Analysis

  • max time kernel
    147s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/02/2025, 12:28

General

  • Target

    ImageLogger3.5.exe

  • Size

    3.4MB

  • MD5

    55fed3c2f548f0a0beed666f20a01d97

  • SHA1

    e2908aeb63e17405b95c05a06a886813e1d4d594

  • SHA256

    cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e

  • SHA512

    2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e

  • SSDEEP

    49152:zvnI22SsaNYfdPBldt698dBcjHAKk1QmypoGd7aPTHHB72eh2NT:zvI22SsaNYfdPBldt6+dBcjHAKke

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

26.45.181.53:4782

Mutex

91fc011d-5bd3-41d0-82ab-84cdbb628ab4

Attributes
  • encryption_key

    5E2CFB52ADC9AC8BBA82A6E18BBD8FE00311B8A0

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Defender

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems. In this run the only ping target is localhost (ping -n 10 localhost in the process tree), so the command works as a delay of roughly nine seconds before Client.exe is relaunched from the batch file, not as a connectivity check.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
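The signatures above and the process tree below show two behaviours worth turning into detection logic: a schtasks /create that installs a logon task named "Windows Defender" with /rl HIGHEST pointing at a binary under AppData\Roaming, and a cmd.exe that runs chcp, pings localhost as a sleep, then relaunches the same Client.exe that spawned it. The following is an added example and not part of the tria.ge report or of the Quasar project. It runs both rules over process-creation records constructed to mirror the page's process tree; the field names are a simplified form of Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine), the root's parent PID (1234) and the benign "Nightly Backup" control record are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation records mirroring the report's process tree
# (simplified Sysmon EID 1 fields). PIDs are the page's; the root's parent
# PID 1234 and the benign control record at the end are assumptions.
EVENTS = [
    {"pid": 2704, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ImageLogger3.5.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ImageLogger3.5.exe"'},
    {"pid": 4984, "ppid": 2704,
     "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "Windows Defender" /sc ONLOGON '
                r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'},
    {"pid": 4008, "ppid": 2704,
     "image": r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'},
    {"pid": 532, "ppid": 4008,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMeXeHD1FG8C.bat" "'},
    {"pid": 2032, "ppid": 532, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 764, "ppid": 532, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 4248, "ppid": 532,
     "image": r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'},
    # Constructed benign control: an admin-created daily task under Program Files.
    {"pid": 9001, "ppid": 9000,
     "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Nightly Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f'},
]

# Directories an unprivileged user can write to; a logon task with the
# HIGHEST run level pointing here is the usual user-land persistence shape.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
IMPERSONATED_NAMES = ("windows defender", "microsoft", "windows update", "onedrive")


def _arg(cmdline, switch):
    """Value of a schtasks switch, quoted or bare; None if the switch is absent."""
    m = re.search(r'(?i)(?:^|\s)/' + switch + r'\s+(?:"([^"]*)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else None


def suspicious_schtasks(ev):
    """Rule (a): schtasks /create into a user-writable path with escalating or boot-time traits."""
    if not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    cmd = ev["cmdline"]
    if not re.search(r"(?i)(?:^|\s)/create(?:\s|$)", cmd):
        return None
    name, sched, target, level = (_arg(cmd, s) for s in ("tn", "sc", "tr", "rl"))
    reasons = []
    if sched and sched.upper() in ("ONLOGON", "ONSTART"):
        reasons.append(f"runs at {sched.upper()}")
    if level and level.upper() == "HIGHEST":
        reasons.append("requests /rl HIGHEST")
    if target and any(d in target.lower() for d in USER_WRITABLE):
        reasons.append(f"target in user-writable path: {target}")
    if name and any(n in name.lower() for n in IMPERSONATED_NAMES):
        reasons.append(f"task name impersonates a vendor: {name!r}")
    # Require the writable-path target plus at least one more trait; any single
    # trait on its own is common in legitimate admin scripts.
    if len(reasons) >= 2 and any(r.startswith("target") for r in reasons):
        return {"pid": ev["pid"], "task": name, "reasons": reasons}
    return None


def restart_chains(events):
    """Rule (b): cmd.exe whose children ping localhost as a delay and then
    relaunch the very image that spawned the cmd.exe (self-restart batch)."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for shell in events:
        if not shell["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(shell["ppid"])
        if parent is None:
            continue
        kids = children[shell["pid"]]
        delayed = any(k["image"].lower().endswith("\\ping.exe")
                      and re.search(r"(?i)-n\s+\d+\s+(localhost|127\.0\.0\.1)", k["cmdline"])
                      for k in kids)
        relaunched = [k for k in kids if k["image"].lower() == parent["image"].lower()]
        if delayed and relaunched:
            hits.append({"cmd_pid": shell["pid"], "parent": parent["image"],
                         "relaunched_pid": relaunched[0]["pid"]})
    return hits


def scan(events):
    return {"persistence": [h for h in map(suspicious_schtasks, events) if h],
            "restart_chains": restart_chains(events)}


if __name__ == "__main__":
    for kind, hits in scan(EVENTS).items():
        for h in hits:
            print(kind, h)
```

Two caveats when running this against real telemetry. The report itself shows PID reuse within a 147-second run (PID 2704 is the root ImageLogger3.5.exe and, later, a PING.EXE), so the parent/child joins above should be keyed on process GUIDs rather than raw PIDs. And because the task is created with /f, every relaunch overwrites the existing "Windows Defender" task silently; on a live host the equivalent check is whether any scheduled task's action points into AppData\Roaming, regardless of how trustworthy its name looks.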

Processes

  • C:\Users\Admin\AppData\Local\Temp\ImageLogger3.5.exe
    "C:\Users\Admin\AppData\Local\Temp\ImageLogger3.5.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4984
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3308
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMeXeHD1FG8C.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:532
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2032
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:764
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4248
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:3112
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BJwgZAVDT5UB.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1984
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4940
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:4340
                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:928
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2648
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G1gpttesxFtC.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1560
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:4516
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:1716
                      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:1036
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:1360
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wN9JdSfQPnNP.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3708
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:1368
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:4180
                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of WriteProcessMemory
                              PID:1444
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:4068
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7wANeKTQATlR.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3340
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:4884
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:868
                                  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    • Suspicious use of WriteProcessMemory
                                    PID:752
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2744
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8gizbFKcuC3K.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:3348
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:444
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:2888
                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of FindShellTrayWindow
                                          • Suspicious use of SendNotifyMessage
                                          PID:1068
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:5104
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CthvZUgGd1ym.bat" "
                                            15⤵
                                              PID:3848
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:1056
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:4900
                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SendNotifyMessage
                                                  PID:1156
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:392
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O9CzcwsbbzpJ.bat" "
                                                    17⤵
                                                      PID:2100
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:1340
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:3540
                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of FindShellTrayWindow
                                                          • Suspicious use of SendNotifyMessage
                                                          PID:232
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3328
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9gY5AtFjuGwQ.bat" "
                                                            19⤵
                                                              PID:3100
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:3996
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:2704
                                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • Suspicious use of FindShellTrayWindow
                                                                  • Suspicious use of SendNotifyMessage
                                                                  PID:2572
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3104
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neE4cTRhAsgq.bat" "
                                                                    21⤵
                                                                      PID:3580
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:4820
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:5084
                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • Suspicious use of FindShellTrayWindow
                                                                          • Suspicious use of SendNotifyMessage
                                                                          PID:3340
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:3920
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYbMHc0siWyF.bat" "
                                                                            23⤵
                                                                              PID:3512
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:4688
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  • Runs ping.exe
                                                                                  PID:3064
                                                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  • Suspicious use of SendNotifyMessage
                                                                                  PID:2936
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:1632
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWLXSEUi2YJJ.bat" "
                                                                                    25⤵
                                                                                      PID:4624
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:4876
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:1004
                                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                          • Suspicious use of SendNotifyMessage
                                                                                          PID:4788
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                            27⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:3780
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYzskin3vXmC.bat" "
                                                                                            27⤵
                                                                                              PID:3220
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                28⤵
                                                                                                  PID:4860
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  28⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:4372
                                                                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                  PID:1712
                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                    29⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:1848
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w1l1AeknUJ6S.bat" "
                                                                                                    29⤵
                                                                                                      PID:3088
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        30⤵
                                                                                                          PID:1964
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          30⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:4532
                                                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                          30⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                          PID:4180
                                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                            "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                            31⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:1464
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I59tnl9g9aDq.bat" "
                                                                                                            31⤵
                                                                                                              PID:3308
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                32⤵
                                                                                                                  PID:3564
                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                  ping -n 10 localhost
                                                                                                                  32⤵
                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:4252
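The branch above, like the earlier branches it repeats, is the Quasar restart loop: the persisted Client.exe registers a logon-triggered scheduled task named "Windows Defender" with /rl HIGHEST, then runs a random-named batch file through cmd.exe that sets the console code page (chcp 65001), sleeps with ping -n 10 localhost, and starts Client.exe again from %APPDATA%\SubDir, which repeats the cycle. None of the three steps is unusual on its own; the combination is what a detection should key on. The Python below is an added example written for this page, not code from the report or from the Quasar project. It parses schtasks switches out of a command line and walks parent/child links to flag the ping-sleep-then-relaunch pattern. The sample records are constructed from the PIDs, images and command lines of the 1712 -> 3088 branch in the tree; the benign control event (PIDs 4999/5000, task "Backup Nightly") is invented and does not appear in the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EID 1 style): pid, parent pid, image path, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed records. PIDs, images and command lines are copied from the tree
# above; parent links follow its nesting. The last record is a benign control
# (PIDs 4999/5000, task "Backup Nightly") that does not appear in the report.
SAMPLE_EVENTS = [
    ProcEvent(1712, 3220, r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
              r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'),
    ProcEvent(1848, 1712, r"C:\Windows\SYSTEM32\schtasks.exe",
              r'"schtasks" /create /tn "Windows Defender" /sc ONLOGON '
              r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'),
    ProcEvent(3088, 1712, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w1l1AeknUJ6S.bat" "'),
    ProcEvent(1964, 3088, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(4532, 3088, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    ProcEvent(4180, 3088, r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
              r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'),
    ProcEvent(5000, 4999, r"C:\Windows\SYSTEM32\schtasks.exe",  # constructed benign control
              r'schtasks /create /tn "Backup Nightly" /sc DAILY /tr "C:\Program Files\Backup\backup.exe"'),
]

# Paths under a user's AppData are writable without admin rights: a poor home for anything that runs at logon.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)
TRUSTED_DIR = re.compile(r"^[a-z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)
IMPERSONATED_NAMES = ("defender", "antivirus", "windows update", "security")
PING_SLEEP = re.compile(r"\bping(\.exe)?\b.*-n\s+(\d+)\s+(localhost|127\.0\.0\.1)", re.I)


def _tokens(cmdline):
    """Split a Windows command line, keeping double-quoted arguments as one token."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def parse_schtasks(cmdline):
    """Map each /switch to its argument (quotes stripped), or to True for bare switches such as /f."""
    toks = _tokens(cmdline)
    opts = {}
    for i, tok in enumerate(toks):
        if not tok.startswith("/"):
            continue
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        opts[tok.lower()] = nxt.strip('"') if nxt and not nxt.startswith("/") else True
    return opts


def schtasks_findings(ev):
    """Reasons a schtasks /create looks like user-level persistence; an empty list means nothing flagged."""
    if not ev.image.lower().endswith("schtasks.exe"):
        return []
    opts = parse_schtasks(ev.cmdline)
    if opts.get("/create") is not True:
        return []
    name, target = str(opts.get("/tn", "")), str(opts.get("/tr", ""))
    findings = []
    if str(opts.get("/sc", "")).upper() == "ONLOGON" and USER_WRITABLE.search(target):
        findings.append("logon-triggered task runs a binary from a user-writable AppData path")
    if str(opts.get("/rl", "")).upper() == "HIGHEST":
        findings.append("task asks for the HIGHEST run level")
    if any(k in name.lower() for k in IMPERSONATED_NAMES) and not TRUSTED_DIR.match(target):
        findings.append(f"task name {name!r} imitates a security product but runs {target}")
    return findings


def ping_sleep_relaunch(events):
    """cmd.exe running a .bat whose children are a localhost ping (used as a sleep) and then an .exe from AppData."""
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)
    hits = []
    for ev in events:
        if not (ev.image.lower().endswith("cmd.exe") and re.search(r"\.bat\b", ev.cmdline, re.I)):
            continue
        kids = children[ev.pid]
        ping_at = next((i for i, k in enumerate(kids) if PING_SLEEP.search(k.cmdline)), None)
        if ping_at is None:
            continue
        count = int(PING_SLEEP.search(kids[ping_at].cmdline).group(2))
        for k in kids[ping_at + 1:]:
            if k.image.lower().endswith(".exe") and USER_WRITABLE.search(k.image):
                hits.append({"cmd_pid": ev.pid, "ping_count": count, "relaunched": k.image})
                break
    return hits


def triage(events):
    """Run both detections: schtasks findings keyed by the schtasks PID, plus the relaunch hits."""
    persistence = {ev.pid: f for ev in events if (f := schtasks_findings(ev))}
    return {"schtasks": persistence, "ping_relaunch": ping_sleep_relaunch(events)}


if __name__ == "__main__":
    for section, result in triage(SAMPLE_EVENTS).items():
        print(section, result)
```

The schtasks check keeps the three signals separate on purpose: a logon task pointing into AppData, a HIGHEST run level, and a name borrowed from a security product each carry weight alone, and the Quasar command line trips all three. The ping check requires the .bat-driven cmd.exe, the localhost ping and a later AppData .exe under the same parent, so an installer that merely pings a host is not flagged.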

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads

                                                   • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
                                                     Filesize: 2KB
                                                     MD5: 8f0271a63446aef01cf2bfc7b7c7976b
                                                     SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
                                                     SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
                                                     SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

                                                   • C:\Users\Admin\AppData\Local\Temp\7wANeKTQATlR.bat
                                                     Filesize: 207B
                                                     MD5: 6458ef9194d22dfc8a5f82be9bc69e34
                                                     SHA1: c221326a7e0eabf6e2b5ddc6265808689c3b3d17
                                                     SHA256: 696a735ab2defb756b2a587e0ef7b9d8bd4bd3c2bdc41961445dcf492261c086
                                                     SHA512: 049a506f944ff6c2aaafb1fc7eb6f4e098b3ea759c4976d65ef65648aa4148da7cdce2de9d558db1daf40b48c8fc4b1cbe53cd16cae0f7be4b87f00b2407810e

                                                   • C:\Users\Admin\AppData\Local\Temp\8gizbFKcuC3K.bat
                                                     Filesize: 207B
                                                     MD5: 68d75dd237f975a7a3362e13970d34c5
                                                     SHA1: 3cf10e7d25c8b05dfb3077ab7e7f782220b706c1
                                                     SHA256: 0cf533846794f0630a953503e46729cf4ab2ed17e49cfd187987ad3f24c13543
                                                     SHA512: 63817d4aa9ada367b3c83375ac2ca44d0dfb738bdec7eb9eaa008b46e83c3e1c22d806cac7f66b28922808586983755777330d351841963355d33766c412a1a7

                                                   • C:\Users\Admin\AppData\Local\Temp\9gY5AtFjuGwQ.bat
                                                     Filesize: 207B
                                                     MD5: c8948d641692e7f018a86d801b037b58
                                                     SHA1: baca4fec543310a82a245bb72bad1e6027679101
                                                     SHA256: a8e8533739c23c9957fdc1c68495e66feb5b053a458e19b4a10ce17c3e200eb7
                                                     SHA512: 385aeca43f090af3a7ae63c45a89e9777d321802019247cf4b23d59913d295c263dd42f279477b93151bb0bafba10690033572abcdc2625a4552abff705f1487

                                                   • C:\Users\Admin\AppData\Local\Temp\BJwgZAVDT5UB.bat
                                                     Filesize: 207B
                                                     MD5: bba8e53614f1956b564aa90801b42528
                                                     SHA1: 7f5a08b8112cde8692550009745e1e215246345a
                                                     SHA256: d24a5723111b8ed50e3e4e99e306f7840a08ff60bb689cddc0de913954001439
                                                     SHA512: eadec04f45965d214f034e964a821cb429656dee2bc1750815a151cfd40ea4c1621ea2b9c6e6d598a85334e59908be8da40ad7a739194e4eb3ee3b8cec4bbf01

                                                   • C:\Users\Admin\AppData\Local\Temp\CthvZUgGd1ym.bat
                                                     Filesize: 207B
                                                     MD5: 84eb00ef4a29c459059b6efbdfa95658
                                                     SHA1: a06d7d365c0cf550262ff6b80b19619d4d728c78
                                                     SHA256: 5dd8fa567dd0e419674887695a2221df9fde542380938d86004e7c753df93986
                                                     SHA512: b51f017080303466804f079edf6d2d9f2e5308c47099afe50e6c7505c75c8f38fcd9aaa1b179f017da98390365990fa01a3da1386b1ff7e1669bbdc48ee90093

                                                   • C:\Users\Admin\AppData\Local\Temp\G1gpttesxFtC.bat
                                                     Filesize: 207B
                                                     MD5: cf4648ce19b337558dfc64d7ff793379
                                                     SHA1: d482437d7f54bfb1b0df4f5dc8bc49a196f0878b
                                                     SHA256: 4ec49d3493fd74ae9f11935148315be36100765211f067761ff7fc852a8654b3
                                                     SHA512: e760cf456d4918c66363a494f51756716eac7a34dd76d3cfc843ddfa6ff13ff10adb200a23042591d9d5d5e219151063c0206f3f8a57c7bd742e4fbd6cd8f46f

                                                   • C:\Users\Admin\AppData\Local\Temp\HYzskin3vXmC.bat
                                                     Filesize: 207B
                                                     MD5: 49bb198ddf9ba241119ee7ca5b909aa7
                                                     SHA1: e6177a21266ed268a6a697b0eb5379429aceaade
                                                     SHA256: 6e04964d11c6485ad593a7bdfd77c5fe03136adefee049051abdae928c48ac5a
                                                     SHA512: 466ce600df84c841438c32290814f2889415d859010c0de3fa1766ddeaad2ef2478e4c41e1d6fe3a9b2c6257693f25560bf9e1ba7753a60b0bac97a74903d1d2

                                                   • C:\Users\Admin\AppData\Local\Temp\I59tnl9g9aDq.bat
                                                     Filesize: 207B
                                                     MD5: f2c5be7f2ef7e520b9db4c5b20b2e8df
                                                     SHA1: 8fc1e7cfb5ca242be2e19f044dc0314b6daf3d48
                                                     SHA256: 84bab5f3b2ad1c6d32c59c7815aa454a6c4d7ff913a0ab86d32e2f17594f5553
                                                     SHA512: 7b771e6b07c348e29aa709d39335bd003865ff6af1a4eff54ad6b0c3e0aad81e7a263ea00f31d3f4735090923acf99f5f33d4f5c16f107fcd22cf0e0536e6b84

                                                   • C:\Users\Admin\AppData\Local\Temp\O9CzcwsbbzpJ.bat
                                                     Filesize: 207B
                                                     MD5: 349c29795f6eaa66713dd469a8535768
                                                     SHA1: c19c802f9ac0447c9d8f3caef44569a858e6e435
                                                     SHA256: 892b2c401aa43271427998d68743f51b75317f122136fd3b3aee28114c8cc644
                                                     SHA512: ed3ee0741ff39ec4d3f9ea19bf7c9463491625f5bf1b08b5f780fc86540ad88d6ad7f5e9cfe37fa70a16ab18cc6957f9f204a6a1372fa9be0b9b17a462a61ebe

                                                   • C:\Users\Admin\AppData\Local\Temp\neE4cTRhAsgq.bat
                                                     Filesize: 207B
                                                     MD5: 0a6583f853d060aac6adaa236300f54c
                                                     SHA1: 849943564d3daf67a5faed429b0d4533ebc59bc8
                                                     SHA256: 5da0a06234715c13e340a4a7188e6de2fe3d612d2a42fea9b306960ed121115b
                                                     SHA512: 8f7b6f752bc8f88fb63b9383c0e97755a478c58dab534f45ba3fda83926ac110cf6bb7545bd0cc716a874f227dbe66becff055e8f59da82801c0c9ee9c3c2c27

                                                   • C:\Users\Admin\AppData\Local\Temp\pYbMHc0siWyF.bat
                                                     Filesize: 207B
                                                     MD5: 93e3c88e9f79dd6284a3254254dd717d
                                                     SHA1: eea320db69ea19929d3597b8c22944fccd52de9b
                                                     SHA256: 470f000af53010df4ccb4308249340f85049683bc706e1c5912e28d8a30d14e4
                                                     SHA512: 67709a7b5ef31af3d40ad96347cb201943e7df5805cdfb5c3512bbef59365b727f699d47eca8fa6f05da48a9348454481b77162752b1b0eab7517beec2f56241

                                                   • C:\Users\Admin\AppData\Local\Temp\rWLXSEUi2YJJ.bat
                                                     Filesize: 207B
                                                     MD5: 682384d493d910adbff53d76afa0c28e
                                                     SHA1: 822c88943962d9d302019c8cf9bf39c8ed368b10
                                                     SHA256: 16aace6acabb1145b05d7d77a862bc466a6e9e993eb555fe3d5fd0fa300129b6
                                                     SHA512: 7dd53357256975360e0ec374575ddd3c5e59fd2f9b70e9a1ff9b76a3a3e7356f58ec853ec5ef873a697f79498cd3ae21a073903a64061ed60c383dbe786431ef

                                                   • C:\Users\Admin\AppData\Local\Temp\w1l1AeknUJ6S.bat
                                                     Filesize: 207B
                                                     MD5: 9ea14ad45d594237150d1ab78054dbbf
                                                     SHA1: a62076d5719d3462d27d75c7fbb1f6026ea85c87
                                                     SHA256: ebc552540f3fa8291d1b5d109180b964c91f11ec67f41f449f77c2f101ecbc15
                                                     SHA512: 978ba35254be869ba70fb675d272c78cd396e6c50538d96234197b89a714d6cf0b443ba9b9aa8837a2a942edc18416ca205e0e425b6e5b0243c1433e10d4221f

                                                   • C:\Users\Admin\AppData\Local\Temp\wN9JdSfQPnNP.bat
                                                     Filesize: 207B
                                                     MD5: ce4ee6fceb7cc645d68fedcfd04ae116
                                                     SHA1: a0f87cc041cac3dbba36a72a9c3fd80622d1ed1b
                                                     SHA256: cf1a3bbafc9eb52f7fe7a5a8e0398018bc79a0e25355bdcf5cdad8ac9dfb40ec
                                                     SHA512: e431f5e1b29189fa079fb81db1bd08416bc81ac6ca35206fb4c354503b530c9be37ee6bf26e0d03f735c09d520c0075ad61b96431bacfaf4264fcd465843a182

                                                   • C:\Users\Admin\AppData\Local\Temp\xMeXeHD1FG8C.bat
                                                     Filesize: 207B
                                                     MD5: ada91f157c5740f393a188b54f8bd5cc
                                                     SHA1: 93c7a4ebce0451d85ee2aa0cf5609dbda513ccc8
                                                     SHA256: 06f9418fb54cbf04a81f4ac75761a55bfad6e216744763469283aca63435229e
                                                     SHA512: b84ada4d18c7b45856b3bb1c79d833aa83c0aa45c5be11393797624ffd1ae402b94f6bcccfc5ae1a482ff1fbad9dc1a45be31ea0b320f5b80c9cf1eba674cd01

                                                   • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                     Filesize: 3.4MB
                                                     MD5: 55fed3c2f548f0a0beed666f20a01d97
                                                     SHA1: e2908aeb63e17405b95c05a06a886813e1d4d594
                                                     SHA256: cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e
                                                     SHA512: 2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e

                                                   • memory/2704-10-0x00007FF99A610000-0x00007FF99B0D1000-memory.dmp
                                                     Filesize: 10.8MB

                                                   • memory/2704-0-0x00007FF99A613000-0x00007FF99A615000-memory.dmp
                                                     Filesize: 8KB

                                                   • memory/2704-2-0x00007FF99A610000-0x00007FF99B0D1000-memory.dmp
                                                     Filesize: 10.8MB

                                                   • memory/2704-1-0x0000000000970000-0x0000000000CD6000-memory.dmp
                                                     Filesize: 3.4MB

                                                   • memory/4008-11-0x00007FF99A610000-0x00007FF99B0D1000-memory.dmp
                                                     Filesize: 10.8MB

                                                   • memory/4008-9-0x00007FF99A610000-0x00007FF99B0D1000-memory.dmp
                                                     Filesize: 10.8MB

                                                   • memory/4008-12-0x000000001BCF0000-0x000000001BD40000-memory.dmp
                                                     Filesize: 320KB

                                                   • memory/4008-13-0x000000001C510000-0x000000001C5C2000-memory.dmp
                                                     Filesize: 712KB

                                                   • memory/4008-18-0x00007FF99A610000-0x00007FF99B0D1000-memory.dmp
                                                     Filesize: 10.8MB
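Two things in the Downloads list above matter for IOC work. The Client.exe dropped into %APPDATA%\SubDir is the copy the scheduled task launches, and its hashes are worth recording. The fifteen .bat files in %LOCALAPPDATA%\Temp, on the other hand, all have the same 207-byte size and a random 12-character alphanumeric name, and every one of them has a different hash: those hashes will not recur on another host, while the path shape and size will. The Python below is an added example written for this page, not part of the report. It parses entries written as a path followed by one `Label: value` line per field (the layout of the list above), checks that each hash has the right length for its algorithm, and separates hash-IOC candidates from run-unique files, for which it emits a path regex instead. The embedded excerpt copies five entries from the list (three of the batch files, Client.exe and the CLR usage log); the `Bob` profile paths in the usage check are constructed.

```python
import re
from collections import defaultdict

# Constructed excerpt: five entries copied from the Downloads list above
# (three of the fifteen batch files, the persisted Client.exe, the CLR usage log).
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\7wANeKTQATlR.bat
Filesize: 207B
MD5: 6458ef9194d22dfc8a5f82be9bc69e34
SHA256: 696a735ab2defb756b2a587e0ef7b9d8bd4bd3c2bdc41961445dcf492261c086

C:\Users\Admin\AppData\Local\Temp\8gizbFKcuC3K.bat
Filesize: 207B
MD5: 68d75dd237f975a7a3362e13970d34c5
SHA256: 0cf533846794f0630a953503e46729cf4ab2ed17e49cfd187987ad3f24c13543

C:\Users\Admin\AppData\Local\Temp\HYzskin3vXmC.bat
Filesize: 207B
MD5: 49bb198ddf9ba241119ee7ca5b909aa7
SHA256: 6e04964d11c6485ad593a7bdfd77c5fe03136adefee049051abdae928c48ac5a

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize: 3.4MB
MD5: 55fed3c2f548f0a0beed666f20a01d97
SHA256: cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
Filesize: 2KB
MD5: 8f0271a63446aef01cf2bfc7b7c7976b
SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_downloads(text):
    """Parse blank-line-separated entries: a path, then one 'Label: value' per line. Malformed hashes raise."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        entry = {"path": lines[0]}
        for ln in lines[1:]:
            label, _, value = ln.partition(":")
            entry[label.strip()] = value.strip()
        for algo, n in HASH_LEN.items():
            if algo in entry and not re.fullmatch(rf"[0-9a-f]{{{n}}}", entry[algo]):
                raise ValueError(f"{entry['path']}: {algo} is not {n} hex digits")
        entries.append(entry)
    return entries


def _split_path(path):
    directory, _, name = path.rpartition("\\")
    stem, _, ext = name.rpartition(".")
    return directory, stem, ext.lower()


def _generalize_dir(directory):
    """Regex for a directory, with the profile name under Users replaced by a wildcard."""
    parts = directory.split("\\")
    if len(parts) > 2 and parts[1].lower() == "users":
        parts[2] = None
    return r"\\".join(r"[^\\]+" if p is None else re.escape(p) for p in parts)


def ioc_plan(entries):
    """Split dropped files into hash-IOC candidates and run-unique files that need a path pattern instead."""
    groups = defaultdict(list)
    for e in entries:
        directory, _, ext = _split_path(e["path"])
        groups[(directory, ext, e.get("Filesize"))].append(e)
    plan = {"hash_iocs": [], "path_patterns": [], "run_unique": []}
    for (directory, ext, _size), members in groups.items():
        stems = [_split_path(m["path"])[1] for m in members]
        distinct = len({m["SHA256"] for m in members}) == len(members)
        uniform_names = len({len(s) for s in stems}) == 1 and all(s.isalnum() for s in stems)
        if len(members) > 1 and distinct and uniform_names:
            # Same directory, extension and size, different content every time:
            # the hashes will not recur, so match the path shape instead.
            plan["path_patterns"].append(
                rf"{_generalize_dir(directory)}\\[A-Za-z0-9]{{{len(stems[0])}}}\.{re.escape(ext)}")
            plan["run_unique"].extend(m["path"] for m in members)
        else:
            plan["hash_iocs"].extend(m["SHA256"] for m in members)
    return plan


def path_is_run_unique(plan, path):
    """True if a path matches one of the generated run-unique patterns (case-insensitive)."""
    return any(re.fullmatch(p, path, re.I) for p in plan["path_patterns"])


ENTRIES = parse_downloads(REPORT_EXCERPT)
PLAN = ioc_plan(ENTRIES)

if __name__ == "__main__":
    for key, value in PLAN.items():
        print(key, value)
```

Run on the excerpt, the plan keeps two SHA256 values as hash IOCs (Client.exe and the usage log) and replaces the three batch files with one pattern of the form `C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[A-Za-z0-9]{12}\.bat`, which together with the 207-byte size is what a file-write rule should carry. The length check in the parser is there because a hash with a dropped or extra character is a silent miss when it is later fed to a blocklist.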