quasar | 5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe
Size

359KB
MD5

c820d74f7c81a37b97c9bfc22e65c568
SHA1

76bf7b427b0c1f2fc63315d1fd1645b387860659
SHA256

5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693
SHA512

4b11ea4632c685159e6eed1113c2d7e4617e866f93615fa8fef1e6484f9b0fff7105422739ade962f37549b2b76ccf0a75a436dccbe7abbdd10dcf493d2ca9c3
SSDEEP

6144:b4up0yN90QEV9DKkTB1rF2yCnsYvAVQOtRsmkwzMf4u+bb9BDjvb:bky90DdKkTBJFrYvWQsR9kwpNbb9Vb

Score

10^/10

quasar office04 discovery execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

maximazorreguieta.no-ip.info:3406

queenmaxima.zapto.org:3406

Mutex

QSR_MUTEX_FAc01gnRthaGJO3mEj

Attributes

encryption_key
6KdEgYSDGAflKInAE9Az
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

Processes:

5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe
11	ip-api.com
52	ip-api.com
69	ip-api.com

Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1506554485\1506554485.exe	family_quasar
behavioral1/memory/5020-31-0x0000000000AE0000-0x0000000000B3E000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2276 powershell.exe

pid	process
2276	powershell.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 14 IoCs

Processes:

1506554485.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
5020	1506554485.exe
4460	Client.exe
2372	Client.exe
772	Client.exe
2004	Client.exe
4920	Client.exe
2860	Client.exe
2624	Client.exe
2012	Client.exe
1040	Client.exe
3292	Client.exe
3208	Client.exe
4316	Client.exe
4056	Client.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
52 ip-api.com
69 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
11	ip-api.com
52	ip-api.com
69	ip-api.com

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4272	4460	WerFault.exe	Client.exe
3996	2372	WerFault.exe	Client.exe
2620	772	WerFault.exe	Client.exe
4064	2004	WerFault.exe	Client.exe
1488	4920	WerFault.exe	Client.exe
3944	2860	WerFault.exe	Client.exe
2680	2624	WerFault.exe	Client.exe
2560	2012	WerFault.exe	Client.exe
3816	1040	WerFault.exe	Client.exe
1672	3292	WerFault.exe	Client.exe
2624	3208	WerFault.exe	Client.exe
4332	4316	WerFault.exe	Client.exe
2660	4056	WerFault.exe	Client.exe

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

PING.EXEClient.exePING.EXEPING.EXEClient.exePING.EXEchcp.comPING.EXEcmd.exeClient.exeClient.exechcp.comcmd.exeClient.exechcp.comchcp.comchcp.com1506554485.exePING.EXEPING.EXEchcp.comClient.execmd.execmd.execmd.exechcp.comchcp.comcmd.execmd.execmd.exePING.EXEcmd.exePING.EXEClient.exeClient.exePING.EXEcmd.exeClient.exeClient.exechcp.comchcp.comPING.EXEchcp.comcmd.exePING.EXEcmd.execmd.exechcp.comClient.exechcp.comClient.exePING.EXEClient.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1506554485.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
700	PING.EXE
3364	PING.EXE
3696	PING.EXE
4052	PING.EXE
644	PING.EXE
2580	PING.EXE
3332	PING.EXE
1492	PING.EXE
2284	PING.EXE
428	PING.EXE
2972	PING.EXE
1724	PING.EXE
3052	PING.EXE

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1724	PING.EXE
700	PING.EXE
3052	PING.EXE
3364	PING.EXE
4052	PING.EXE
2580	PING.EXE
2972	PING.EXE
644	PING.EXE
3332	PING.EXE
1492	PING.EXE
2284	PING.EXE
3696	PING.EXE
428	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2276 powershell.exe
2276 powershell.exe

pid	process
2276	powershell.exe
2276	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exe1506554485.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	5020	1506554485.exe
Token: SeDebugPrivilege	4460	Client.exe
Token: SeDebugPrivilege	2372	Client.exe
Token: SeDebugPrivilege	772	Client.exe
Token: SeDebugPrivilege	2004	Client.exe
Token: SeDebugPrivilege	4920	Client.exe
Token: SeDebugPrivilege	2860	Client.exe
Token: SeDebugPrivilege	2624	Client.exe
Token: SeDebugPrivilege	2012	Client.exe
Token: SeDebugPrivilege	1040	Client.exe
Token: SeDebugPrivilege	3292	Client.exe
Token: SeDebugPrivilege	3208	Client.exe
Token: SeDebugPrivilege	4316	Client.exe
Token: SeDebugPrivilege	4056	Client.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
4460	Client.exe
2372	Client.exe
772	Client.exe
2004	Client.exe
4920	Client.exe
2860	Client.exe
2624	Client.exe
2012	Client.exe
1040	Client.exe
3292	Client.exe
3208	Client.exe
4316	Client.exe
4056	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.execmd.exepowershell.exe1506554485.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 1316 wrote to memory of 2192	1316	5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe	cmd.exe
PID 1316 wrote to memory of 2192	1316	5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe	cmd.exe
PID 1316 wrote to memory of 4232	1316	5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe	cmd.exe
PID 1316 wrote to memory of 4232	1316	5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe	cmd.exe
PID 4232 wrote to memory of 2276	4232	cmd.exe	powershell.exe
PID 4232 wrote to memory of 2276	4232	cmd.exe	powershell.exe
PID 2276 wrote to memory of 5020	2276	powershell.exe	1506554485.exe
PID 2276 wrote to memory of 5020	2276	powershell.exe	1506554485.exe
PID 2276 wrote to memory of 5020	2276	powershell.exe	1506554485.exe
PID 5020 wrote to memory of 4460	5020	1506554485.exe	Client.exe
PID 5020 wrote to memory of 4460	5020	1506554485.exe	Client.exe
PID 5020 wrote to memory of 4460	5020	1506554485.exe	Client.exe
PID 4460 wrote to memory of 4588	4460	Client.exe	cmd.exe
PID 4460 wrote to memory of 4588	4460	Client.exe	cmd.exe
PID 4460 wrote to memory of 4588	4460	Client.exe	cmd.exe
PID 4588 wrote to memory of 4856	4588	cmd.exe	chcp.com
PID 4588 wrote to memory of 4856	4588	cmd.exe	chcp.com
PID 4588 wrote to memory of 4856	4588	cmd.exe	chcp.com
PID 4588 wrote to memory of 3696	4588	cmd.exe	PING.EXE
PID 4588 wrote to memory of 3696	4588	cmd.exe	PING.EXE
PID 4588 wrote to memory of 3696	4588	cmd.exe	PING.EXE
PID 4588 wrote to memory of 2372	4588	cmd.exe	Client.exe
PID 4588 wrote to memory of 2372	4588	cmd.exe	Client.exe
PID 4588 wrote to memory of 2372	4588	cmd.exe	Client.exe
PID 2372 wrote to memory of 5032	2372	Client.exe	cmd.exe
PID 2372 wrote to memory of 5032	2372	Client.exe	cmd.exe
PID 2372 wrote to memory of 5032	2372	Client.exe	cmd.exe
PID 5032 wrote to memory of 1368	5032	cmd.exe	chcp.com
PID 5032 wrote to memory of 1368	5032	cmd.exe	chcp.com
PID 5032 wrote to memory of 1368	5032	cmd.exe	chcp.com
PID 5032 wrote to memory of 428	5032	cmd.exe	PING.EXE
PID 5032 wrote to memory of 428	5032	cmd.exe	PING.EXE
PID 5032 wrote to memory of 428	5032	cmd.exe	PING.EXE
PID 5032 wrote to memory of 772	5032	cmd.exe	Client.exe
PID 5032 wrote to memory of 772	5032	cmd.exe	Client.exe
PID 5032 wrote to memory of 772	5032	cmd.exe	Client.exe
PID 772 wrote to memory of 3564	772	Client.exe	cmd.exe
PID 772 wrote to memory of 3564	772	Client.exe	cmd.exe
PID 772 wrote to memory of 3564	772	Client.exe	cmd.exe
PID 3564 wrote to memory of 1616	3564	cmd.exe	chcp.com
PID 3564 wrote to memory of 1616	3564	cmd.exe	chcp.com
PID 3564 wrote to memory of 1616	3564	cmd.exe	chcp.com
PID 3564 wrote to memory of 2972	3564	cmd.exe	PING.EXE
PID 3564 wrote to memory of 2972	3564	cmd.exe	PING.EXE
PID 3564 wrote to memory of 2972	3564	cmd.exe	PING.EXE
PID 3564 wrote to memory of 2004	3564	cmd.exe	Client.exe
PID 3564 wrote to memory of 2004	3564	cmd.exe	Client.exe
PID 3564 wrote to memory of 2004	3564	cmd.exe	Client.exe
PID 2004 wrote to memory of 3836	2004	Client.exe	cmd.exe
PID 2004 wrote to memory of 3836	2004	Client.exe	cmd.exe
PID 2004 wrote to memory of 3836	2004	Client.exe	cmd.exe
PID 3836 wrote to memory of 4876	3836	cmd.exe	chcp.com
PID 3836 wrote to memory of 4876	3836	cmd.exe	chcp.com
PID 3836 wrote to memory of 4876	3836	cmd.exe	chcp.com
PID 3836 wrote to memory of 4052	3836	cmd.exe	PING.EXE
PID 3836 wrote to memory of 4052	3836	cmd.exe	PING.EXE
PID 3836 wrote to memory of 4052	3836	cmd.exe	PING.EXE
PID 3836 wrote to memory of 4920	3836	cmd.exe	Client.exe
PID 3836 wrote to memory of 4920	3836	cmd.exe	Client.exe
PID 3836 wrote to memory of 4920	3836	cmd.exe	Client.exe
PID 4920 wrote to memory of 3292	4920	Client.exe	cmd.exe
PID 4920 wrote to memory of 3292	4920	Client.exe	cmd.exe
PID 4920 wrote to memory of 3292	4920	Client.exe	cmd.exe
PID 3292 wrote to memory of 4600	3292	cmd.exe	chcp.com

C:\Users\Admin\AppData\Local\Temp\5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe
"C:\Users\Admin\AppData\Local\Temp\5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe"
1⤵
- Quasar RAT
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c echo.
  2⤵
  PID:2192
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c exec.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\1506554485\1506554485.exe
      "C:\Users\Admin\AppData\Local\Temp\1506554485\1506554485.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4460
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEwGkzYJrMfk.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3696
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sZ6bcYN07olr.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:428
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1zxXUD4FDghB.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2972
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUL42GeukiCw.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4052
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JBsYND9zSP50.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:644
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dx9YbO1pbzcd.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2580
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3hco2oiMElTM.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A4iF1H4pukj7.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:700
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bY6maJeURmEs.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3052
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\drA39AR3Iw3D.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3364
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQ6yqbunV0gN.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3332
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KW0IdXlvBU8Q.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MM8A43L0dioM.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 2220
        30⤵
        Program crash
        
        PID:2660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 2244
        28⤵
        Program crash
        
        PID:4332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 2212
        26⤵
        Program crash
        
        PID:2624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1684
        24⤵
        Program crash
        
        PID:1672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 2224
        22⤵
        Program crash
        
        PID:3816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 2236
        20⤵
        Program crash
        
        PID:2560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 2248
        18⤵
        Program crash
        
        PID:2680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 2208
        16⤵
        Program crash
        
        PID:3944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 2248
        14⤵
        Program crash
        
        PID:1488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 2228
        12⤵
        Program crash
        
        PID:4064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 1684
        10⤵
        Program crash
        
        PID:2620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 2224
        8⤵
        Program crash
        
        PID:3996
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 2268
        6⤵
        Program crash
        
        PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4460 -ip 4460
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2372 -ip 2372
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 772 -ip 772
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2004 -ip 2004
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4920 -ip 4920
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2860 -ip 2860
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2624 -ip 2624
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2012 -ip 2012
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1040 -ip 1040
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3292 -ip 3292
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3208 -ip 3208
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4316 -ip 4316
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4056 -ip 4056
1⤵
PID:444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1506554485\1506554485.exe

Filesize
348KB

MD5
774abffa512e65d0480febc6b7a36c6f

SHA1
be462048acddb3bafab2ce4701de54d34f1c651d

SHA256
fdbf14923ac9154fe7bc1d19191f2506c6004fb30478ce00e90cc684d27fd794

SHA512
5f3807d98087d113831f528712b654d6f4d1448d306ca20aa9490d6d79c40bf35a8b1aacdc04f788777e32db2505fabf43ebbf64f5d426cb798a0d20d533d83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1zxXUD4FDghB.bat

Filesize
207B

MD5
2b731799d1704b209f1e2e61cd877e97

SHA1
d1e9b987180adfb7dc7abd15fb9414f4af2f20c3

SHA256
bf056f01e8a602c7ccb92b0949e23cc1227da58eaba3f9ef69f7a626002b5aeb

SHA512
c67a589087c18b88701942be986daec7d564fdb2d5e7a3c8050a98eabce89bab3e539880bd9c5fd1feba06d0e9e4678cb84b6ec1c76e81a970a3db42f8fe5302

Download Submit
C:\Users\Admin\AppData\Local\Temp\3hco2oiMElTM.bat

Filesize
207B

MD5
844da7d4314b995f47b82a4843699653

SHA1
f468370296046781be19f0d5e339dd22e8803ac4

SHA256
2b36a488a0d365dcd8a3a80a1cd3ac000cd6feafae803d50748d9fb97a1926de

SHA512
e8bf85e2aff7a6ebbaead8c1dd83ec1cb5e925252a26fd6c577c7d4201e256614edcfb3bbf4526dfa0749d05f4ccb782401fc2056919637d5cfeae1ed7bc2ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4iF1H4pukj7.bat

Filesize
207B

MD5
c282aaa8c52d7db5fd621c444eae33c7

SHA1
3e5d755cbb07660cb12f97f3c82d68aa81e489f9

SHA256
4aec09c5875aa29573ac8d020a8e5603aa6661c6e3fb75e6e51666f9b4286697

SHA512
8a3a424c5c886a3b942e4daa5c8635c9e9dee2029e0b20b084fb52ebd26617188bffc4d4c0005c30e8d67e1b690101dfae90e5bd59a9028598714c61161bc104

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dx9YbO1pbzcd.bat

Filesize
207B

MD5
6aed2453795ef7226e9d0d414718c907

SHA1
6374352203183a357c2d59e901af3da8d1d81a57

SHA256
def090ead59b025345d8d0434fda74e73dc7a052c977fea724d63f0fd2f2d5dd

SHA512
d2d6b4f5b1993d9a6e0912523e7aaa2157468ece0b8901723e751aa0700378945fab0ffb66689b32873d6d4374c8abbdc75d3e8dbaaa5712aa03fb69b3b58502

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bits.ps1

Filesize
464KB

MD5
8f7653307cb1e48ae70869a63abb6025

SHA1
b9cf5e61504b4dcc13d1f6b1fb7e289e13ae201c

SHA256
19a2cab7d9682eee7242a8cea36d7ffd72893cf48a314c77b5fb06820e84042e

SHA512
0981e02e7a06e6f0794e4f26388dcb7a511af2e3a1cc37eeff5c10d1af26f3fb29b78f40f89618acb7b927a425db1ade46b81c111d2d14076a611a533db28fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\exec.bat

Filesize
95B

MD5
368e0f2c003376d3bdae1c71dd85ec70

SHA1
e5fa7b58cad7f5df6e3a7c2abeec16365ae17827

SHA256
84ab0b7013c706781f6839235d7d59cfad0874e4cc415aeaa4bf86a8dd99b0d9

SHA512
e3e2c9035fca632d04fd411c394301598e6b964d2ebd79db4fcf19816dd876ed23c51831382202d8f5335a0e4a8721d683c377bb1706e4faa4001387f843d553

Download Submit
C:\Users\Admin\AppData\Local\Temp\JBsYND9zSP50.bat

Filesize
207B

MD5
bca9a4a7c42e134d22a17f2de3086767

SHA1
acc170b704701b4c4e8314fe54182e2fbc48f884

SHA256
e03e75f9234d47abfe32f508e2417d8bdbaf26780533d78c582fdd23c549f60e

SHA512
23b36dc57fdeda9cac7ebbb3edeb7d2160635fdfe02e65fb76082ce5da1eba941b4236099179a5839df6410ee0b9b49eb91d5d912fde7fe9cdffcf327e528941

Download Submit
C:\Users\Admin\AppData\Local\Temp\KW0IdXlvBU8Q.bat

Filesize
207B

MD5
66af36f9668ab05266bd0da5f9fdb570

SHA1
fc2cf041716ed341eb99e8191fa1e400f8d93918

SHA256
149a651febb291453252905b3b4fb4ffe636b56d49c8400f106d8db1ef783feb

SHA512
7a5bf663401f5187be59e6bdec826151a92f821f5caf7e9a2f15edf626ed2ceb3a9d34e640ee5f5f789686171347d9ab2607eea701772406eb9fe9aa0d1e7d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\MM8A43L0dioM.bat

Filesize
207B

MD5
3211f2d1c2e4624a7585437d59f29476

SHA1
6ab72ae58835e663fc5506ee9046f5cc9661b992

SHA256
65fcac36c9a843942fdda5c8940d1fb8980f2c9ca3a5f3731079e2b3cd2d2323

SHA512
89612776e2d1025207ec90b72c7559b25311a832477733c772ab07d610f6f4e54aa636aae2e6f0e6577c24fbfa5ca6b38526e003195f360a356b8d83febad364

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUL42GeukiCw.bat

Filesize
207B

MD5
78b12d10da410809c18e412a1a381dcd

SHA1
e714fb2089032217a6e36093a79dbf8bb556e9e9

SHA256
c12fb36a71f29781838c33e8a21750678cbd2c273745ecb8f476b7426eab7441

SHA512
cd1070d9ec292503fd921738eca2749796f142d32faa9deb3632eead23557d2372a841dc63915936f1d74dfd7d2d21bf2cbb4ec408b95f7b15716b5f3c02b5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5z41q1hc.bbw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bY6maJeURmEs.bat

Filesize
207B

MD5
f7ef7408ca6e7bf861ec1a7d43feecbb

SHA1
70309690ff11ab151651375fc1a521b74a5ca4c5

SHA256
ddd191dfa91f56b7e523532b12252a328437a326b2d4eb0239f91b309d1719c5

SHA512
7873942b7d44884872e92995a43ae43082925ec220938098837d9f46b33407a38a6a2a549e6bc799798656e52e24f1a03d123994b97051ad3de8ea0d6bb2fde5

Download Submit
C:\Users\Admin\AppData\Local\Temp\drA39AR3Iw3D.bat

Filesize
207B

MD5
6c23b2ec549bcddb4b7b6e5cab50c3ce

SHA1
f3617c3af01fc6ff778e3a2ef4966a645cfd63b9

SHA256
6ed9f63e170e1a7017a19a66fbc230873fd03bcbd22b94c9d553bf8f51b8d474

SHA512
cdbf5c64f4059300e2aa4ad9be9b909c666ad768fb982f1691ef822809c1d66b811a637a2a8c1fa5d192d53347dab2d58b4f70af5138bde6e19904a8f44ed9dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jQ6yqbunV0gN.bat

Filesize
207B

MD5
0721e71ffe1c03a8bfbe08a4b4dfc259

SHA1
5719ac346d02673e39dc40d6c254de31d7cfebbc

SHA256
898b39491d7f6e8854c0dc37104783a6d1424d10c7b9aed141df459dbfb88c89

SHA512
ec0dec59828a426c79b0fa3f5c49009627979318c9a0edcf655559a03e24514cf1581339a69e369d8cda116cc31d9082895b6d22b5b849c0958eb164bbe6f165

Download Submit
C:\Users\Admin\AppData\Local\Temp\sZ6bcYN07olr.bat

Filesize
207B

MD5
4f9e4e229ef2f4adcda9f54c855357f8

SHA1
79a9e551585067120a5d2a094d00cc7cfc9c977b

SHA256
8ad6a6f636c1b888bae0699eaa85f815bfef3347a2b93aa753819c69c0a5230e

SHA512
46dccf82211e12128dcb48ec4f93c981c5c615b87b2ae69e1fbef4336c6830f0f612dfed3e48d992da08fdac50fc2f19e7d1eb70f782544b5249808e008e95c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEwGkzYJrMfk.bat

Filesize
207B

MD5
269ee89a547c001b57b2b0b87574b07d

SHA1
d59cca6f68cc923fc1d37d5a32c50b2e44f9d5fa

SHA256
9c4c4c11feb11189b7c71bf57ba77ffbba2e5cbc7811e6bbe1a39bae6bbf8df6

SHA512
3fe3ee85de22f140d9cf3268d4766c42e7970fe6eb2612be3fabbe36952764551e0ff8780ad097b5c55285dd2769b6c8e171f8df2c4cd898e0eb7001f7bad92a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
abcac935f93cec8cee70f8ce75d97d97

SHA1
25ab2f16c1acfce297ecf1cebb285b68d265eab5

SHA256
d830db5605d135f5f9282122bc29d95c41a8f32eb981a7f84552421206e8ab2e

SHA512
11892ba11efc166b44b5fad6eb9fb3e66f14b373fab647f6a881280a6c1229eb4faa173c94d5d464962f277060b790579397e9d91426e6f5252847e2c8ab900d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
4d0c20fa2262628eec63d67436f46b7b

SHA1
152d352a770fde3d13211176f69c23596ddf0a37

SHA256
a29891e9f42046efdc097b753e0cffd022033e4f3c6e904d4829f79c4012b2d0

SHA512
a97baf36a9e70641d8d9bd3fdd0120fb69a5f9a487412fbdc93b2c27fc93b8b898b96e3e2acb67a423c386e0bc0264962e0c7bc9d2beff54f3321d6698822de3

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
be96163d76323242cd5c6bb5b8a10945

SHA1
fa42b3f4da98a7375a12b970d791dceeac9d677a

SHA256
bcff526baecd574c94c26980117f49fd9c1271f0663608cce974af8abf13126f

SHA512
e19155dbd37755cb2d21e4e1488bd166f4f14f97019683add4fa61743d4c679915af6026914bf97565616a801319d417c4882338692e7b62c23a3cca003cab8b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
4829821bcb15810975475bbba04a10f7

SHA1
aa048944c6a389c06c8a2f403c3639d32fb9c4d3

SHA256
63b7ac6c1a3101b74eb884bcd5bb127699bd1c63ddb8f717fa3b60a83ee57880

SHA512
a145e2c88558f39b5b883c0bdc14713f6cd60826dedf76b2388aa2a4b4c3ff80611f905b90e1093e7dc66606b7acfb02a3f2bb06d97fb7658cf1dd696d2ef4e6

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
7d33d525bb1bfc0505b6af82e5535ec1

SHA1
c68ac352ec14aa54a531ba96053a13a6b949c90d

SHA256
03f322a3ab7e4a2e1cbd2aa192d72abbc9cb21e9cd4cd9c3b7502f697ff06556

SHA512
45305c57f48be46ad6073ca68a581ff552505f2a059bc233cf23b20c54d76e662e28c78cc9b09d282bd9bfacb63f3a82a1ab9ca7373b3953b7882adaa34a3a23

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
28cbe708aaa4dfa7b8bf2d041db42ddc

SHA1
5e9d0838b250ee2427ae47f95ef5cb875afc8842

SHA256
edf33607c2dac7365f92764e48f82197885384b968dc6921054131bd107dc723

SHA512
17de2161d48d14cd1d9781f64ba911144ee85f61db8dc1f374c00ba43908f8695f271b82a9acb8187d3e15f5a9a208c5d637bbbd3088930c53cabd1a9a4db14f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
9b20bd9d9e1150b54f7c30365e9c7092

SHA1
dc5f2e904b3f5be1f57b46c2e02713deba6d67ae

SHA256
4092e66ae2112a6b308377a1c5ba82cdedfc0950a624616355ba72e3dfd2f641

SHA512
423f2aacef55bba3770a89e548f44d36990e8fdefea733eb1cd3a27ce0ed8d065698a38b11e1b5752ab966389c4d839bdfba334eccbdddc07959264af019cb1e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
b06b85c3da063ca148490b5f1cef824b

SHA1
d111941e963c723e157ded26143ff3cad2b359b8

SHA256
b0fc24356d82165e6f6e4273f408aa210d5e08e59fadcf99aec23607b157a0ce

SHA512
1f4c14b32e275a3b8ab50a5ccd0466b83eee202a592f47ab2ae854025fd942eb38445b87a954cbc2169f552030ab49b4cbab159c382a723130470bc7f6b787e5

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
fa6388187657e4df34c7b28a1cbaa9f0

SHA1
8118d2a58275b3cd0b22e81ae61492eb3f8fc5c7

SHA256
8c75c8390929d395791395b2e125bbb9f61c42d4a54b869c02edc449dfc03237

SHA512
e832cc48412b386d3eaa6b25f421bb574e4c80ac19c0077f11ef940fe9ce675d32c2dd4623bfec8c189087cea1760fa6b8746e9f9ad5cc6083f2d7d3533023a0

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
b1e015531826bd672f54c1376360a22d

SHA1
dc5dfaf564ce251cb8d533c96ef3be74736a3654

SHA256
0b076b780abbfaffc4affc7b8b62636843fa3e6f1bfe5bfad45f80d516e92abd

SHA512
2a137566a24438265cf290940d556d54ec7bc997d83cd5e843af1b86857c3636d94f39655303100fc633e43c9c0abd455d86b441dc8b87b6a7ea57a8276d0906

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
cd2a3d3b6bc89636b7e650dde4056a62

SHA1
79c61d9e741300e57bc47bad6fd72288ce575d39

SHA256
fc455a6effe553e7e8a7a8d739f64e221261bde41a9c18659db91039815ce56d

SHA512
12269e76c73f7024e09be7137fa96eac46537ddf0fb57796f84f2eaa1b9d9293dfae4b121b23b66aef9808b7292266369776d48c511bf813dbbe84387452e48c

Download Submit
memory/2276-29-0x00007FFD0BD50000-0x00007FFD0C811000-memory.dmp

Filesize
10.8MB

Download
memory/2276-7-0x00007FFD0BD53000-0x00007FFD0BD55000-memory.dmp

Filesize
8KB

Download
memory/2276-17-0x0000020A03650000-0x0000020A03672000-memory.dmp

Filesize
136KB

Download
memory/2276-19-0x00007FFD0BD50000-0x00007FFD0C811000-memory.dmp

Filesize
10.8MB

Download
memory/2276-20-0x00007FFD0BD50000-0x00007FFD0C811000-memory.dmp

Filesize
10.8MB

Download
memory/4460-47-0x0000000006360000-0x000000000636A000-memory.dmp

Filesize
40KB

Download
memory/5020-39-0x00000000068D0000-0x000000000690C000-memory.dmp

Filesize
240KB

Download
memory/5020-34-0x00000000059E0000-0x0000000005F84000-memory.dmp

Filesize
5.6MB

Download
memory/5020-31-0x0000000000AE0000-0x0000000000B3E000-memory.dmp

Filesize
376KB

Download
memory/5020-30-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/5020-35-0x0000000005520000-0x00000000055B2000-memory.dmp

Filesize
584KB

Download
memory/5020-36-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/5020-37-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/5020-38-0x0000000006390000-0x00000000063A2000-memory.dmp

Filesize
72KB

Download
memory/5020-45-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download