⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2128
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              32⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2144
            • C:\Windows\system32\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\l0jZ1ShHJPM9.bat" "
              32⤵
                PID:2304
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  33⤵
                    PID:2820
                  • C:\Windows\system32\PING.EXE
                    ping -n 10 localhost
                    33⤵
                    • System Network Configuration Discovery: Internet Connection Discovery
                    • Runs ping.exe
                    PID:2944

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Temp\48wtayyFiQZy.bat
  Filesize: 261B
  MD5: 44b20909ed096c3b029dc7cc320d722a
  SHA1: 2769ea4f915be52b0c11c7b1ed2ac293880d29ba
  SHA256: 7e5779def370abde5ec5b7697c09952323c2e9b0eaf9419a137c2dc389e0f673
  SHA512: d143b217312667c6212743e23c92ce58e5f31aa4252f4d32c2398f807b59f964f8f2eddfc5fc76080289e4bb9eb85a2f9cb64e07633c06b27806f606e59b7c6c

• C:\Users\Admin\AppData\Local\Temp\92Zx5I5a5ekL.bat
  Filesize: 261B
  MD5: 4b2708b084d00a5d1d278c76a6895ae2
  SHA1: 88ef73c1c796578d73402302047dc5648aa2b29d
  SHA256: d3e304831a56f58247316b4a64fbf70b50ce5f54fae461a4fdc6eb0495e1a992
  SHA512: f855430536cb2993869c1964dc1c75352d27cb0aa1ed9a8be6ffc4f64384ce6cdbf32085c896d786321461375be19633ad1898169fd7ff9cffcbbabe3a76f21c

• C:\Users\Admin\AppData\Local\Temp\ANi3XxNo0NTs.bat
  Filesize: 261B
  MD5: 96b8a154295216aff126f794463349e5
  SHA1: ece45d7c462d25f1fecbb5dfa0ac4d653530e8d9
  SHA256: 66782f88d32062d0d8e941c8465646b12aff9db13f215545a2b0baacf1f48931
  SHA512: 3242a817a5f60801b6cf9fae517ee4449ca5b1121e059059e05de2efc0b848d0cfbb676a165bcfc8e905eb18b65ce2fcb5b68290697a5e0abfc890b5c0d0c3dc

• C:\Users\Admin\AppData\Local\Temp\EXx0XClvmNhJ.bat
  Filesize: 261B
  MD5: cab21fe11b63ac36b72d2706b5cfc46e
  SHA1: 043024851abe41d496b49ae6d6f1d774883ab05e
  SHA256: c681ef095531c50ee9a992904e8c642a367e5c8df6ed1b6c91823b6b4377b958
  SHA512: 73265b6e57286720b89c4d291e7e76f17949bc0b46d74f74fa020f9220acba69538ad8e207a9e45d6395d754be876c1041a1fa2de0b7bb1c25636c4deaa24c84

• C:\Users\Admin\AppData\Local\Temp\GF3VRkVReCvf.bat
  Filesize: 261B
  MD5: 322b5e6ba0aeb4e7ffcb3be800d7ba81
  SHA1: f885da2cc87e17c7bb0f6c7c905f7e29d8aed1a9
  SHA256: 225cf63c76e917190d87b5fe232e7fbbdaeb669e3e700e3e21715dfb7c9d5c3c
  SHA512: aca62b52f05d49299b850db978f2b6b9b0555461a4b28e8e02864d762c34eb5e9fc0a396b33f267410b2a9c83ef17bd632a1a9fd74f9ec75ea0a3fbcee7c5ecc

• C:\Users\Admin\AppData\Local\Temp\GS3fJs2sh2yN.bat
  Filesize: 261B
  MD5: 4622f36b1561c73fbbbe56e3eb78ce1c
  SHA1: 92675c0ea5fffed71ecd9451ba5c296524bcc310
  SHA256: 94e5ff5cc6a9540901ed37570bc974029c5ad9ad5d3eaed06f534cf140d4b06f
  SHA512: 3119fa47cf4409f735d19be1c8480aa50a8cb2ff747cb8501114ced112aadd74aa3173e2a0665289c470d1fcd71714c0b4055c311bbff14073451e4fcceb6b8e

• C:\Users\Admin\AppData\Local\Temp\HLWAxVjtYzCy.bat
  Filesize: 261B
  MD5: d7b1bc3ff8c157e4d93fde37d7729d3d
  SHA1: 0f6185505927d7a0571f7901d3fc3d90de34b759
  SHA256: 0f43cf834d5a0cf734906723292c6b7fcea34db7edbd31e2162b98c228b3258d
  SHA512: 2cc6bd4d4c7ea24c0c4797b8e0322b298735cacfee115a2bf0a0471eec07b21a7dff63f581c5735ebe70e489e6c7b1f729a8cc9c41b6af0c4a1204ca5568703c

• C:\Users\Admin\AppData\Local\Temp\SaG0fAA14Arj.bat
  Filesize: 261B
  MD5: 098bcaea1a9c4b49789b6a37445c137d
  SHA1: c0b3eff1c887e72a8edd67c9009bfcec1e8e0088
  SHA256: 7d0d8a39857ecfcd510c35fe08ee736d50136270bae5eaac918560ca26191dd6
  SHA512: 409bad2ecfd9321a68594628c6545c20afffb1a8377239c8e77cb1def5aa42e53f56cf4006b8bb216e7c33fb5f880da901b3f5eb2cb2b542f89a84af8ac7d63b

• C:\Users\Admin\AppData\Local\Temp\l0jZ1ShHJPM9.bat
  Filesize: 261B
  MD5: 46a87abc8c228a08879354ff08d55f11
  SHA1: 445ba955e17d6c9ac67b2cc020687fd24f238cb4
  SHA256: 288942bbfa1c1fa2db461c657e243c12d3cbf8454b685c37250546eb542dd8a5
  SHA512: 395e91097c1ed1a4f4ab7bc49a95e49f6ffb851aaf538948796db7a577d2ef306df9cfb7318762efd242f9ec0bd56a08f003f73800103c74a386e50fd664c24c

• C:\Users\Admin\AppData\Local\Temp\lHo96DIHh2hU.bat
  Filesize: 261B
  MD5: 3c438eb387961d6f763b3989f810124c
  SHA1: 5151f25d1158e524e550e96b301c2ff53d79d879
  SHA256: b456838333e953eac64510c10f4fdb9cdeba79e8ba62900380fadc8f266f7960
  SHA512: 2a03439b171a88a16314ac22cbf8e1af58797bb68dd4fbea9d0fa7b87bd84df67047fdb67e788a2b31747e585e2b5d3dd2cb461b8ef09cd7a96df221172236ef

• C:\Users\Admin\AppData\Local\Temp\o36AhZiYGKHS.bat
  Filesize: 261B
  MD5: eba90f952b7ebaab40afe935417d23df
  SHA1: f014c38637aeb6b25284e0f01ee2f78087fc5a7d
  SHA256: 496645c70a17021c84678a14a1af66eca884fd5d9ab45d9262d704bd79534dd2
  SHA512: 63a6e7771fbc63cccb9a7d885058e90de53a7ddd9ae22a2b8d0739d325da4fa5cb143012556f540e86c73e1256c8fcb72bbd640c5a40a08b5a09eeb399c928a6

• C:\Users\Admin\AppData\Local\Temp\ttAw9eBFecnK.bat
  Filesize: 261B
  MD5: 40700a53f2596a1b555ac8422ba1e45b
  SHA1: 7db8469baf6f0e4dfbe47797709c6359a6e01b5e
  SHA256: 4bacb6b43f9104ef750feb843b6873165c57820196e98f766efda1548c1c8835
  SHA512: 6249cc4797205cbac9443002ee6c4fe59511faed2572e8c1057b56a201e7a93301bb2543edc984df07563f604dde7aee29d2d1ea9c874f4153f2ee3b065fb234

• C:\Users\Admin\AppData\Local\Temp\uLlMm0FSvYMz.bat
  Filesize: 261B
  MD5: 0603c338f42d0e6e91b8edf00a9ef1da
  SHA1: 6d01cf94dcd04352b08b7041a904babe0719bcf3
  SHA256: 6cce43ee2b7511f01b8f9929b9a81200d8eb5863609e99657130c1fcbdfc9304
  SHA512: c8f10cb7942c1819274bf7cef1ce7e8d0ddca939658a846700f6c2cccfa7d47ff6d87d56d839ee52dffa8f10cc4cd862897ad9b15df806fb08bd902cff945b5f

• C:\Users\Admin\AppData\Local\Temp\uiBd0Gn66lhR.bat
  Filesize: 261B
  MD5: 0393c831967ce3f81bb68cbaca8d8482
  SHA1: b9a1c42663aafb1750811a40397e98a1cbd22725
  SHA256: 7379ad835a7cc0770d9929bbbea37aa905e3111f16bda31e699f45c88b1103e1
  SHA512: e71034a915d5785703617c46c5e9c6885b5c3897e94de1a6a50a65322c751e0ac6594550abab8bc2d2f8c05b62fba490aab70cb97eca68110c5db55f42381c61

• C:\Users\Admin\AppData\Local\Temp\v4bvnQ1WtZje.bat
  Filesize: 261B
  MD5: 93140ad0e85731f81a29e7a45daf6eb6
  SHA1: dfc2df0c04637dda2b226882cccd65ddf77460b2
  SHA256: 3f7171ce14de68847bcf53613a268043cc9fb951dfeb40aca4cee76a186a6ef8
  SHA512: d7ba7d65f1b72505991e2730abee6ea6ed30d7a37d2bb10f8730c1b55e4598c82a1bfe1af0c0ef346930ccfa93d70947a1aa53e30f4bdb24be7bfd8987fce34e

• C:\Users\Admin\AppData\Local\Temp\wQcti4YtZ2qd.bat
  Filesize: 261B
  MD5: e89db0135f68c1c3b0c6ff5dd6b1d370
  SHA1: 0ee8bb6ba763ad2eb5bf72afb37d488f84dec46d
  SHA256: 2aeaac218f027953f13002d1ea8b9f10124b0645f93ee3c2702be11fe1b31361
  SHA512: 7b5531bdb1faf3a3adb0f3537d83c0fda14210bc73b72dbcc659a24de23e0fb3ff5be92a1b27069a3e2c025cf5553557109c2d99c76cedae0dc73683859c00ff

• memory/940-54-0x0000000000E90000-0x00000000011B4000-memory.dmp
  Filesize: 3.1MB

• memory/1752-82-0x0000000000F70000-0x0000000001294000-memory.dmp
  Filesize: 3.1MB

• memory/1944-33-0x0000000000290000-0x00000000005B4000-memory.dmp
  Filesize: 3.1MB

• memory/2128-151-0x0000000000180000-0x00000000004A4000-memory.dmp
  Filesize: 3.1MB

• memory/2268-111-0x00000000000C0000-0x00000000003E4000-memory.dmp
  Filesize: 3.1MB

• memory/2272-132-0x0000000001270000-0x0000000001594000-memory.dmp
  Filesize: 3.1MB

• memory/2356-12-0x000007FEF5980000-0x000007FEF636C000-memory.dmp
  Filesize: 9.9MB

• memory/2356-2-0x000007FEF5980000-0x000007FEF636C000-memory.dmp
  Filesize: 9.9MB

• memory/2356-0-0x000007FEF5983000-0x000007FEF5984000-memory.dmp
  Filesize: 4KB

• memory/2356-1-0x0000000000B00000-0x0000000000E24000-memory.dmp
  Filesize: 3.1MB

• memory/2396-44-0x0000000000D70000-0x0000000001094000-memory.dmp
  Filesize: 3.1MB

• memory/2560-121-0x0000000000E20000-0x0000000001144000-memory.dmp
  Filesize: 3.1MB

• memory/2716-13-0x0000000000390000-0x00000000006B4000-memory.dmp
  Filesize: 3.1MB

• memory/3060-23-0x0000000000ED0000-0x00000000011F4000-memory.dmp
  Filesize: 3.1MB