Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    18-12-2024 02:17

General

  • Target

    2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe

  • Size

    3.1MB

  • MD5

    4522bc113a6f5b984e9ffac278f9f064

  • SHA1

    392ec955d7b5c5da965f7af9f929b89c33409b03

  • SHA256

    2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58

  • SHA512

    c0980d621a154adb63bdb8a4e7adc863a40d1af8d98d18bd0671fc07721639d66b10d471d4dddc0e78cc127d4c0429f3084618f227919e4a552d6de4ee7793ff

  • SSDEEP

    98304:6WV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvg:FTQzo

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.1

  • Botnet

    ZJEB

  • C2

    VIPEEK1990-25013.portmap.host:25013

  • Mutex

    ebef1e3c-805b-4b1a-aa24-bf4dcab44476

Attributes
  • encryption_key

    3EBA8BC34FA983893A9B07B831E7CEB183F7492D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Security Service

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up the country code configured in the registry, likely as a geofencing check.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4468
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:224
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0niEKtseB4s0.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:3048
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4964
        • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
          "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
          3⤵
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5024
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4504
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Eo0pNbHoF3sE.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3636
            • C:\Windows\system32\chcp.com
              chcp 65001
              5⤵
                PID:2520
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                5⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2040
              • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                5⤵
                • Checks computer location settings
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2736
                • C:\Windows\SYSTEM32\schtasks.exe
                  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                  6⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:3984
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qZsGCXWfkmHP.bat" "
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4320
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    7⤵
                      PID:3964
                    • C:\Windows\system32\PING.EXE
                      ping -n 10 localhost
                      7⤵
                      • System Network Configuration Discovery: Internet Connection Discovery
                      • Runs ping.exe
                      PID:908
                    • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                      "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                      7⤵
                      • Checks computer location settings
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4008
                      • C:\Windows\SYSTEM32\schtasks.exe
                        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                        8⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:1964
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v0jxSmRunVvq.bat" "
                        8⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3988
                        • C:\Windows\system32\chcp.com
                          chcp 65001
                          9⤵
                            PID:1360
                          • C:\Windows\system32\PING.EXE
                            ping -n 10 localhost
                            9⤵
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:2516
                          • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                            "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                            9⤵
                            • Checks computer location settings
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:2028
                            • C:\Windows\SYSTEM32\schtasks.exe
                              "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                              10⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:4280
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jtyo3hbw6FYH.bat" "
                              10⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2780
                              • C:\Windows\system32\chcp.com
                                chcp 65001
                                11⤵
                                  PID:4140
                                • C:\Windows\system32\PING.EXE
                                  ping -n 10 localhost
                                  11⤵
                                  • System Network Configuration Discovery: Internet Connection Discovery
                                  • Runs ping.exe
                                  PID:2416
                                • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                                  "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                                  11⤵
                                  • Checks computer location settings
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:3824
                                  • C:\Windows\SYSTEM32\schtasks.exe
                                    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                    12⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2832
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qdf4EwNSzD0V.bat" "
                                    12⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:4560
                                    • C:\Windows\system32\chcp.com
                                      chcp 65001
                                      13⤵
                                        PID:4292
                                      • C:\Windows\system32\PING.EXE
                                        ping -n 10 localhost
                                        13⤵
                                        • System Network Configuration Discovery: Internet Connection Discovery
                                        • Runs ping.exe
                                        PID:4904
                                      • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                                        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                                        13⤵
                                        • Checks computer location settings
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:4660
                                        • C:\Windows\SYSTEM32\schtasks.exe
                                          "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                          14⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1580
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4s0GEDbdakzu.bat" "
                                          14⤵
                                            PID:4016
                                            • C:\Windows\system32\chcp.com
                                              chcp 65001
                                              15⤵
                                                PID:5012
                                              • C:\Windows\system32\PING.EXE
                                                ping -n 10 localhost
                                                15⤵
                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                • Runs ping.exe
                                                PID:2836
                                              • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                                                "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                                                15⤵
                                                • Checks computer location settings
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2896
                                                • C:\Windows\SYSTEM32\schtasks.exe
                                                  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                  16⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4832
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jlcpmx2uJ5H4.bat" "
                                                  16⤵
                                                    PID:1916
                                                    • C:\Windows\system32\chcp.com
                                                      chcp 65001
                                                      17⤵
                                                        PID:4564
                                                      • C:\Windows\system32\PING.EXE
                                                        ping -n 10 localhost
                                                        17⤵
                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                        • Runs ping.exe
                                                        PID:4432
                                                      • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                                                        17⤵
                                                        • Checks computer location settings
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2188
                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                          "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                          18⤵
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2656
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FVkrhhUDhiLT.bat" "
                                                          18⤵
                                                            PID:1004
                                                            • C:\Windows\system32\chcp.com
                                                              chcp 65001
                                                              19⤵
                                                                PID:908
                                                              • C:\Windows\system32\PING.EXE
                                                                ping -n 10 localhost
                                                                19⤵
                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                • Runs ping.exe
                                                                PID:3112
                                                              • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                                                                19⤵
                                                                • Checks computer location settings
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:4940
                                                                • C:\Windows\SYSTEM32\schtasks.exe
                                                                  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                  20⤵
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:380
                                                                • C:\Windows\system32\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L2f7q6HI3axY.bat" "
                                                                  20⤵
                                                                    PID:1456
                                                                    • C:\Windows\system32\chcp.com
                                                                      chcp 65001
                                                                      21⤵
                                                                        PID:3732
                                                                      • C:\Windows\system32\PING.EXE
                                                                        ping -n 10 localhost
                                                                        21⤵
                                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                                        • Runs ping.exe
                                                                        PID:4724
                                                                      • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                                                                        21⤵
                                                                        • Checks computer location settings
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:4728
                                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                                          "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                          22⤵
                                                                          • Scheduled Task/Job: Scheduled Task
                                                                          PID:4488
                                                                        • C:\Windows\system32\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGmM1VklnZrj.bat" "
                                                                          22⤵
                                                                            PID:2028
                                                                            • C:\Windows\system32\chcp.com
                                                                              chcp 65001
                                                                              23⤵
                                                                                PID:4524
                                                                              • C:\Windows\system32\PING.EXE
                                                                                ping -n 10 localhost
                                                                                23⤵
                                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                                • Runs ping.exe
                                                                                PID:1532
                                                                              • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                                                                                23⤵
                                                                                • Checks computer location settings
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:1404
                                                                                • C:\Windows\SYSTEM32\schtasks.exe
                                                                                  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                  24⤵
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:4324
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mVFY5wwmx5cI.bat" "
                                                                                  24⤵
                                                                                    PID:1064
                                                                                    • C:\Windows\system32\chcp.com
                                                                                      chcp 65001
                                                                                      25⤵
                                                                                        PID:3836
                                                                                      • C:\Windows\system32\PING.EXE
                                                                                        ping -n 10 localhost
                                                                                        25⤵
                                                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                                                        • Runs ping.exe
                                                                                        PID:1968
                                                                                      • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                                                                                        25⤵
                                                                                        • Checks computer location settings
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:1252
                                                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                                                          "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                          26⤵
                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                          PID:4588
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qZnlXNqcGTEu.bat" "
                                                                                          26⤵
                                                                                            PID:5028
                                                                                            • C:\Windows\system32\chcp.com
                                                                                              chcp 65001
                                                                                              27⤵
                                                                                                PID:5012
                                                                                              • C:\Windows\system32\PING.EXE
                                                                                                ping -n 10 localhost
                                                                                                27⤵
                                                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                • Runs ping.exe
                                                                                                PID:1464
                                                                                              • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                                                                                                27⤵
                                                                                                • Checks computer location settings
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                PID:1328
                                                                                                • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                  28⤵
                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                  PID:4968
                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lrzNvp7xhyop.bat" "
                                                                                                  28⤵
                                                                                                    PID:2076
                                                                                                    • C:\Windows\system32\chcp.com
                                                                                                      chcp 65001
                                                                                                      29⤵
                                                                                                        PID:4332
                                                                                                      • C:\Windows\system32\PING.EXE
                                                                                                        ping -n 10 localhost
                                                                                                        29⤵
                                                                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                        • Runs ping.exe
                                                                                                        PID:3396
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
                                                                                                        29⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:2236
                                                                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                          "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                          30⤵
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:868
                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2WoD9pXw45TM.bat" "
                                                                                                          30⤵
                                                                                                            PID:3136
                                                                                                            • C:\Windows\system32\chcp.com
                                                                                                              chcp 65001
                                                                                                              31⤵
                                                                                                                PID:4056
                                                                                                              • C:\Windows\system32\PING.EXE
                                                                                                                ping -n 10 localhost
                                                                                                                31⤵
                                                                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                • Runs ping.exe
                                                                                                                PID:524
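
The tree above records the two behaviours worth a detection rule: a `schtasks /create` that registers `Client.exe` under `AppData\Roaming` to run at every logon with `/rl HIGHEST`, and a temporary `.bat` run by `cmd.exe` whose children are `chcp 65001`, `ping -n 10 localhost` (a sleep substitute) and a relaunch of the sample from `AppData\Local\Temp`. The following is an added example written for this page, not code from the sandbox or from Quasar. It keys on the user-writable target directory rather than on the tool, since `schtasks` and `ping` are legitimate on their own. The event dicts are constructed from the report's command lines and PIDs; the field names `pid`, `ppid`, `image` and `cmdline` are an assumed normalised schema, not any particular sensor's.

```python
"""Detection for the schtasks persistence and the restart-batch chain in the tree above.

Added example for this page; the EVENTS list is constructed from the report's
command lines plus two benign controls, and the pid/ppid/image/cmdline schema
is an assumption.
"""
import re
from collections import defaultdict

# Directories an unprivileged user can write to. A scheduled-task target or a
# relaunched binary living here is the signal; the tools themselves are not.
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp|Public)\\", re.IGNORECASE)
PING_LOOPBACK = re.compile(r"ping\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.IGNORECASE)
BAT_PATH = re.compile(r'([A-Za-z]:\\[^"]+\.bat)', re.IGNORECASE)

# Constructed events mirroring the report (PIDs and paths taken from the tree).
EVENTS = [
    {"pid": 4968, "ppid": 1328, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'},
    {"pid": 2076, "ppid": 1328, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lrzNvp7xhyop.bat" "'},
    {"pid": 4332, "ppid": 2076, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 3396, "ppid": 2076, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 2236, "ppid": 2076,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"'},
    # Constructed benign controls: a normal connectivity check and an admin task under Program Files.
    {"pid": 9001, "ppid": 9000, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 4 10.0.0.1"},
    {"pid": 9002, "ppid": 9000, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Nightly Backup" /sc DAILY /tr "C:\Program Files\Backup\run.exe"'},
]


def _opt(cmdline, flag):
    """Value of a schtasks /flag, quoted or bare; None if the flag is absent."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % flag, cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def suspicious_task(ev):
    """Flag schtasks /create when at least two of: logon/boot trigger, HIGHEST run level, user-writable target."""
    if not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    cmd = ev["cmdline"]
    if not re.search(r"/create\b", cmd, re.IGNORECASE):
        return None
    target = _opt(cmd, "tr") or ""
    trigger = (_opt(cmd, "sc") or "").upper()
    reasons = []
    if trigger in ("ONLOGON", "ONSTART"):
        reasons.append("trigger=" + trigger)
    if (_opt(cmd, "rl") or "").upper() == "HIGHEST":
        reasons.append("runlevel=HIGHEST")
    if USER_WRITABLE.search(target):
        reasons.append("target in user-writable directory")
    if len(reasons) < 2:
        return None
    return {"rule": "schtasks_logon_highest_userdir", "pid": ev["pid"],
            "task_name": _opt(cmd, "tn"), "target": target, "reasons": reasons}


def restart_chain(ev, children):
    """Flag cmd.exe running a .bat from a user-writable dir whose children include a
    loopback-ping delay and an executable launched from a user-writable dir."""
    if not ev["image"].lower().endswith("\\cmd.exe"):
        return None
    bat = BAT_PATH.search(ev["cmdline"])
    if not bat or not USER_WRITABLE.search(bat.group(1)):
        return None
    ping = relaunch = None
    for kid in children.get(ev["pid"], []):
        m = PING_LOOPBACK.match(kid["cmdline"])
        if m:
            ping = m
        if kid["image"].lower().endswith(".exe") and USER_WRITABLE.search(kid["image"]):
            relaunch = kid
    if ping is None or relaunch is None:
        return None
    return {"rule": "restart_batch_relaunch", "pid": ev["pid"], "batch": bat.group(1),
            "ping_count": int(ping.group(1)), "relaunched": relaunch["image"]}


def scan(events):
    """Index events by parent PID and return every finding, in event order."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    findings = []
    for ev in events:
        for finding in (suspicious_task(ev), restart_chain(ev, children)):
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

Run against the constructed events, `scan` returns exactly two findings (the logon task and the restart batch) and stays silent on the two benign controls. The two-of-three threshold in `suspicious_task` is deliberate: `ONLOGON` alone is common for legitimate software, but combined with `/rl HIGHEST` or a target under `AppData` it matches what the report shows.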

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe.log
    Filesize  2KB
    MD5       8f0271a63446aef01cf2bfc7b7c7976b
    SHA1      b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
    SHA256    da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
    SHA512    78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

  • C:\Users\Admin\AppData\Local\Temp\0niEKtseB4s0.bat
    Filesize  261B
    MD5       31b27f1c1ed670f7a2fc33122a88e89b
    SHA1      d158f2156521ee23d8275f5c647b1a7facab220b
    SHA256    b469f81c9ac2f51039349783390de5b8ba43c044f3a8d02f889a9fd0244bd47e
    SHA512    80de61a5ee874a2cde67f3924112c6e170d731549b4c1c028e346fbb550dade786e133696f2ed2d791f42aa96b3fb9eed219d2e0b0943df6714e23164482b8dc

  • C:\Users\Admin\AppData\Local\Temp\2WoD9pXw45TM.bat
    Filesize  261B
    MD5       fffdb517ed82d33328700cf74f905104
    SHA1      603d57151acab7813b2bd90f34127a5103391c8f
    SHA256    5fcf8bd352cb9ad5e86cfa38f9bc96f6e768950b94a8ea82e4b9cc5e4f47e2e4
    SHA512    56a0ca86d0547f926ddcde9f0f370ff2379fb838211ce5d7f89cc3780a919629f83c72e8d3e708faa92a49905615ef2ef6b53437adc8b00974f72ee81a30c503

  • C:\Users\Admin\AppData\Local\Temp\4s0GEDbdakzu.bat
    Filesize  261B
    MD5       92b108c731d8aee27dc92667ea138922
    SHA1      8748f3871fc124f3afac3a1c8d7f5b25099da506
    SHA256    2127ab25304c8e93f8c4002e177e4952c67a1b91718074e9b9cca321b6a57393
    SHA512    6285dd48a4a554ed62243c948790eef667224bd59d54098506d9eefb1248f57a34221d4b1d1433d57b25fe75efde724a781fd22e94c3ffc77774c77ea8969a7e

  • C:\Users\Admin\AppData\Local\Temp\Eo0pNbHoF3sE.bat
    Filesize  261B
    MD5       684bde3293e09d7a2ede9d7049448441
    SHA1      b2f8534d0ebf9507ee7d9e9b83d6185bc7e8623e
    SHA256    5785cf9d37d185762f42b05659e59a49cd3a72ac4539ea540d10f8f4c60e34a9
    SHA512    1dbb0504ce89ed87df773882f4bdccc60d6169e8a60a9e1b17f4152b383abbe587d8f5ecd053bbc14dcf2bd4992dc0e094ecedfd993746ef3484251048f22d92

  • C:\Users\Admin\AppData\Local\Temp\FVkrhhUDhiLT.bat
    Filesize  261B
    MD5       84fc0d79318cb8a6a2934d412a607894
    SHA1      b48d588e5d3d0c1a2ac3a60158b17e847fe6a8ce
    SHA256    d6e1d68e214e455051bd60ffd2d3ebf380c185ab0c648a0230479f2e40ebe97e
    SHA512    a63ae8501272c63874f763cbb40e521cf96ac1fa333ac2bd33123ae4b2a8308b2d0f20da7d4be163ba0bd132b54ed5a3ce8d9efc62a103d916f867e220c28135

  • C:\Users\Admin\AppData\Local\Temp\Jlcpmx2uJ5H4.bat
    Filesize  261B
    MD5       9a6a1b7c95f69c3fa439369b5969e17a
    SHA1      14c0bfb39e653e10a3d62810aabe4f5dd5daa981
    SHA256    ff47c4daa92b542d0f7adfa3adff15edf970952808e2290931c6ef24361e1481
    SHA512    dd76d115777f41deeff1f5001c66d54d593ec015797530c425bc0c358f83302c158c85cfb1cddd4226d04e0e20374c783e75020cc895982f96590296c073d2be

  • C:\Users\Admin\AppData\Local\Temp\Jtyo3hbw6FYH.bat
    Filesize  261B
    MD5       b205e7a48eeb2069da4c8ffed2b4b75f
    SHA1      c30825b63e84253f0331583b1e7b3e30a78f105d
    SHA256    c603000fca4a3ba5be70d2af69f1f74521d10797ea1c6006bd0d96f6f5d76a0c
    SHA512    a7159359c85882427624998eba9846a5192eaa8a1e7b7b4e419af1a8fdc332ef77a8e05ff5b1704caa80ce8227527d99b52d46c6561b38105cea57ddc32db980

  • C:\Users\Admin\AppData\Local\Temp\L2f7q6HI3axY.bat
    Filesize  261B
    MD5       48e50197ec853df9a67ad799d4472e1c
    SHA1      24959f33794a9fc34d5379da3707584a313af8f5
    SHA256    d86dc764f2fb1650c55249b89d45276b9b008bbc7a9e1a08c8e745761ecf475a
    SHA512    b98057cc5d3aff8577ef3647aee39c61edfadf0ef348e8030a35d8e095c8df842327e546c90ae4126feb070528b597ecaf8955dfcac0e3bc34eac3acb28093a2

  • C:\Users\Admin\AppData\Local\Temp\LGmM1VklnZrj.bat
    Filesize  261B
    MD5       f5a69c96cdff7bc9a8f5832b7013803b
    SHA1      926ea409692747ba5bd80dc141cb02210cae5a95
    SHA256    cd546b5e9ddcb8ddab158f3e90a5b76f9b7558345de412ea768fd6dd31972a8a
    SHA512    8fd994e9007d8e06a354494caf999ae9967be9e25a9d5108356421a146eca8772a0cdae2e3df4883cc7856b931a76181cf876cee955e720f896ddc20c323c9e8

  • C:\Users\Admin\AppData\Local\Temp\Qdf4EwNSzD0V.bat
    Filesize  261B
    MD5       3359f0cdd14f16e54667bb3422b78515
    SHA1      fa5327eb2ba033fa0b43c823ee28d60bff28b124
    SHA256    bf49b5268ac615899e4493700adb1c139ae3b09f1554fbfdab6cb47f47a4418d
    SHA512    bd467575edef54d983a9c869f2eb30185dcc94b5e6a9fd8a3fb7428c6d1b5681dbdfad459ac20f28fae4932155fac385636b33c2b7f2cd434e531072dbfc47c7

  • C:\Users\Admin\AppData\Local\Temp\lrzNvp7xhyop.bat
    Filesize  261B
    MD5       14d4cb8f5208b033800c67d61bed0d93
    SHA1      27768cc3883bb89025750d707b0035bc1a89aefc
    SHA256    4b77b95b406efb38beab563e0a136ce956fe3a6ba83e8d988999b8d7f099141a
    SHA512    ab9021a752495c15cba0f1259b449c8dbb632d2dc441372610f5385217dc6d844f984e6f5c1ea55819b2c28ae42e292dff533f5bd20e446274e52f97c0e0428d

  • C:\Users\Admin\AppData\Local\Temp\mVFY5wwmx5cI.bat
    Filesize  261B
    MD5       f6e5a3701fdffbe3a3f0f79eb947a381
    SHA1      5240c6c60de7a4d0cef46b366b529c1d697338a0
    SHA256    80c11728b9c517cb958bd8ba885f9b00cea1ebb4e3c4a77aebd1b49af2313fa6
    SHA512    5a569ba2f88685acec747c2f409af1295b5c89e8e4e65c97def4eacfeed988df038d08c1e513521b9fba0f164d18be55759adbf2ae52f977aaf27e04cde49b5f

  • C:\Users\Admin\AppData\Local\Temp\qZnlXNqcGTEu.bat
    Filesize  261B
    MD5       a8d19d88c6ef60838e0a83be7ed8ad7d
    SHA1      835a67d9aa6f924de8191244099429c170de8d4f
    SHA256    56ff73c2ff95219e871aeaf159865deb530cabd61bd2170e6af314bd6291e0df
    SHA512    718fd651c0350732cace5f966d400ebbc9477acfaf7c720cccb2438d0beb0fc270956cd99f1562a4b00566a36da7e92791a3b136f918e0e67e44d8d6d84a89ff

  • C:\Users\Admin\AppData\Local\Temp\qZsGCXWfkmHP.bat
    Filesize  261B
    MD5       c63495a28f00b0d909d9263ade716ad8
    SHA1      57dabd751000cba6d7391cf5a3b022c0115cf075
    SHA256    7d7eed5cbf371c423547eb5a8dabc58b5e4972906d22f44f8d0805af2706c20c
    SHA512    a7119cf5dc51ed1a34313c347dbebefa6caff0516f652479ec4d4db440a806eed0e6aef54bcb3954bed33115355d13398f0b2b5edc59d8a1b90ce5f49bd4f3b7

  • C:\Users\Admin\AppData\Local\Temp\v0jxSmRunVvq.bat
    Filesize  261B
    MD5       36c26598b08e146ab49c8931f8cef273
    SHA1      1882676b86c7887a9f92529d1a6e723a68894b8d
    SHA256    04c5c6f0432e87b2518dc231b6ef5a9a4fa5980f1d74951684dd22ab3517405b
    SHA512    75c5bacfc5feaf88611ace74b371f6c4d1c4a37b1ea0050901ef1a9ab74c7f606ca74831f0a95acca1dabf9311199090ad838a3cb1be79156f31b2c97f473247

  • memory/4468-0-0x00007FFDB5643000-0x00007FFDB5645000-memory.dmp
    Filesize  8KB

  • memory/4468-9-0x00007FFDB5640000-0x00007FFDB6101000-memory.dmp
    Filesize  10.8MB

  • memory/4468-4-0x000000001C370000-0x000000001C422000-memory.dmp
    Filesize  712KB

  • memory/4468-3-0x000000001C260000-0x000000001C2B0000-memory.dmp
    Filesize  320KB

  • memory/4468-2-0x00007FFDB5640000-0x00007FFDB6101000-memory.dmp
    Filesize  10.8MB

  • memory/4468-1-0x0000000000BC0000-0x0000000000EE4000-memory.dmp
    Filesize  3.1MB