Analysis Overview
SHA256
7d4360572b15734e1a337f5ec11ce5d27f3fe0da3b308b5f6a4f52c4c6ede872
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Quasar family
Checks computer location settings
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Runs ping.exe
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 06:19
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 06:19
Reported
2024-06-14 06:36
Platform
win7-20240611-en
Max time kernel
1041s
Max time network
1046s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target | Count |
| PID 2832 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | 3 |
PID 2832 is the submitted Client-built.exe and PID 3064 is the dropped Client.exe it launched (the same PIDs appear in the memory dump names under Files). The three identical rows in the original listing are collapsed here with a count; the writes happen when the parent starts its installed copy, not when it injects into a foreign process.
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto | Connections |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp | 4 |
| DE | 193.161.193.99:54169 | nexosmith1231-54169.portmap.host | tcp | 202 |
The original listing has one row per connection; the rows are identical and are collapsed here with a count. In order, each of the four DNS lookups of the domain is followed by a run of TCP connections to the same host and port (42, 64, 64 and 32 connections respectively), which is the client reconnecting to its controller for the whole run. The hostname is a portmap.host port-forwarding name and embeds the forwarded port (54169) in its first label, so the IP belongs to the forwarding service rather than to the operator's own host.
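The network table shows 202 TCP connections to one host and port on a portmap.host hostname, interleaved with four DNS lookups: the client reconnecting to its controller for the whole run. The Python below is an added example, not part of this report or of Quasar, that reads a flow log and flags flows with the traits visible in the table (a port-forwarding hostname, the port number carried in the hostname label, an uncommon destination port, and reconnects at a regular interval). The log format, the 5-second reconnect interval, the benign traffic to a TEST-NET address and the tunnel-suffix list are all constructed assumptions for illustration; the report gives only the destination and the connection count.

```python
"""Summarise outbound connections and flag RAT-like reconnect behaviour.

Input is a constructed flow log, one connection per line:
  <ISO-8601 ts> <src ip:port> -> <dst ip:port> <tcp|udp> <resolved domain>
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"(?P<proto>tcp|udp) (?P<domain>\S+)$"
)
# Hostname suffixes of port-forwarding / tunnel services. The report's C2 is a
# portmap.host name; treating this as an analyst-maintained list is an assumption.
TUNNEL_SUFFIXES = (".portmap.host",)
COMMON_SERVICE_PORTS = {22, 25, 53, 80, 123, 443, 465, 587, 993, 995, 8080, 8443}


def build_sample_log():
    """Constructed log: one DNS lookup, twelve reconnects to the report's C2
    host:port, and irregular benign HTTPS traffic to a TEST-NET address.
    The 5 s reconnect interval is invented; the report gives only counts."""
    base = datetime(2024, 6, 14, 6, 20, 0, tzinfo=timezone.utc)

    def line(offset_s, src_port, dst, proto, domain):
        ts = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{ts} 10.0.0.5:{src_port} -> {dst} {proto} {domain}"

    c2 = "nexosmith1231-54169.portmap.host"
    lines = [line(0, 51000, "8.8.8.8:53", "udp", c2)]
    lines += [line(1 + 5 * i, 49710 + i, "193.161.193.99:54169", "tcp", c2) for i in range(12)]
    for i, off in enumerate((2, 3, 43, 46, 166, 175)):
        lines.append(line(off, 49800 + i, "203.0.113.10:443", "tcp", "update.example.com"))
    return lines


def analyse(lines, min_connections=5, max_jitter=0.25):
    """Group TCP connections by (dst ip, port, proto, domain) and return the
    flows with at least min_connections that show one or more RAT-like traits."""
    flows = defaultdict(list)
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows[(m["dst_ip"], int(m["dst_port"]), m["proto"], m["domain"])].append(ts)

    findings = []
    for (ip, port, proto, domain), stamps in flows.items():
        if proto != "tcp" or len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        reasons = []
        if domain.endswith(TUNNEL_SUFFIXES):
            reasons.append("tunnel/port-forwarding hostname")
        if str(port) in domain.split(".")[0]:
            reasons.append("port number embedded in hostname label")
        if port not in COMMON_SERVICE_PORTS:
            reasons.append(f"uncommon destination port {port}")
        # Low spread of the inter-connection gaps relative to the median means a
        # fixed reconnect timer rather than user-driven traffic.
        if median_gap > 0 and statistics.pstdev(gaps) / median_gap <= max_jitter:
            reasons.append(f"regular reconnect interval (median {median_gap:.0f} s)")
        if reasons:
            findings.append({"dst": f"{ip}:{port}", "domain": domain,
                             "connections": len(stamps), "median_gap_s": median_gap,
                             "reasons": reasons})
    return sorted(findings, key=lambda f: -f["connections"])


if __name__ == "__main__":
    for finding in analyse(build_sample_log()):
        print(finding)
```

Run against the constructed log, `analyse` returns a single finding for 193.161.193.99:54169 with all four reasons, while the irregular HTTPS flow to the TEST-NET address produces none. The jitter threshold is the knob to tune: a client with a randomised reconnect delay would still trip the hostname and port checks but not the interval check.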
Files
memory/2832-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp
memory/2832-1-0x0000000000E70000-0x0000000001194000-memory.dmp
memory/2832-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | e9ae93609972ffe5da8353a5e3801d09 |
| SHA1 | 425e18db24e72cb393c29a554c13672418912ba6 |
| SHA256 | 7d4360572b15734e1a337f5ec11ce5d27f3fe0da3b308b5f6a4f52c4c6ede872 |
| SHA512 | 3a1ec7883cbc7f9a0f2cc9f53636daa0cac9807e780de4f61ca64932b43393f8037300fbdc9ae9d5a0cffb9deae277c3383c512bae9dead2c78148aaa5c392cb |
The dropped Client.exe has the same SHA256 as the submitted Client-built.exe (see Analysis Overview), so the install step is a byte-for-byte copy of the sample into AppData\Roaming\SubDir rather than a second-stage download; one file hash covers both paths.
memory/2832-7-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp
memory/3064-8-0x00000000000E0000-0x0000000000404000-memory.dmp
memory/3064-10-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp
memory/3064-9-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp
memory/3064-11-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp
memory/3064-12-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 06:19
Reported
2024-06-14 06:36
Platform
win10v2004-20240508-en
Max time kernel
1044s
Max time network
1050s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target | Count |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A | 51 |
The 51 identical rows of the original listing are collapsed here with a count; the reads are spread across the repeated Client.exe instances in the process list. Geo\Nation holds the user's configured country (the Windows GeoID). The sandbox flags the read as a possible location check, but the value is also read during ordinary locale initialisation, so on its own it is weak evidence of geofencing.
Executes dropped EXE
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iV1zIRFzrRaV.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5ToqNmoA7PrK.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKvNji6b02Hi.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xje6nTtj2ast.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ljX7zZsYK50Y.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKY5tLjp7shY.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOlmryrIetHe.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T99ZDw4cF7WA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DA3X6K5XtWeB.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PFlVgv1XsyHP.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmF9dPR3RpUv.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffda98e46f8,0x7ffda98e4708,0x7ffda98e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,7970779122530318117,14853157331273164835,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2004 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,7970779122530318117,14853157331273164835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,7970779122530318117,14853157331273164835,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,7970779122530318117,14853157331273164835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,7970779122530318117,14853157331273164835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,7970779122530318117,14853157331273164835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,7970779122530318117,14853157331273164835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4436 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,7970779122530318117,14853157331273164835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3588 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,7970779122530318117,14853157331273164835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3588 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,7970779122530318117,14853157331273164835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,7970779122530318117,14853157331273164835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,7970779122530318117,14853157331273164835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCYODJgxCCTU.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0SwA3CRRwXBC.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,7970779122530318117,14853157331273164835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0t499jaG5s2h.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mI1Zw016Zx2C.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D0LzSg24nHg0.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2wSAmeBr0FvR.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ljPiKpJVg9Ip.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bno44Qpq0knT.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQPWmtzQMQGW.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkAk7WQz9i7t.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Juic4YfzRoQH.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QJpKhxS8zk7P.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOZZHKPDVW59.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CLbSsRfEZ5mq.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgGirNyVHq0Y.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0efOYvR5Hxs2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOCw8gkNx7sm.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gdk5wmOlwsop.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKfLz4fyfHPc.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mauMF4YzQJkD.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bN58HObjlHfp.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sgsa84TGXLVv.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HXRNdnVjayPX.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\getUoT9ypikK.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O22fyfChhpAf.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOMjHzwLA8RG.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ufJj03S5MQcA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QFp3ZQxeGo3d.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IZgXbEyP5chf.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSd2OKXqUDO3.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ExZfVf7HRKfD.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8a023joq78P8.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o299sDhl7Xyc.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JJtVe682zUm6.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGJCZSl0IU4E.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1asFAZkZXROV.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pDrkjzASYHg3.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIrcdgOnW2z5.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fS1bzIa0Qu0s.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xFad5U21p53c.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
| US | 8.8.8.8:53 | nexosmith1231-54169.portmap.host | udp |
Files
memory/2772-0-0x00007FFDAE393000-0x00007FFDAE395000-memory.dmp
memory/2772-1-0x0000000000630000-0x0000000000954000-memory.dmp
memory/2772-2-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | e9ae93609972ffe5da8353a5e3801d09 |
| SHA1 | 425e18db24e72cb393c29a554c13672418912ba6 |
| SHA256 | 7d4360572b15734e1a337f5ec11ce5d27f3fe0da3b308b5f6a4f52c4c6ede872 |
| SHA512 | 3a1ec7883cbc7f9a0f2cc9f53636daa0cac9807e780de4f61ca64932b43393f8037300fbdc9ae9d5a0cffb9deae277c3383c512bae9dead2c78148aaa5c392cb |
memory/1564-9-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp
memory/2772-8-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp
memory/1564-10-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp
memory/1564-11-0x000000001BE10000-0x000000001BE60000-memory.dmp
memory/1564-12-0x000000001C3E0000-0x000000001C492000-memory.dmp
memory/1564-17-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iV1zIRFzrRaV.bat
| MD5 | 78a13d8c545994c4b89cc77b0d309392 |
| SHA1 | 96be9cbad647148e7b511f39d1d33bb585e08d2d |
| SHA256 | 1bc077fa5c29926ae2a1cc7042dd6537e659b3676e436cfedccdcbc48aff31ad |
| SHA512 | 87d719d8120b3d2b964940734bf7c2a08588baca139fe3395c7205a7d5c754c1e79b933a1bf78a4e06bdeea724b377c5dee2a2c9c73cf40870062c54f4fcafd1 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
| MD5 | 8f0271a63446aef01cf2bfc7b7c7976b |
| SHA1 | b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7 |
| SHA256 | da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c |
| SHA512 | 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5 |
C:\Users\Admin\AppData\Local\Temp\5ToqNmoA7PrK.bat
| MD5 | 21ae3b1d858035b123503e552aa01dfa |
| SHA1 | 50feef56d5e8d332f836716c2c15a9ccd1b12979 |
| SHA256 | 621a9dd99fb448b3ef099d8c13e7e3e2eac8d6b1ed0683513224cd29e06e52f7 |
| SHA512 | c529e71c9a55bf6a00e0a9a9930ccaec81900b230d9144045b3613121093aa4dc3c655b90e7206280d517f7958116002a7c3f4614e2ee86295eb7301b0244ecc |
C:\Users\Admin\AppData\Local\Temp\vKvNji6b02Hi.bat
| MD5 | 5335c52343077f902160f027e97af5ae |
| SHA1 | 5b1c8fa7f2cb3a2180301a43e0f7369df7664d85 |
| SHA256 | faae2e9f3ed704827a0771fc5b3adb7e618c9106a5aaa8b68339ab4c4a26d009 |
| SHA512 | 1bd65703d81bf4fd190078bc877b4fd6a5f3f127cda393a0488604ec5817f0abdd3c13199bf4b49257199634c48ada18088397e0a9669d5a08825a5bae3f8f7d |
C:\Users\Admin\AppData\Local\Temp\Xje6nTtj2ast.bat
| MD5 | 7c12c1624cf07bfd84927cbe6770642e |
| SHA1 | 96edcb450f73f8f213c5f6399659f5c15cff4268 |
| SHA256 | 3d9a6032536e77bba01873e536cc406a65fca943b6c92bd4ae77505751440f49 |
| SHA512 | d7f1e6089dccc569174c4a5986b504fac7c51ed2edce2758c6454da40c72e0e3d45c11ec0bbd22ba387687da0cbb1b74ebc173809c9a57be2e2731879194b0ea |
C:\Users\Admin\AppData\Local\Temp\ljX7zZsYK50Y.bat
| MD5 | f5124f2a49dcdd63809d8472b41ce69b |
| SHA1 | 0385fe1725d9d251f9c9884a42ee48357d40aa21 |
| SHA256 | 98427d9ddc367ed0a0d18f9479f2426064c5a9354a1ccb7fe11fd409c5eae3bf |
| SHA512 | cd7a3de2e8b68ae5679523887bb837615583d82bd18ee54dad9387d8e3ebc1cd3e2946f8e0b96161cc0fbf7852c68d70f5b86c87fa21086a21c183868afc6389 |
C:\Users\Admin\AppData\Local\Temp\bKY5tLjp7shY.bat
| MD5 | 42541e7238b415bf17931f193b292b11 |
| SHA1 | 4468118eb87010bc0be9a3d80acb9e4658ccb086 |
| SHA256 | 441116231a4b05b2a6b505a43e36f5d0fb174529fbd31ce723db7b9b57f995cf |
| SHA512 | 5873bd19b2f968f0c0e6c24e0f745b8d108ff5bac4097e511311390f203e595121f536d1863c2aee36d48b36d043bc88d6b681c9e029a2fdd63403468e9f3968 |
C:\Users\Admin\AppData\Local\Temp\SOlmryrIetHe.bat
| MD5 | faf67baf7a8a1defddc0988ad79ea368 |
| SHA1 | 44e60a9d5f0443affc87a0e54014b73dfc7ade09 |
| SHA256 | b5010d1ad58666064392dcbcf52633edddbc8eeddd0decb17760de82cdc4e8c3 |
| SHA512 | 075fac574e00a82c5c18f72433dc04ebb97c7c650288825eef772d656deb14801bc5c1792690df5d1f5d56ebd64e0b13740f3004b4f8e818bfcff31c995cd1dc |
C:\Users\Admin\AppData\Local\Temp\T99ZDw4cF7WA.bat
| MD5 | 7ebf9ca52040fbb039c17bf0292d1ba7 |
| SHA1 | 65363c7048dc88a1293cccb4a7590be7cc8aa4dc |
| SHA256 | d941c3165be0a923a98a808b8c20222fc73f1002bd8707d6034040d8db179eda |
| SHA512 | 28e771946ff2733f6806709b3aa430abba9bdf8f46d1470624fa69fb04749abecb7ef0f473211d1eacfbcbbb67d7bb7753dda6397579db6a1800118ee250a2c8 |
C:\Users\Admin\AppData\Local\Temp\DA3X6K5XtWeB.bat
| MD5 | cab000f6bcde737ec3f7953ea58fd9b6 |
| SHA1 | aafa77c583333f5042e83338e415600529f0fe6f |
| SHA256 | 71ef21ca74eccb0117e84e4657a6d9f4525d92a4cc0b78143d77c62520c07dc2 |
| SHA512 | 983ebecec51885c6bfdeff785b0d5339ce313344d23fe6ebb4651e42ca26b7f3cb4e75064294b92827c1069bb76021625d309c65a1f03cae73d283329b963e37 |
C:\Users\Admin\AppData\Local\Temp\PFlVgv1XsyHP.bat
| MD5 | 2ff40e65b8907fbf6dc61b0b2dc60128 |
| SHA1 | 5adc83bf4351d3db52543c2b7733032dbf95f67f |
| SHA256 | 65ade44c8faea76eeb1ec4deb302338acce45348e524b7bad222641600af2d00 |
| SHA512 | 005c1072c13f3fe24cedf4af0403e6770f8e70340101c32c91bdbb15cc4ac20503534e5988d9005bff00a38b9e61cba8de9f4714b3913512431ee541144b1703 |
C:\Users\Admin\AppData\Local\Temp\WmF9dPR3RpUv.bat
| MD5 | 587c3e62a300132ba2e822ee759f8d9b |
| SHA1 | 1f8be5d59f9312e9882f4d10e8c08b6ec0ed6809 |
| SHA256 | 52f0de8fc0b735fe00dd56f0463c9bca80d62c7994fe4fb0bb037e09f1ec28fc |
| SHA512 | 11a44302365d31747bb575b883ce184d4d872582c271d5cfab1a26c5de533ba53dcbcafe03d45d58db3725384d29eead068eaf9ef74b9be69adf3d63e26615a3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4158365912175436289496136e7912c2 |
| SHA1 | 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59 |
| SHA256 | 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1 |
| SHA512 | 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b |
\??\pipe\LOCAL\crashpad_3548_LBYZKYGGRONXLDXM
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ce4c898f8fc7601e2fbc252fdadb5115 |
| SHA1 | 01bf06badc5da353e539c7c07527d30dccc55a91 |
| SHA256 | bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa |
| SHA512 | 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bffa942dda153d9770fca12585e1cb01 |
| SHA1 | bcfe0993417cbe0289d743edcf1279f3592e2245 |
| SHA256 | 58074cd473373ac07528202bd7b9d8b8db961c31eab6dbbe824c90815ba26158 |
| SHA512 | dc90efcc0677cfbe95ed7391680bd2bca73dcc00a24e60c9ffccc10c803754eebd1308da9cafe09a7ac19e51e1ec6c523b9a59c670af4b434b7ceef7b3d66e30 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 40a911d2da61bb6136699aa0e6e96c2a |
| SHA1 | 81f7f6f8f2fe647e6f5a143bf087ca392c913e70 |
| SHA256 | e5df9014df7f5d5a542d80818e9fcc8274fc032d6df408384d3f9f55672b374c |
| SHA512 | 26972371ab3ae62d6a5d457bc9d75c70f8f96603486ebcfa85781979069dd87251f7ce68747773c6e71c5460b3be15f58611e313881b516fa5be6fc4d2f30e19 |
C:\Users\Admin\AppData\Local\Temp\iCYODJgxCCTU.bat
| MD5 | 8f2a603d4483eaeeb186c1ae044f2913 |
| SHA1 | 8a1936b47c645c06c2e1bde1244ec50de4e46db1 |
| SHA256 | b6cdee602f380c73096fbfec56cb7d788ae2a3187f7bccb29d274109cba2549d |
| SHA512 | bfca910a1e89ed3815b4a1acb9f7dc43082212617446207e9f2b78b54a0f22a47a4f54356bce2921e63a1f18d299731f982ac9e5a53746052445b480a2cff10f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5ff7dca469d0f3a8a2607bc2a16a9629 |
| SHA1 | ad0f3346aacf2f5ef3d7968999a8bb7d5e59ec11 |
| SHA256 | ba253cf94b490efd263870417755723e02cc62bb1eaba94ae6021861362998a8 |
| SHA512 | 815799b8f5867bb612781169cd81e31e947931aabebbf81b943366609c400cff1fe6ac2aceec531a1dccc42af8080adf21a23f3d94dbfbcf2c26f8bb8eeb7c63 |
C:\Users\Admin\AppData\Local\Temp\0SwA3CRRwXBC.bat
| MD5 | c5cc28dd7317941297f8ac010cea9f89 |
| SHA1 | fd0a3109c88ee34804d80c78ec33fd2f07e4c9ab |
| SHA256 | 2181e9eb0f40abb4f783f3dc03633188a6bbfb7b1e417a139fcc11ac4de114f3 |
| SHA512 | 8e78c9146efdb2ec10eaf8e16ef86e243643c1617799f684f26634c3327cbce8acf0d0060fda84abacad0098be0ef08c49c040f538a9e39cafeb88b3113d9940 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 17d4eb211dc8ff366910c80d30cd5f02 |
| SHA1 | 6831108132bc1fa786c7cd85198a544797fb174d |
| SHA256 | 582ee6a9cd88fbf258124476854c6db8457d77a0ffdf9e2099224b7f939a69a6 |
| SHA512 | 4473fd0eea0e049c6fa4d9384499b94518e3bae98b79ab903b75ed0f5b0f92a292227e42e6dc9c8c3a0e515349e099e90628c3a75034730878e8060361a8687d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d66614a7e909759b5e2830d7c5a4c840 |
| SHA1 | 7cf0cf2197140d0292593935df7362090eb4887a |
| SHA256 | 932b84b6937724b7326bdf5eb98b1c20749b3a98afcc18186a552b28ce38e1f2 |
| SHA512 | 951d6dfc02ef545396400835b0f20fbd1718744490631b2723a0aeae4feac59f50390e57df339f0c6ad3254c6e5de3fa9ea7028fab08e204c262865c68c2af0f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | 9fcaee4ef380f9a11a9c9b720a52ba9f |
| SHA1 | cbd6a4e78ea513bb8d9a9c3f0c8c137725980a2d |
| SHA256 | c5755a7c6dc63cf7ba831c43d466d90e628e190d4cfcc559ece78f8727a8632f |
| SHA512 | d46a79e952c2e8abb33203515513d682b58ea8149027a4fa885e76c5464620edccac7ef7008db1e14124f93ba89a48b917c1df3b56e0a67d463f14dc2b2e0016 |
C:\Users\Admin\AppData\Local\Temp\0t499jaG5s2h.bat
| MD5 | 3746d5bac21524a315c539f64669180c |
| SHA1 | 926977fae837675b6a1a10c6cca1b2824e350d40 |
| SHA256 | c24725e677162749a81c078bbcdbf686d6a675fadc707d01ae9f46e59cfc5093 |
| SHA512 | 7cea6cb1078dd075c57ccac4703fe0c8e9f2c77ac6b7f0415404072f055e9fc005bf081555e5f49c5d6421ecbf2eb4f7f1aefe95ab6d81527b2fec3ea4631975 |
C:\Users\Admin\AppData\Local\Temp\mI1Zw016Zx2C.bat
| MD5 | eb453dd1a3d97fd9d37570ca31656d1e |
| SHA1 | da8f56d66a5485e6d4f8e3bcc185e38dee0437df |
| SHA256 | 49201554a818172656e511eabeae8c402552b1a6af38bfb75e2303508c436215 |
| SHA512 | 7ff6cbe6ba0ec1f673fea75f388ada803a66b6fe1d7fc63d6502a4013fbcdd44e1b8ff35e894bc1cc366481a4cf4c5766e69c7f34eb58cb82ff608ad498f9460 |
C:\Users\Admin\AppData\Local\Temp\D0LzSg24nHg0.bat
| MD5 | 5cee076b691b0247767a4cf9d6977740 |
| SHA1 | 65b7afb0d7e17481bd472574199a3f9d701e527d |
| SHA256 | 6e5020338d9d80c45075407979887bd5bee4661b30c0bac5bebf8ea34b452046 |
| SHA512 | 0a3dd12f43214daf742820be1ff27b1260729b41e433f8a035c85ff588c94ed92e532b3b43802373adc745279d9d13aec7f9613515771c128fe5e637e612f19a |
C:\Users\Admin\AppData\Local\Temp\2wSAmeBr0FvR.bat
| MD5 | f864ceddb75cc102f108aabb1896fc4e |
| SHA1 | fd7cd5e106fc2a8f679b2a525927c3a8dc705187 |
| SHA256 | da6c45d05cd5123852f5758ffee3b0acd9553274822e506dcc4506da214f90c8 |
| SHA512 | 42420044f0231433b017d9d56be1900ad3e81744acc367345f78832c215c8340dd16ec967a8006e3481cd75f6242f679f02e09de431fa0db309d028b95b7fbdd |
C:\Users\Admin\AppData\Local\Temp\ljPiKpJVg9Ip.bat
| MD5 | 7da4aec00a750963c633aa14b089b3e2 |
| SHA1 | 05758e73de962d3c3cc87fabef6b41531a875323 |
| SHA256 | fdadabb41a8acb3221c22a4cec9f23a9a779a7f5b42d618967cae65945ea37e9 |
| SHA512 | 2d02257ecdf44b60a558a34d467fe2b3036c9edb881200485624d03ebcad40ec132bc967a4deef3134146504b3165a179cecde325b4b4f31c4343a37b7c6af3e |
C:\Users\Admin\AppData\Local\Temp\Bno44Qpq0knT.bat
| MD5 | 10aeb3aa8386d4abca102e02fca47590 |
| SHA1 | 9508f0239a97912571692dbb637108bc53450799 |
| SHA256 | 5913736356804596f488edb5f00a31fca42e0eb2bf487a76b02457277d39f44e |
| SHA512 | cbfff38191a63772924814c9c5da1b7618f927e450937b6fb972a6f2e0e292c03cc705f45c80493c4163ea3267fba1e4e3b7b9141795a8f24f50c04e04f28950 |
C:\Users\Admin\AppData\Local\Temp\SQPWmtzQMQGW.bat
| MD5 | e30846b1523e96d210db5708d01a3f1d |
| SHA1 | 9164b06d1ad35c8f4c44c7bfaebd8c06c4dc2e46 |
| SHA256 | ba2960f91eeebfd27ae05c1e21ab765ab67911dd6e1bf5f0c385f3444939920c |
| SHA512 | 8a9876a6f486f972070a85420bef661153954ae3f07dbb3c00d56fa7e2fefca4e24c72143b80086f6c2261b5041603f68c7f03840d08c92aa96fa1b7274d5594 |
C:\Users\Admin\AppData\Local\Temp\zkAk7WQz9i7t.bat
| MD5 | c8bdafcf21562ea70c1b71b50a8d7a2e |
| SHA1 | 5555290423b59402aaf80324393145392a03563f |
| SHA256 | 17825e12f095830295624eb468052247baef74ea718c5a1d7adb939dba549995 |
| SHA512 | f0afcd8ae0b99e5a51c4407f0f14b9928519974ffd194d1c8bea2512ae69441f730a1b7c2e8b00f25cd2b69379ded419bf6718d80cd0b0ef9335b34f68fe4a30 |
C:\Users\Admin\AppData\Local\Temp\Juic4YfzRoQH.bat
| MD5 | ef985a474bae65f256a845e9b87d6a0b |
| SHA1 | 6d1472689c910e6a3ba81c2e9808e7818b9f3366 |
| SHA256 | 351bb07ded60473ade650cf9fc0a02100e93c87604a2497edb2534c32e55e612 |
| SHA512 | e97afc7627d4c26c41272cf7d52a2aa42e54e02872a2e92ed5b3fb0dce9b420e822793315a985e4a89b0e7dd08cfb444a0cd2f7e1c83b7e88392717f19c7c304 |
C:\Users\Admin\AppData\Local\Temp\QJpKhxS8zk7P.bat
| MD5 | 59014b7007b66905211f086c218c4e73 |
| SHA1 | 0ea2a4c6b0f95b27bfafdd512262dd5cb82d3557 |
| SHA256 | 2a94cfdd1cc83f7c340fd0c1c85493c064cde39aa7a87a8995162fe41e1df2a3 |
| SHA512 | f3ccf7e70b43a6a3e2742c25b471c186faa6fe984b9a7bdbd542f35454d9304c8213afa7026d1111e3be4645961ad873d93974bf8cd345a604283d8adcefd613 |
C:\Users\Admin\AppData\Local\Temp\cOZZHKPDVW59.bat
| MD5 | a51d8d7a195a715a600686ee16d2199c |
| SHA1 | 5ddfa6aa3f219c16a2ff365347a2275fabcb6f17 |
| SHA256 | 6046e57639bbe90956172d6c4ca1488c8b78b005a61f7b24bb68790b9db97fcc |
| SHA512 | 13f179f3f1f659a0657b318c69bf88726af68f1b6f49b88a11c5fffca02faf97da87f1d5e027c73efb9dddd9f822f36ca32601399c79b500d7f43eecc9af179e |
C:\Users\Admin\AppData\Local\Temp\CLbSsRfEZ5mq.bat
| MD5 | 53810adf06ce4269aab70828b290dd48 |
| SHA1 | 0a19bd0cc03fc13682e78cd5c867105352b23786 |
| SHA256 | 10533b4b8a19dc4bfa6064d8bf5e5184c5eeba6aafcbb82d8260de6099d1ccb6 |
| SHA512 | ebf7e5e8f7a518cc79489809b7c991a2c648d02ce6835ad9992dc1f5601b0a68c07d6a43acbef413cdd60b6e5a6b51f75954c39c81346e1dddc9d48176903b95 |
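A way to put the dropped-file listing above to use, as an added example that is not part of the report or the sandbox's own tooling: parse the listing in its own layout (a path line followed by one `| MD5 | ... |` row per digest), strip the sandbox's `C:\Users\Admin\` prefix so the paths apply to any user profile, and sweep a directory tree for either a SHA256 match or a path-suffix match. Two caveats a practitioner should carry into this: the same `Edge\User Data\Local State` path appears three times above with three different hashes, so digests of browser-profile files are specific to this detonation and path matches on them would hit every host with Edge installed; the `AppData\Local\Temp\*.bat` entries are the ones worth path-matching, and even their names should be treated as specific to this run unless another report confirms them. The two listing entries in `SAMPLE_LISTING` are copied from the report; the fixture files, the `original.bin` record and all file contents are constructed for the demo.

```python
"""Parse a dropped-file listing (path line + digest table rows) into IOC
records and sweep a directory tree for SHA256 or path-suffix matches.
Added example; the two SAMPLE_LISTING entries are copied from the report,
everything written to disk is constructed."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Constructed sample in the report's own layout (two entries copied verbatim).
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\iCYODJgxCCTU.bat
| MD5 | 8f2a603d4483eaeeb186c1ae044f2913 |
| SHA1 | 8a1936b47c645c06c2e1bde1244ec50de4e46db1 |
| SHA256 | b6cdee602f380c73096fbfec56cb7d788ae2a3187f7bccb29d274109cba2549d |
| SHA512 | bfca910a1e89ed3815b4a1acb9f7dc43082212617446207e9f2b78b54a0f22a47a4f54356bce2921e63a1f18d299731f982ac9e5a53746052445b480a2cff10f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5ff7dca469d0f3a8a2607bc2a16a9629 |
| SHA1 | ad0f3346aacf2f5ef3d7968999a8bb7d5e59ec11 |
| SHA256 | ba253cf94b490efd263870417755723e02cc62bb1eaba94ae6021861362998a8 |
| SHA512 | 815799b8f5867bb612781169cd81e31e947931aabebbf81b943366609c400cff1fe6ac2aceec531a1dccc42af8080adf21a23f3d94dbfbcf2c26f8bb8eeb7c63 |
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                       # a Windows path line
ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
USER_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)


def parse_listing(text: str) -> List[Dict[str, str]]:
    """Turn 'path line, then digest rows' into [{'path':..., 'md5':..., 'sha256':...}, ...]."""
    records: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            records.append(current)
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
    return records


def user_relative(path: str) -> str:
    """Drop the sandbox's C:\\Users\\Admin\\ prefix so the suffix matches any profile."""
    return USER_RE.sub("", path)


def sha256_of(fp: str) -> str:
    h = hashlib.sha256()
    with open(fp, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Walk `root` (a user profile directory) and return (file, reason, ioc_path)
    for every SHA256 match and every profile-relative path match."""
    by_hash = {r["sha256"]: r["path"] for r in records if "sha256" in r}
    suffixes = {user_relative(r["path"]).lower(): r["path"] for r in records}
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            fp = os.path.join(dirpath, name)
            rel = os.path.relpath(fp, root).replace("/", "\\").lower()
            if rel in suffixes:
                hits.append((fp, "path", suffixes[rel]))
            try:
                digest = sha256_of(fp)
            except OSError:
                continue
            if digest in by_hash:
                hits.append((fp, "sha256", by_hash[digest]))
    return hits


def build_demo_tree(root: str) -> List[Dict[str, str]]:
    """Constructed fixture: a fake profile under `root`, plus the IOC records to
    sweep it with (the two report entries and one hypothetical hash-only record)."""
    records = parse_listing(SAMPLE_LISTING)
    temp_dir = os.path.join(root, "AppData", "Local", "Temp")
    os.makedirs(temp_dir, exist_ok=True)
    with open(os.path.join(temp_dir, "iCYODJgxCCTU.bat"), "wb") as f:
        f.write(b"@echo off\r\n")          # same relative path, made-up contents: path hit only
    downloads = os.path.join(root, "Downloads")
    os.makedirs(downloads, exist_ok=True)
    payload = b"constructed sample, not malware"
    with open(os.path.join(downloads, "renamed.bin"), "wb") as f:
        f.write(payload)                    # renamed copy: hash hit only
    records.append({"path": r"C:\Users\Admin\Desktop\original.bin",   # hypothetical record
                    "sha256": hashlib.sha256(payload).hexdigest()})
    return records


def run_demo() -> List[Tuple[str, str]]:
    """Sweep the constructed fixture and return (reason, file name) pairs."""
    with tempfile.TemporaryDirectory() as root:
        records = build_demo_tree(root)
        return sorted((reason, os.path.basename(fp)) for fp, reason, _ in sweep(root, records))


if __name__ == "__main__":
    for reason, name in run_demo():
        print(f"{reason:7s} {name}")
```

Point `sweep()` at a real profile directory (`%USERPROFILE%`) with the full listing pasted into `parse_listing()`; a hash hit on any of the `Temp\*.bat` entries is the strong signal, while a hit on an Edge profile file on its own says nothing without the other indicators.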