Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/12/2024, 09:28 UTC

General

  • Target

    RevsExternal.exe

  • Size

    3.1MB

  • MD5

    abdb9928a2443e939fd0e3b2758fac86

  • SHA1

    963518e3d31b32ade1faa2d3ad4a5f29f4a94718

  • SHA256

    36ea2fb6f0b7279ea15e54dba6d2c41a00bc3f56e26a59e1bf21867865b2e2db

  • SHA512

    3b21a68634fe6c467de89614a7719aed29d664d83857dc3f9684eaa96a155e349aa471bf2bd7a526e201de4805ce2072224de0bb6763490fce6da61b089eb2bb

  • SSDEEP

    49152:Xvluf2NUaNmwzPWlvdaKM7ZxTwi0zBBxLSoGd5THHB72eh2NT:Xvwf2NUaNmwzPWlvdaB7ZxTwJz8

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

AuraReal

C2

tcp://auraboyy-27610.portmap.host:23133 => 4782:23133

Mutex

23455755-5d9f-40df-b240-406c00706fe9

Attributes
  • encryption_key

    2482B7514A53EC61E5CFC0A64CF01CDEB49C6056

  • install_name

    Win64.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    Extras

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Drops file in System32 directory 33 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\RevsExternal.exe
    "C:\Users\Admin\AppData\Local\Temp\RevsExternal.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3884
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\Extras\Win64.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3752
    • C:\Windows\system32\Extras\Win64.exe
      "C:\Windows\system32\Extras\Win64.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\Extras\Win64.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2940
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCjA57eLMpZX.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4176
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:1008
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4044
          • C:\Windows\system32\Extras\Win64.exe
            "C:\Windows\system32\Extras\Win64.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3836
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\Extras\Win64.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:828
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xPig9kNXsmPO.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1620
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2104
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:1076
                • C:\Windows\system32\Extras\Win64.exe
                  "C:\Windows\system32\Extras\Win64.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:4600
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\Extras\Win64.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:1512
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nktyGP7ATK5W.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1744
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:1940
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:1536
                      • C:\Windows\system32\Extras\Win64.exe
                        "C:\Windows\system32\Extras\Win64.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:4488
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\Extras\Win64.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:4776
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIvWAUdaB8uV.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2788
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:1640
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:1476
                            • C:\Windows\system32\Extras\Win64.exe
                              "C:\Windows\system32\Extras\Win64.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of WriteProcessMemory
                              PID:3576
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\Extras\Win64.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:4640
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\90zlDZLTMsoC.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2668
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:4996
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:4656
                                  • C:\Windows\system32\Extras\Win64.exe
                                    "C:\Windows\system32\Extras\Win64.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    • Suspicious use of WriteProcessMemory
                                    PID:4016
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\Extras\Win64.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4452
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a5UnxGEqRLup.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:2492
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:2692
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:2020
                                        • C:\Windows\system32\Extras\Win64.exe
                                          "C:\Windows\system32\Extras\Win64.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of FindShellTrayWindow
                                          • Suspicious use of SendNotifyMessage
                                          PID:4028
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\Extras\Win64.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2876
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEVSwFUdogON.bat" "
                                            15⤵
                                              PID:672
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:4128
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:3428
                                                • C:\Windows\system32\Extras\Win64.exe
                                                  "C:\Windows\system32\Extras\Win64.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SendNotifyMessage
                                                  PID:3324
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\Extras\Win64.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2320
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R3v9QxMfwsnf.bat" "
                                                    17⤵
                                                      PID:4444
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:2716
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:1684
                                                        • C:\Windows\system32\Extras\Win64.exe
                                                          "C:\Windows\system32\Extras\Win64.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of FindShellTrayWindow
                                                          • Suspicious use of SendNotifyMessage
                                                          PID:3168
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\Extras\Win64.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2456
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UVN7hMS3JTOx.bat" "
                                                            19⤵
                                                              PID:4988
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:1632
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:4040
                                                                • C:\Windows\system32\Extras\Win64.exe
                                                                  "C:\Windows\system32\Extras\Win64.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • Suspicious use of FindShellTrayWindow
                                                                  • Suspicious use of SendNotifyMessage
                                                                  PID:3668
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\Extras\Win64.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:852
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmVrx32L0RL8.bat" "
                                                                    21⤵
                                                                      PID:3960
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:552
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:828
                                                                        • C:\Windows\system32\Extras\Win64.exe
                                                                          "C:\Windows\system32\Extras\Win64.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • Suspicious use of FindShellTrayWindow
                                                                          • Suspicious use of SendNotifyMessage
                                                                          PID:752
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\Extras\Win64.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:4812
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQezohrdrcPS.bat" "
                                                                            23⤵
                                                                              PID:2696
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:5016
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  • Runs ping.exe
                                                                                  PID:2980
                                                                                • C:\Windows\system32\Extras\Win64.exe
                                                                                  "C:\Windows\system32\Extras\Win64.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  • Suspicious use of SendNotifyMessage
                                                                                  PID:2360
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\Extras\Win64.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:704
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5RSTZZVLd5J2.bat" "
                                                                                    25⤵
                                                                                      PID:4604
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:1556
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:2400
                                                                                        • C:\Windows\system32\Extras\Win64.exe
                                                                                          "C:\Windows\system32\Extras\Win64.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                          • Suspicious use of SendNotifyMessage
                                                                                          PID:5088
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\Extras\Win64.exe" /rl HIGHEST /f
                                                                                            27⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:1172
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sj1tW5ZEfjMI.bat" "
                                                                                            27⤵
                                                                                              PID:2536
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                28⤵
                                                                                                  PID:1820
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  28⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:4796
                                                                                                • C:\Windows\system32\Extras\Win64.exe
                                                                                                  "C:\Windows\system32\Extras\Win64.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                  PID:4544
                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                    "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\Extras\Win64.exe" /rl HIGHEST /f
                                                                                                    29⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:4956
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OtLb1a2Lsnd3.bat" "
                                                                                                    29⤵
                                                                                                      PID:3976
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        30⤵
                                                                                                          PID:1084
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          30⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:2468
                                                                                                        • C:\Windows\system32\Extras\Win64.exe
                                                                                                          "C:\Windows\system32\Extras\Win64.exe"
                                                                                                          30⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                          PID:4040
                                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                            "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\Extras\Win64.exe" /rl HIGHEST /f
                                                                                                            31⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:1796
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4f2grJPk11Ry.bat" "
                                                                                                            31⤵
                                                                                                              PID:1680
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                32⤵
                                                                                                                  PID:4092
                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                  ping -n 10 localhost
                                                                                                                  32⤵
                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:3260

                                                  Network

Reverse (PTR) lookups, all sent to 8.8.8.8:53 over DNS; one request and one response each. Hostnames are restored from the extracted text, which had their dots stripped.

Query (PTR)                     Sent   Received  Answer
8.8.8.8.in-addr.arpa            66 B   90 B      dns.google
217.106.137.52.in-addr.arpa     73 B   147 B     (no PTR record returned)
172.210.232.199.in-addr.arpa    74 B   128 B     (no PTR record returned)
4.159.190.20.in-addr.arpa       71 B   157 B     (no PTR record returned)
95.221.229.192.in-addr.arpa     73 B   144 B     (no PTR record returned)
58.55.71.13.in-addr.arpa        70 B   144 B     (no PTR record returned)
56.163.245.4.in-addr.arpa       71 B   157 B     (no PTR record returned)
241.42.69.40.in-addr.arpa       71 B   145 B     (no PTR record returned)
172.214.232.199.in-addr.arpa    74 B   128 B     (no PTR record returned)
83.210.23.2.in-addr.arpa        70 B   133 B     a2-23-210-83.deploy.static.akamaitechnologies.com
22.236.111.52.in-addr.arpa      72 B   158 B     (no PTR record returned)
                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Temp\rmVrx32L0RL8.bat

                                                    Filesize

                                                    195B

                                                    MD5

                                                    61d2bb144d40e4e591c162d77087f581

                                                    SHA1

                                                    463df9920b8b8595160dbba11e4573e84cf6c78f

                                                    SHA256

                                                    573332ca56abde23d3ba44b4ed65865738c2139ea458ef726155cc1193a55df4

                                                    SHA512

                                                    a18670460203f3cad63d6166434615074b408504e0eb20b8248114b7937eb438815ad782accc0e8631a0f95637b62d906d18d27b85914ba4ddf7fa08e95db88e

                                                  • C:\Users\Admin\AppData\Local\Temp\uEVSwFUdogON.bat

                                                    Filesize

                                                    195B

                                                    MD5

                                                    20f985445192aca2e68767cfdae219c7

                                                    SHA1

                                                    6d03a73151b799a95ffce301a8fe3255acd82ac7

                                                    SHA256

                                                    58ca08679ec7865a64eaabe140d56cc22efd62349fe8a1c60521191d282d0284

                                                    SHA512

                                                    bb3a8943b3b9ebea304442bc6003c516202a9ffd64b316a2c9a6efcb6557ea363f1245e26199cfc120f2f5d8ed889575386e7b0fe19bc04c87175d43756330bd

                                                  • C:\Users\Admin\AppData\Local\Temp\xPig9kNXsmPO.bat

                                                    Filesize

                                                    195B

                                                    MD5

                                                    d8c130e951ec441a91640a3bb93df30c

                                                    SHA1

                                                    17ba7bff1c033691c3bbc33d2e900dc6e03feb93

                                                    SHA256

                                                    e2c654c6cce7c2e5e0374d1071dcc49023cae99d5a85fb4502fa198e9616ad44

                                                    SHA512

                                                    f7b6e3b992f3f1dd597f134684e5c43c840a33cd8dd376a5b4cc655f644a26b4ae6e0b683ee8f1bdb39f72dd45199585ccde5a23c16014b37da923121e230d90

                                                  • C:\Windows\System32\Extras\Win64.exe

                                                    Filesize

                                                    3.1MB

                                                    MD5

                                                    abdb9928a2443e939fd0e3b2758fac86

                                                    SHA1

                                                    963518e3d31b32ade1faa2d3ad4a5f29f4a94718

                                                    SHA256

                                                    36ea2fb6f0b7279ea15e54dba6d2c41a00bc3f56e26a59e1bf21867865b2e2db

                                                    SHA512

                                                    3b21a68634fe6c467de89614a7719aed29d664d83857dc3f9684eaa96a155e349aa471bf2bd7a526e201de4805ce2072224de0bb6763490fce6da61b089eb2bb

                                                  • memory/1788-18-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/1788-13-0x000000001BF50000-0x000000001C002000-memory.dmp

                                                    Filesize

                                                    712KB

                                                  • memory/1788-12-0x000000001BE40000-0x000000001BE90000-memory.dmp

                                                    Filesize

                                                    320KB

                                                  • memory/1788-11-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/1788-10-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/3884-0-0x00007FF8A8573000-0x00007FF8A8575000-memory.dmp

                                                    Filesize

                                                    8KB

                                                  • memory/3884-9-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/3884-2-0x00007FF8A8570000-0x00007FF8A9031000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/3884-1-0x0000000000570000-0x0000000000894000-memory.dmp

                                                    Filesize

                                                    3.1MB
