Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/02/2025, 12:22

General

  • Target

    Image Logger 3.5.exe

  • Size

    3.4MB

  • MD5

    55fed3c2f548f0a0beed666f20a01d97

  • SHA1

    e2908aeb63e17405b95c05a06a886813e1d4d594

  • SHA256

    cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e

  • SHA512

    2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e

  • SSDEEP

    49152:zvnI22SsaNYfdPBldt698dBcjHAKk1QmypoGd7aPTHHB72eh2NT:zvI22SsaNYfdPBldt6+dBcjHAKke

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

26.45.181.53:4782

Mutex

91fc011d-5bd3-41d0-82ab-84cdbb628ab4

Attributes
  • encryption_key

    5E2CFB52ADC9AC8BBA82A6E18BBD8FE00311B8A0

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Defender

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 14 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 14 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Image Logger 3.5.exe
    "C:\Users\Admin\AppData\Local\Temp\Image Logger 3.5.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2708
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3888
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4872
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ozLdC0ZkXzMh.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:760
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4972
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1928
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:4516
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqasXV6uMR7J.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2068
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2416
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:4016
                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:1356
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:4924
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gALF8mkBJaZ6.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3904
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:3392
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:4880
                      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:3524
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:3412
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tPE1e0NIzN5A.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4432
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:3996
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:2732
                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of WriteProcessMemory
                              PID:3812
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:3480
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boaB1R457nbK.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3040
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:4456
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:4388
                                  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    • Suspicious use of WriteProcessMemory
                                    PID:4452
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1580
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dTdpsmbyrWUX.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:4224
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:3780
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:1428
                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of FindShellTrayWindow
                                          • Suspicious use of SendNotifyMessage
                                          PID:5108
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1088
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YoP32BfQ7nXd.bat" "
                                            15⤵
                                              PID:4744
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:5084
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:1476
                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SendNotifyMessage
                                                  PID:1072
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1388
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IX9AXBNQyN30.bat" "
                                                    17⤵
                                                      PID:1184
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:4944
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:4268
                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of FindShellTrayWindow
                                                          • Suspicious use of SendNotifyMessage
                                                          PID:1532
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1936
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LlOh5ZoOUwtn.bat" "
                                                            19⤵
                                                              PID:4764
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:1504
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:4880
                                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • Suspicious use of FindShellTrayWindow
                                                                  • Suspicious use of SendNotifyMessage
                                                                  PID:4748
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2172
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGHLKphyvV2T.bat" "
                                                                    21⤵
                                                                      PID:4160
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:3688
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:4728
                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • Suspicious use of FindShellTrayWindow
                                                                          • Suspicious use of SendNotifyMessage
                                                                          PID:748
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:4988
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j4kPnQYENWxI.bat" "
                                                                            23⤵
                                                                              PID:392
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:3480
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  • Runs ping.exe
                                                                                  PID:4164
                                                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  • Suspicious use of SendNotifyMessage
                                                                                  PID:3504
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:64
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\obVTVGaWQhVG.bat" "
                                                                                    25⤵
                                                                                      PID:732
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:1580
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:1524
                                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                          • Suspicious use of SendNotifyMessage
                                                                                          PID:3532
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                            27⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:3780
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\96WsQeybAbtc.bat" "
                                                                                            27⤵
                                                                                              PID:2200
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                28⤵
                                                                                                  PID:1812
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  28⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:2136
                                                                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                  PID:1848
                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                    29⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:1164
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2UtN68XG00Bi.bat" "
                                                                                                    29⤵
                                                                                                      PID:1304
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        30⤵
                                                                                                          PID:1700
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          30⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:2792
                                                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                          30⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                          PID:2808
                                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                            "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                            31⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:1548
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QL0LRWTe3YXr.bat" "
                                                                                                            31⤵
                                                                                                              PID:4972

                                                Network

                                                MITRE ATT&CK Enterprise v15

                                                Downloads
