Malware Analysis Report

2025-01-18 04:28

Sample ID 231203-bkpndsgg81
Target LethalCumpany-LethalCumpany-1.1.0.zip
SHA256 17d3c427c27e9fe420fba45c21d52c2df2042284751364053bb34d0b48278acc
Tags
office04 quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

17d3c427c27e9fe420fba45c21d52c2df2042284751364053bb34d0b48278acc

Threat Level: Known bad

The file LethalCumpany-LethalCumpany-1.1.0.zip was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar family

Quasar payload

Quasar RAT

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-03 01:12

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-03 01:12

Reported

2023-12-03 01:17

Platform

win7-20231020-en

Max time kernel

294s

Max time network

298s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1896 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe C:\Windows\system32\schtasks.exe
PID 1896 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
PID 2756 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\schtasks.exe
PID 2756 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\cmd.exe
PID 2864 wrote to memory of 1920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2864 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2864 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
PID 2620 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\schtasks.exe
PID 2620 wrote to memory of 864 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\cmd.exe
PID 864 wrote to memory of 2236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 864 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 864 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
PID 2824 wrote to memory of 700 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\schtasks.exe
PID 2824 wrote to memory of 784 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\cmd.exe
PID 784 wrote to memory of 752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 784 wrote to memory of 984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 784 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
PID 1128 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\schtasks.exe
PID 1128 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\cmd.exe
PID 2936 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2936 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2936 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe

"C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fpdVirwRNlci.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hnhFk7fhdijK.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gGbvl9BwatK4.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\b5yDMkREBVs9.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KkRU4DBhbqrU.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lq7flRgS1VqX.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cTX5nFYFgoKn.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\g5NQyBkt9dFs.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f4

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fo9dqIyN08ES.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\E3wFJlgCesAw.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oui5RqI0o0NL.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oLrBki14JESQ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TKho1CjnTeCm.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aVMRgECE3VaG.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MrhJYBM8iV41.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kCCWrPilTFtU.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WKkXLOvmOmCx.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lzWnr55pgE3b.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\0lemZy83vhVE.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1ltZSEeu4N1n.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eqCderUEv21J.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WC9nSKs479EF.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

N/A

Files

SHA1 31f04f1fd37324e1ead34ef80bbaf17640958406
SHA256 0186b4d2550dad4b6e673756d94758d3cab5b0f43750353b940ddcbcc70f150b
SHA512 43bbdde127ca01d83353ad9169a7ed954ecc2e26e57c0dbb8774c0eca7c48561433060e4b8addcbd9c75d40d8bed3e1fffed6092cf33d9356a32cd63ea56e6b2

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/2004-101-0x00000000001C0000-0x00000000004E4000-memory.dmp

memory/2004-102-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

memory/2004-103-0x000000001B300000-0x000000001B380000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\g5NQyBkt9dFs.bat

MD5 572a2a1709cd45567c773ca93a5429e0
SHA1 370c08786cb11783b4d2177ec698da86cc538a79
SHA256 218bd7fd45312eea0e70c02dfe1fd18b942d78967289ad69d7ae1cbea43ea5a0
SHA512 77693f29230ed8416048ff55f00e84569c999325ead895696a4308a2a1f0631c42f33bf3772ba58640bfcc39012cfecdae4080e727594b388773b602a39677f0

C:\Users\Admin\AppData\Local\Temp\g5NQyBkt9dFs.bat

MD5 572a2a1709cd45567c773ca93a5429e0
SHA1 370c08786cb11783b4d2177ec698da86cc538a79
SHA256 218bd7fd45312eea0e70c02dfe1fd18b942d78967289ad69d7ae1cbea43ea5a0
SHA512 77693f29230ed8416048ff55f00e84569c999325ead895696a4308a2a1f0631c42f33bf3772ba58640bfcc39012cfecdae4080e727594b388773b602a39677f0

memory/2004-113-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/1232-115-0x0000000000F30000-0x0000000001254000-memory.dmp

memory/1232-116-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

memory/1232-117-0x000000001B380000-0x000000001B400000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fo9dqIyN08ES.bat

MD5 7b35b0998cd20931b04c78f4d76cd652
SHA1 2d98cab356c77bde7fee1a2ab7d197628ba4676c
SHA256 a06d2987e008b3e8a5967bc92217f551bd49888689db94e8cc4afbf0cd5fb691
SHA512 86fb7a29d5b4e90f2c4eadbbab2c59e71d6530c66efcea2c4bf221ed6013255ea6ece2bb4eef212d7aa08aacdaa7ad2cd5890d08baaf80e1cd647a5992f1b6f7

C:\Users\Admin\AppData\Local\Temp\fo9dqIyN08ES.bat

MD5 7b35b0998cd20931b04c78f4d76cd652
SHA1 2d98cab356c77bde7fee1a2ab7d197628ba4676c
SHA256 a06d2987e008b3e8a5967bc92217f551bd49888689db94e8cc4afbf0cd5fb691
SHA512 86fb7a29d5b4e90f2c4eadbbab2c59e71d6530c66efcea2c4bf221ed6013255ea6ece2bb4eef212d7aa08aacdaa7ad2cd5890d08baaf80e1cd647a5992f1b6f7

memory/1232-127-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/2828-129-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E3wFJlgCesAw.bat

MD5 27ab9e31ed4eab6e5d9c1ca380a40dfb
SHA1 421bc0dc277d3c4e84ea236ed44b357dcd78963d
SHA256 d1ddab0902ca7a3c3f4b8352ee17c5a58a52e18e84a5c4b82b1b7daae6a9364d
SHA512 f19f6ef87ddb297e991b61a7295eaf1c366dc1335816b945b8b4cb0b9af0ae07a487404fb490da6d9b4195d8d3e639b5b015e3938ebc0e8d07a74190f031701a

C:\Users\Admin\AppData\Local\Temp\E3wFJlgCesAw.bat

MD5 27ab9e31ed4eab6e5d9c1ca380a40dfb
SHA1 421bc0dc277d3c4e84ea236ed44b357dcd78963d
SHA256 d1ddab0902ca7a3c3f4b8352ee17c5a58a52e18e84a5c4b82b1b7daae6a9364d
SHA512 f19f6ef87ddb297e991b61a7295eaf1c366dc1335816b945b8b4cb0b9af0ae07a487404fb490da6d9b4195d8d3e639b5b015e3938ebc0e8d07a74190f031701a

memory/2828-139-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/320-142-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

memory/320-141-0x00000000003A0000-0x00000000006C4000-memory.dmp

memory/320-143-0x000000001B1B0000-0x000000001B230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oui5RqI0o0NL.bat

MD5 f54421e54c839e88171ca27fd1be5161
SHA1 60197b5ad4f3bed7a3e2044a59c5b6f9c605782e
SHA256 fa8a51b00e88cc8a6f915cb98b107bf92054c76f3cfd951d49797be14bf0b21e
SHA512 c5ea23ba756a6dfb0444676d140997a9674e9081d3a0538d69b4091a37ce247720981aeec14995816a99b33faf9dea4db25035f9ae5275feaef21139cfac6bd6

C:\Users\Admin\AppData\Local\Temp\oui5RqI0o0NL.bat

MD5 f54421e54c839e88171ca27fd1be5161
SHA1 60197b5ad4f3bed7a3e2044a59c5b6f9c605782e
SHA256 fa8a51b00e88cc8a6f915cb98b107bf92054c76f3cfd951d49797be14bf0b21e
SHA512 c5ea23ba756a6dfb0444676d140997a9674e9081d3a0538d69b4091a37ce247720981aeec14995816a99b33faf9dea4db25035f9ae5275feaef21139cfac6bd6

memory/320-153-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/1916-156-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

memory/1916-155-0x00000000009A0000-0x0000000000CC4000-memory.dmp

memory/1916-157-0x000000001B440000-0x000000001B4C0000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\oLrBki14JESQ.bat

MD5 6a53a9bd19aec80a0dc8d5edc716e70e
SHA1 3000abda3262cc499d4841d5fa99fa7b9ec851e9
SHA256 1e481a426fce15e68908c4edfd4c9e028415e9ceed768cad0d3fa71d92b3cbc1
SHA512 964b95e70de2e2a5fce7e30d1d9c5a83b49d7c1ccd195626ae2ce0b9e590b78d80fd7e455eab3de5deb0b434f19e5ab4022bfabbf5c4b94b261bff7894e31fd0

C:\Users\Admin\AppData\Local\Temp\oLrBki14JESQ.bat

MD5 6a53a9bd19aec80a0dc8d5edc716e70e
SHA1 3000abda3262cc499d4841d5fa99fa7b9ec851e9
SHA256 1e481a426fce15e68908c4edfd4c9e028415e9ceed768cad0d3fa71d92b3cbc1
SHA512 964b95e70de2e2a5fce7e30d1d9c5a83b49d7c1ccd195626ae2ce0b9e590b78d80fd7e455eab3de5deb0b434f19e5ab4022bfabbf5c4b94b261bff7894e31fd0

memory/1916-168-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/1644-170-0x0000000000B70000-0x0000000000E94000-memory.dmp

memory/1644-171-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

memory/1644-172-0x000000001B110000-0x000000001B190000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TKho1CjnTeCm.bat

MD5 a173bddaa9d249d04bf2b1252bbd0637
SHA1 b505de9e99dc5bdc5057a81676957bd8ee6d225a
SHA256 44e5b0f245d7790d681b9958edc8b6ec62937318f47b050d8f39ba60bd1a9c53
SHA512 174738f37b7df2d34756fedc8cf738698f7981bea4bbcb5023fc374119b59d37ddcdbba7a59f5025d00c78d2cc24a1e3d10989365e4c141958b99459e85dec60

memory/1644-181-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TKho1CjnTeCm.bat

MD5 a173bddaa9d249d04bf2b1252bbd0637
SHA1 b505de9e99dc5bdc5057a81676957bd8ee6d225a
SHA256 44e5b0f245d7790d681b9958edc8b6ec62937318f47b050d8f39ba60bd1a9c53
SHA512 174738f37b7df2d34756fedc8cf738698f7981bea4bbcb5023fc374119b59d37ddcdbba7a59f5025d00c78d2cc24a1e3d10989365e4c141958b99459e85dec60

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/2508-184-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

memory/2508-185-0x0000000000DB0000-0x00000000010D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aVMRgECE3VaG.bat

MD5 0b31a42d81e5dec7dc151785fde90ba0
SHA1 58ca101d3807216d6f6875b9b0563fad2aeb40eb
SHA256 8e71620ea4a6798249913a4907d4ec7ee8f904bfabf29eee4d575dca3874c015
SHA512 b4e1113cc19f5a1c4a1411a5e968295535a74d9c8027ceead622b7ac175ed23c8459e44c51952bea90f782ccef303e2ed3c50e9c7d47bb002aed435aaf1559b6

C:\Users\Admin\AppData\Local\Temp\aVMRgECE3VaG.bat

MD5 0b31a42d81e5dec7dc151785fde90ba0
SHA1 58ca101d3807216d6f6875b9b0563fad2aeb40eb
SHA256 8e71620ea4a6798249913a4907d4ec7ee8f904bfabf29eee4d575dca3874c015
SHA512 b4e1113cc19f5a1c4a1411a5e968295535a74d9c8027ceead622b7ac175ed23c8459e44c51952bea90f782ccef303e2ed3c50e9c7d47bb002aed435aaf1559b6

memory/2508-195-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/2492-200-0x000007FEF6030000-0x000007FEF60A4000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/2856-203-0x0000000000F60000-0x0000000001284000-memory.dmp

memory/2856-202-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

memory/2856-204-0x000000001AE50000-0x000000001AED0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kCCWrPilTFtU.bat

MD5 d31ae2394fa707f5465f3c719946d6ea
SHA1 f52f1305bc3c8f2b43936e7d7f3d732baff0d9b6
SHA256 3610af47be4198369460f3f1ab4a698522e60cf0d0a9c9ab40dd0f5522f48768
SHA512 25975b921c606dce12ce53a6390df42758ab066971105c4c0be18ac4e96650d390f2091b4a4a6fe53327f043a4aa651cd89ea05284f510e07529e3d92f409cb0

memory/2856-213-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kCCWrPilTFtU.bat

MD5 d31ae2394fa707f5465f3c719946d6ea
SHA1 f52f1305bc3c8f2b43936e7d7f3d732baff0d9b6
SHA256 3610af47be4198369460f3f1ab4a698522e60cf0d0a9c9ab40dd0f5522f48768
SHA512 25975b921c606dce12ce53a6390df42758ab066971105c4c0be18ac4e96650d390f2091b4a4a6fe53327f043a4aa651cd89ea05284f510e07529e3d92f409cb0

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/2656-216-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\WKkXLOvmOmCx.bat

MD5 d7d78693b8e761b911077f5f99c19512
SHA1 d5a3f1c06f1c29be539c2d967dd0a7396f7fd169
SHA256 3d71138a3e07f23a3dcdb02390babbf00a03e4f1d8b0d091fd3cc617725bbd8f
SHA512 dea8b778af419e3fccd8876cc3085e3964146359ace23ac89dd776896a972ae12246d4db760ee3f11a35c188d4785798c65221e7f724132c3348eae4f4d60f07

memory/2656-226-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WKkXLOvmOmCx.bat

MD5 d7d78693b8e761b911077f5f99c19512
SHA1 d5a3f1c06f1c29be539c2d967dd0a7396f7fd169
SHA256 3d71138a3e07f23a3dcdb02390babbf00a03e4f1d8b0d091fd3cc617725bbd8f
SHA512 dea8b778af419e3fccd8876cc3085e3964146359ace23ac89dd776896a972ae12246d4db760ee3f11a35c188d4785798c65221e7f724132c3348eae4f4d60f07

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/752-229-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

memory/752-230-0x000000001B2F0000-0x000000001B370000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lzWnr55pgE3b.bat

MD5 273848098d3708e8d0b3332e1663727c
SHA1 548f9448def08582f686202fb064ddfa36cd727e
SHA256 954ac2ee075f48b2fd9b46c37cfe8457d706ffdda8ebc33633ed56e9afcc3244
SHA512 e585a7952b0c84f618b817bd2beb5923d42961f7bc86e0bf53a6f457977a71703c1a3f9b838f050fd0c66be3c5f9ebe50caebeb2bf8abf398905e460d1b68872

C:\Users\Admin\AppData\Local\Temp\lzWnr55pgE3b.bat

MD5 273848098d3708e8d0b3332e1663727c
SHA1 548f9448def08582f686202fb064ddfa36cd727e
SHA256 954ac2ee075f48b2fd9b46c37cfe8457d706ffdda8ebc33633ed56e9afcc3244
SHA512 e585a7952b0c84f618b817bd2beb5923d42961f7bc86e0bf53a6f457977a71703c1a3f9b838f050fd0c66be3c5f9ebe50caebeb2bf8abf398905e460d1b68872

memory/752-240-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/2384-242-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0lemZy83vhVE.bat

MD5 5552fe1b16e9e9f021b290a29141a00d
SHA1 421016294f0d0fb3a998c4fd696feff23978ef4b
SHA256 d97d80d9e3584a5bc54bf0c361d53bac4276308ceea8cf1abd1992eee6275f25
SHA512 f85a372df7855d9f434e5792691a2643152d342dd814f10b06361d779598021f47e0cdfd6bf0a1aea46c7e6d389ad142462c364c5dd6ffb7c911f2cc6d1a3454

C:\Users\Admin\AppData\Local\Temp\0lemZy83vhVE.bat

MD5 5552fe1b16e9e9f021b290a29141a00d
SHA1 421016294f0d0fb3a998c4fd696feff23978ef4b
SHA256 d97d80d9e3584a5bc54bf0c361d53bac4276308ceea8cf1abd1992eee6275f25
SHA512 f85a372df7855d9f434e5792691a2643152d342dd814f10b06361d779598021f47e0cdfd6bf0a1aea46c7e6d389ad142462c364c5dd6ffb7c911f2cc6d1a3454

memory/2384-252-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/2060-254-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ltZSEeu4N1n.bat

MD5 260b658efb0eed5eb9d4ff7e6e2ef587
SHA1 6730ca88f3d1a65ba1a0e4feb8706bbfd85ea931
SHA256 22955c368ef60de3f86345eeb18cd61b8af3915b358bf3413b282e8e57adb588
SHA512 60ab2522d63f12f0158b8a0af840e785fbf4c429a20ae06e3ef13f5c575d8f0f7e575b194c826d604cd5e2692d0ea34de976615240c3c45aa30cd87eeda01737

memory/2060-263-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ltZSEeu4N1n.bat

MD5 260b658efb0eed5eb9d4ff7e6e2ef587
SHA1 6730ca88f3d1a65ba1a0e4feb8706bbfd85ea931
SHA256 22955c368ef60de3f86345eeb18cd61b8af3915b358bf3413b282e8e57adb588
SHA512 60ab2522d63f12f0158b8a0af840e785fbf4c429a20ae06e3ef13f5c575d8f0f7e575b194c826d604cd5e2692d0ea34de976615240c3c45aa30cd87eeda01737

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/648-266-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eqCderUEv21J.bat

MD5 a37cfcef40f9d9c993c66113d5a40c57
SHA1 23d3c0143c398c9494b4d97b7c9202f034c15d5c
SHA256 2d21cc2f8351b09b23d7e2da545fe6399f32352c5524bd52d5287e836ea39c7b
SHA512 e2c87767c6106e99362a9e5bb093ed8069172b39c7f73ae7b70724bc7b65d66be84dfdc1b7c3e8261d37214588bbcb50cd1f10f5f0db129fc9d8af5e54d6bd98

C:\Users\Admin\AppData\Local\Temp\eqCderUEv21J.bat

MD5 a37cfcef40f9d9c993c66113d5a40c57
SHA1 23d3c0143c398c9494b4d97b7c9202f034c15d5c
SHA256 2d21cc2f8351b09b23d7e2da545fe6399f32352c5524bd52d5287e836ea39c7b
SHA512 e2c87767c6106e99362a9e5bb093ed8069172b39c7f73ae7b70724bc7b65d66be84dfdc1b7c3e8261d37214588bbcb50cd1f10f5f0db129fc9d8af5e54d6bd98

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

C:\Users\Admin\AppData\Local\Temp\WC9nSKs479EF.bat

MD5 45140f26943522b7a3cda5b2e7aa4905
SHA1 5ffef4ffdfe1dfa21fb4366181ec8aad4f84969c
SHA256 d98a88dfa71e3d9644ea0b84e9bb9519e411b8123f2946e7f9cd0274f6fcb133
SHA512 8fc6d4cc354b7bc3526b2a0fb98d06dc78e25160297fb0f2f61949a51da6c824a81c5cd81dcdc4e94a410524e5d52adf59f46c8405f13ae661acc50f6a3de594

C:\Users\Admin\AppData\Local\Temp\WC9nSKs479EF.bat

MD5 45140f26943522b7a3cda5b2e7aa4905
SHA1 5ffef4ffdfe1dfa21fb4366181ec8aad4f84969c
SHA256 d98a88dfa71e3d9644ea0b84e9bb9519e411b8123f2946e7f9cd0274f6fcb133
SHA512 8fc6d4cc354b7bc3526b2a0fb98d06dc78e25160297fb0f2f61949a51da6c824a81c5cd81dcdc4e94a410524e5d52adf59f46c8405f13ae661acc50f6a3de594

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-03 01:12

Reported

2023-12-03 01:17

Platform

win10v2004-20231130-en

Max time kernel

299s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2660 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2660 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
PID 4708 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4708 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\cmd.exe
PID 1044 wrote to memory of 3872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1044 wrote to memory of 1892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1044 wrote to memory of 2248 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
PID 2248 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2248 wrote to memory of 660 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 4456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 660 wrote to memory of 4800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 660 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
PID 2796 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2796 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\cmd.exe
PID 4312 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4312 wrote to memory of 4088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4312 wrote to memory of 3708 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
PID 3708 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3708 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\cmd.exe
PID 3752 wrote to memory of 3368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3752 wrote to memory of 3460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3752 wrote to memory of 4568 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
PID 4568 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4568 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\cmd.exe
PID 548 wrote to memory of 2184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 548 wrote to memory of 368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 548 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
PID 4608 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4608 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\cmd.exe
PID 4192 wrote to memory of 4916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4192 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4192 wrote to memory of 4764 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe

"C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Il806Jm7yne8.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Re5KMI6wW3h8.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gt7YQNYUqKj1.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmHPWzle3zC6.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\65O5FiYZXoIl.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMMn23ZKrxmI.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PlWcqpVPQCDF.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWbobNUBRGEX.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T1oKeUmHpzbl.bat" "

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\88RvB909yIp0.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JLtnMCKBmOHC.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ac5pdvMfNXKN.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qvKqHfYnVMsM.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAEeyDOzdiQa.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NjnnPdaAB4jU.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rBZeHovO0fvy.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pHKoLpQaRfvt.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SN9ZyHo7e5DK.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6YEuayCubRjZ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMPKnKDF1n8H.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AFm5FN0mKmKi.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQnUjnh5EA9n.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\trlpnNYGYNif.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qorYvB6TaubC.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7SbHhDIJBMvk.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ss1jEtDo1zsK.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W7XwxDzxGRH9.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V7qxQj920Vza.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l99qMAK6oT89.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwxt3OyvtdwR.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp

Files

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/4708-9-0x00007FF9AC700000-0x00007FF9AD1C1000-memory.dmp

memory/2660-8-0x00007FF9AC700000-0x00007FF9AD1C1000-memory.dmp

memory/4708-10-0x000000001C070000-0x000000001C080000-memory.dmp

memory/4708-11-0x000000001BFB0000-0x000000001C000000-memory.dmp

memory/4708-12-0x000000001C640000-0x000000001C6F2000-memory.dmp

memory/4708-17-0x00007FF9AC700000-0x00007FF9AD1C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Il806Jm7yne8.bat

MD5 ef9d0499c09f779cb0bf5e7a855cdd84
SHA1 1dcab9f5a168cc59897c28e22aafd27dccad9c73
SHA256 84969d1773184cafb492a40caa3c7271e4e584ef8586087d5c2790aeab6601d1
SHA512 e50d085f7d9c53fb46559e4a58a133c70bb8c09d8f33b4a55c7187fa867bee9420b9500b7a218b5fa1e884d4920c313df8a490906136c679f07d1ed2c2bb5220

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\LethalCumpany.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

memory/2248-21-0x00007FF9AC700000-0x00007FF9AD1C1000-memory.dmp

memory/2248-22-0x000000001B320000-0x000000001B330000-memory.dmp

memory/2248-26-0x00007FF9AC700000-0x00007FF9AD1C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Re5KMI6wW3h8.bat

MD5 b824ad13922cfb29488fa17fffb0d7dd
SHA1 6532fbfc8c945470310b08651fbba1a23819c5a3
SHA256 dba256a854797133b0c5d4e8692fd1785cdead1fbe723936a63d33d6f30a651c
SHA512 0bee4751413581c2646f605f1d2026589012338eb2f80cf13c08c225e8d01d29f7a758d7648eda35881f860bd9581445a7a7f028a21254029f683f05f7b62aac

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/2796-29-0x00007FF9AC700000-0x00007FF9AD1C1000-memory.dmp

memory/2796-30-0x000000001BB90000-0x000000001BBA0000-memory.dmp

memory/2796-34-0x00007FF9AC700000-0x00007FF9AD1C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gt7YQNYUqKj1.bat

MD5 72d614536fbceab63e7c69430882eeeb
SHA1 322b8fcbd0291c86bd035523f7d0dfc91b6de428
SHA256 67265ae763d936cb658e643721ab16bdbb31659dd8052f8384476ffcdbf22c83
SHA512 5ae30e084788c791b5ce1842bd3b2df26b210279044357d69f8be4fc20e5f953f5fca6b9b5489e48dc2a904a77cf345c657928817bb252fa59c2c3e3e7faebe9

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/3708-37-0x00007FF9AC700000-0x00007FF9AD1C1000-memory.dmp

memory/3708-38-0x000000001B5D0000-0x000000001B5E0000-memory.dmp

memory/3708-42-0x00007FF9AC700000-0x00007FF9AD1C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DmHPWzle3zC6.bat

MD5 9cf94316d06b25dfdf60ab239b005a06
SHA1 988f251e0cfa431cdbebb204194e43ef958597c4
SHA256 f9cbd1b396b3c73a9ba30aaba95ef9e752a4e21833373ab3096903e4982a58f3
SHA512 fa649f519c65a5fa71e725fb565d7402676d66531cc0863fdc24b3a6a45e6b0033783ade4cd924cf17bb52413e4c7855ab993fbbda4a44bf7bde58494a893d4a

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/4568-46-0x00000000035B0000-0x00000000035C0000-memory.dmp

memory/4568-45-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

memory/4568-50-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\65O5FiYZXoIl.bat

MD5 9db710994d2a732ae31f44bb4d087011
SHA1 d5b13216a789ed90eaccabf19bedac5cceaaa22d
SHA256 039947847b8fa7f7a13d96e7a01d546f27b7c43f201c039e840bb09cfd09ea4a
SHA512 47b891117cee758b2b212c8d957db564737ddaff2d6f63f3d495a2255f0f2dd2953cfdf90420c4080d3bdb79421689ee92c03b201464efae40cd9833104b7c0d

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/4608-53-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

memory/4608-54-0x000000001BB10000-0x000000001BB20000-memory.dmp

memory/4608-58-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HMMn23ZKrxmI.bat

MD5 5ef96d0842c4eb09e71da7fad1a41adc
SHA1 2519eff0f980ecd5ab505eb936410f5106ad01ec
SHA256 b4c9aa7484bef6a1b65481d242b0d6e2ec18ead2314878afb191bbbcc02c886a
SHA512 a9f7ec094c2edb7b81625ba4f99ab30201219ae01a938b1f8d3af4120bb8db6036ea4d02d40f859fe1869bc1714a99e97ae5607d5c23be8e6ca593533bd96ad8

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/4764-61-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

memory/4764-62-0x000000001B7C0000-0x000000001B7D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PlWcqpVPQCDF.bat

MD5 bf9af80515e144af3b8b6370789fb2e5
SHA1 70df22be484e8300a7a7e199d00693e2ccf11834
SHA256 dfb8ce335d1d567187a1d7c21c9794e4a8743c5babc6493eb33b3e620812849d
SHA512 3aa5976325597fdc2aba98ec75c4069a2a46ace0a293160a5d77c529b60f725f4b443bfee17b73a2fc6fa78d2ba75bff6bbccdbe531f903047c70ab2697672ec

memory/4764-67-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/2224-69-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

memory/2224-70-0x0000000002C30000-0x0000000002C40000-memory.dmp

memory/2224-74-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MWbobNUBRGEX.bat

MD5 735dd7b4521be06ae296f51304498940
SHA1 e7c7d56f31c0e8971228cda2a95787f7e00aee3c
SHA256 63340e79059ee12ef5f530e11f97aefc499fbc2616a12acc89369cbaa7863e29
SHA512 e797c9363945e86f98c1c1c24d82ca3450a821e12822611a30c7fbc78d5114834a9cef829e629536aad5a93bd977b86512f6af2fb344416be45e614a2b550384

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/3600-78-0x00000000032C0000-0x00000000032D0000-memory.dmp

memory/3600-77-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

memory/3600-82-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\T1oKeUmHpzbl.bat

MD5 37cf823113dcdb117c04ebc7ae576666
SHA1 d2f49543ce6094506064c4b11559abc256395be7
SHA256 14ad619b9dbc31726776e4e641b3b21eaa1d5465dc0b41d1a814508d647ff662
SHA512 56727934d9c9993b9cf2ba7948d08ec0f859f64400bf002397d1d6539b42c6b803758728b4484cbe52854bf65ec0dbb473c64d72b0cc548c035ca03cb1e18c96

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

MD5 3c4b297ab9e22cbe51307529e6c7d17d
SHA1 b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632
SHA256 be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352
SHA512 68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

memory/1056-85-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

memory/1056-86-0x000000001B320000-0x000000001B330000-memory.dmp

memory/1056-90-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\88RvB909yIp0.bat

MD5 43376ce08de629b7fcd8ae812b9a7a58
SHA1 2672cd11710d6c0d593337c61005c47248f1c701
SHA256 fb1b5b8f21fd0edacb4e366c58efd80a1da6403598c3e151f15a320260efda43
SHA512 e1eab5d469bb1469cf077875fa073eb676736aa8ad1e06fb6d97a98fa082d76e8df3d1d34a3af064a6f40b77d1869853ba2e195f7e4a97ec34c71a6569bfb3b4

memory/3180-93-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

memory/3180-94-0x000000001B8F0000-0x000000001B900000-memory.dmp

memory/3180-98-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JLtnMCKBmOHC.bat

MD5 3cff770fd222b3c2a347a465c8246646
SHA1 bccb8a7d0398032a855725b2a5948a3454298909
SHA256 cbb37aa15d44dbb7192df3aa6624d58415fac404f4b255d4d81a57e7b85b6705
SHA512 291a49cc954f9156c39877ab40d3cf95c584d5208efa28df595d28d415ee288d4adaec50c2f54dd8c96ea19a6cb7946a7c4be0ed7e3e945831337ac10cd4945b

memory/864-101-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

memory/864-102-0x00000000024F0000-0x0000000002500000-memory.dmp

memory/864-106-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ac5pdvMfNXKN.bat

MD5 ed852138dfba33b874b838f2a8dbd4d9
SHA1 0a44f49ceeda7709b5c56211eed38f4fbd8ba7db
SHA256 8c23ac4cef530b42e90f648acfe5bfcbf7a2ef8344ec91be874a6ce6dfeb3e79
SHA512 2be55c79015c248945e6f1b127e27d6dd8b1ba3a8c3245798a57cf10c59ad7f2438260629aae185552386d3a042ff7ba05dc144ed3a6b11140e5935d85f99a0b

memory/1176-109-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

memory/1176-110-0x000000001B010000-0x000000001B020000-memory.dmp

memory/1176-114-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qvKqHfYnVMsM.bat

MD5 3bb400deac565c32832a4616abde7fda
SHA1 81639a2155831caa3e23c9bac470c9b63f095ada
SHA256 682c1e73769d7a350202907f3ce47ea652212d7f0b2695f21cbbddba4483eb9b
SHA512 c62e28e47914cbb99d2d802cec4c066d03125983d0c891fb8fd302960276dd1e4beea553bb0fcb6f1e65d1375e9fc3e25860bd33c601425edd8c81a7a12b241e

memory/3788-117-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

memory/3788-118-0x000000001B9B0000-0x000000001B9C0000-memory.dmp

memory/3788-122-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QAEeyDOzdiQa.bat

MD5 664c35ab84ae974ac0e87d7bdbdc3a49
SHA1 35c1fa0a1424c5d7cd0a0036165e4f93577cfa63
SHA256 9e0bc1847013285779f56574441d037ab3bafc6966e14eedb761c3dd02840034
SHA512 c70480954f8d84c1afec42ddf09d9fbb00726780050020b73ba43ff1397499e9dd8b1049bc938f2480e77a73d2e62db569042e65fbb48c1486dd44205144d197

memory/2756-126-0x000000001B4E0000-0x000000001B4F0000-memory.dmp

memory/2756-125-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

memory/2756-130-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NjnnPdaAB4jU.bat

MD5 7f18659efa3196f593ab32d699f49c08
SHA1 0d61161e208e850b5f27172d7d7e4ee498a6f00f
SHA256 8bacfb8de5fe12e93142f6ed7a4b9729abf5acf0f6e5dee4bb9fc7d6c97e8f50
SHA512 93020f02e5059d453a323f1bddee409183b84c33ee48e6c87284910c49b1899d9125f4de94d5efc41f1d238100807afe12f5655194de3af18f16ac6582e1e1b2

memory/2716-133-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

memory/2716-134-0x000000001B370000-0x000000001B380000-memory.dmp

memory/2716-138-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rBZeHovO0fvy.bat

MD5 e95b18c8eee4a742659149886d3fa7dd
SHA1 abf53a0c93abe097a8a34b0aa7030efd027609e1
SHA256 7b742b2f380145671707854613b2c1cf67a110c40954bf846f5b6f388a07ca24
SHA512 10e5cfd183ba39b4602b1b68ee1a6827823e70402ec8bff2e7763f4d3a8b28f6e56c744461a8ae2f2e2b303be28c5963c63fe418e4b5a5b7af492e235b2fb8ac

memory/4172-141-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

memory/4172-142-0x000000001BD60000-0x000000001BD70000-memory.dmp

memory/4172-147-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pHKoLpQaRfvt.bat

MD5 6ce48e623d5aa88856cda3d7ac58f6ee
SHA1 49fb6322a5645d72c6212621036ae6b6c377b535
SHA256 3247e4776b52facc692a0f691aa301f0fc419b288a15bacaebd766fa0b420499
SHA512 a7bdd60033b36aa017bed9c23e6ad21ad5ca7c1dd5bc07a2badf682798a055316a0dd09379bb4238a8fbbe573b73a9c613cd47a9101ebcbab9966f5547102a48

memory/2916-149-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

memory/2916-150-0x000000001BCC0000-0x000000001BCD0000-memory.dmp

memory/2916-154-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SN9ZyHo7e5DK.bat

MD5 46170273d33f2bc6a15600c700be4645
SHA1 a67824075b0dd2993d9b0fe29819d22291c3413f
SHA256 a36d18d31c1dd98e37752e999e3791fd76630018932cd654d84ededa148acd90
SHA512 4c45b405d198d7329cbce8cd3f1dd4a4e07860d37cbb8cf8bd450c99d4d8ee3d4ca6ee4e3cda05fa99e4d9d8ef12668caa532d8e389d569cd859f75b1338b8d7

memory/3136-158-0x000000001BAA0000-0x000000001BAB0000-memory.dmp

memory/3136-157-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

memory/3136-162-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6YEuayCubRjZ.bat

MD5 b81d4bb4839ae6fd4fd14826d6512f6b
SHA1 c572850912db9cd08a3ecf7a1dc1d5d1b28f8650
SHA256 65dd93bfdf76a9585ab295cc0e10546aa0f8ec2707207afcb2f7a5f26583d9b4
SHA512 a7be9584a8d812c92af87343142806d6e9bec330c16dda82d173902cefbafa60d677c84f5782cdd0ed6e524862e0892c16aac65b572139a58880396cff0fa8af

memory/3988-165-0x00007FF9ACA80000-0x00007FF9AD541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gMPKnKDF1n8H.bat

MD5 a5409aecdcdbe4ecd5c844b115c44738
SHA1 8f16c3080472f99ddc34bd5973b4b58f6601621c
SHA256 ce9020c100fd63c48de8ca8a15be1dba4578e1d4b527ae96e6ebcb98ecf6125a
SHA512 2c0d83dd3a412356e18972f0b04e4931353192e46fd917d1972a1af296e3a9b94d3cf49dea1dd8efa1baf7417cd1d1e9170e56a5b8bf8b5edbb84caa498c74de

C:\Users\Admin\AppData\Local\Temp\AFm5FN0mKmKi.bat

MD5 f30184bd75fa3182cdcb25c389e413fb
SHA1 1489225414ddf4de2fb8975edb719a324cb6394f
SHA256 5d3b59a99046b4257a5fb7d4d950be923fd91e6499841608146092c8606a13d0
SHA512 74795cf500f58a2953884dc7db172f13d86f19ed8dac8b8f8d176bda0666927d6d6a765d001f81cf39ce52a5f536da56f19f99ea4d02b8ca59a77d9f595a134c

C:\Users\Admin\AppData\Local\Temp\mQnUjnh5EA9n.bat

MD5 60486dfcf6ae5c2b27b65940fd831aa7
SHA1 19d811cee59258a1b958ddf2e676975a374f4d8b
SHA256 0719a55b1b01333c82438460f903b0309e37327a026d4e93c8c90f5546b98607
SHA512 b106a9a3f1df0606e461e8615322c2d114eaaa8e6f80013c8bc9186e426cdbba043ce6b99f592bf4e48063e2828e9a1635d4f04a66818f72b2557d8d391474ea

C:\Users\Admin\AppData\Local\Temp\trlpnNYGYNif.bat

MD5 5044ab4203011d80c186dcccdbb659b8
SHA1 0d531907f689e5fd42db60e3452489c257736585
SHA256 1fb8f94d5bc3052aa8962a8e306cb6ecb96fa1ae6a8ee0a3902e0cdc30600351
SHA512 714f751161f6a593669bbb278bb15d842453efe9775880782916f9c6db6685c582f4a8cb5bd896f88376e9e546729fd30ee03bae0d57f996927c710a02e0bd1b

C:\Users\Admin\AppData\Local\Temp\qorYvB6TaubC.bat

MD5 a7bf16db87731b2498ba39b31ce162dc
SHA1 7480311cac452282610e850462839bc8b6468d2a
SHA256 ce7982f48d148150b30d5d9146e415d00e5e4a2d16ae3074a1b3faf05d2a4830
SHA512 1a12f4c03d8abc92561a7639b4ec980ab4e4ed49026977cbdcc0c48f0f9fbfd78c727f51bcb71ed1f6b38d531a776b1378df846ab2720092662dd291789b6b5c

C:\Users\Admin\AppData\Local\Temp\7SbHhDIJBMvk.bat

MD5 8208b1046db1d6092cc4a584a8a01c6e
SHA1 bdb854622146089316e959b4b0f4e7a285fe089f
SHA256 aa75c87f821fe78b90dc4e177ce1ec8ff543a76cf169c261c75675702bc1b67b
SHA512 1f97d55c22668d44cccdf640d293f0bbae7085c00f0a965842ec898058104588305b1259f7dab14817af2495728f82d921ca3f2cc40b63e419a83774c6aafbd0

C:\Users\Admin\AppData\Local\Temp\ss1jEtDo1zsK.bat

MD5 58a6e4e6e4b18bc481089fb6d1fce063
SHA1 33c3dfedbcd6ba3f597f71ccf009a2fa8fd702ff
SHA256 77e586cb9e945c86afe3bf69c7e73b6109cbce5097c7fc47f31a5bf4e1b4d838
SHA512 b5e532ff373f3b50df1661103d84ebb73374794735cc9c32f48e199eb05300b4078aed1e275d5ec68b028d9fde1bafc3ed604f2da9ac713dc8db6d8acd9f1f69

C:\Users\Admin\AppData\Local\Temp\W7XwxDzxGRH9.bat

MD5 031dc556fbf1f202bf1b66685416481e
SHA1 64f0edf7be47847c6c7a45c21a371c862b825107
SHA256 40719cde6ce7727cbc369dfcbc0cc1047416e2004f755926ab142e2ef4426f79
SHA512 79cbc814417d87637a9b6373c0ebd251c984f7ad944602db4acbc0ff8b5c0154e4c142b2d5cc8d2e776152f4a0d4e13f34a45b37f6dbcbf65ca3e0f4058ea31a

C:\Users\Admin\AppData\Local\Temp\V7qxQj920Vza.bat

MD5 2a413ff478c853c6a0da11701fa0605d
SHA1 fa98e6452fdb4f158eacf1b3e5c4098004f748be
SHA256 b86ef947cde14695dbe2b1bf8826a2f67df6114ba6c4000e57aa982e1da9a1dd
SHA512 787432d28e87774ba1cabfb2f6f6735a60aff9e6bb7c9716e26c9bd0feed0ffbab319590f8dbcf19fae52379797b2693652d5f85d5e57476b9c03e4290d3e423

C:\Users\Admin\AppData\Local\Temp\l99qMAK6oT89.bat

MD5 429aa718035b603e590c57939f732aa5
SHA1 1e53a5de64cc11fc7f160607f56a2f4fd68d8e71
SHA256 6194614afeb27d44b470f0a66e0498fe2a9391eed4ab834f2c42492432e2a955
SHA512 141dfc9b7fa3e1c326af7ae55cf2826d7f37546b21fe49ef8c2bf752be14cb7010bac6a49c5b4e6862a3feee3074522a9312bb86ac28f1fb9f858ef3aab4b3cc

C:\Users\Admin\AppData\Local\Temp\xwxt3OyvtdwR.bat

MD5 c979415d9d09df6c2e284dc48b9ebfd3
SHA1 46a98166ced111c50ef5127c4d019e27c9224c41
SHA256 2244f8dbceb4a697c69d780bb4a82700354ffeb1cc7f62ebdeea9c6f6cda100c
SHA512 fff03cb4f1405af614a01db2ffe424cef73e5074877abc930543c636c7795223b58ee2cc0fc51de2e0bdecf9222e1880e55fb3aa5c669b09ee085eb8e028bcce