quasar | 46136025a4d84640710a3c3ab05588b2ff288c7294ea3d855061b67609839cf6

Analysis

max time kernel
39s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

liberium executor.exe
Size

3.1MB
MD5

a83c74ddda692ff3e4279ef4d1e1ab6b
SHA1

f807912389ed16a9d7ac3e3e7b73282658c6ecf0
SHA256

46136025a4d84640710a3c3ab05588b2ff288c7294ea3d855061b67609839cf6
SHA512

70b79b90362b50fa52762554161f962535aff171f4cf3147afb960b5aba302cc8d969eb2168f331653b114b4199201be4ef5cd3bb97c67547708e2622e72874b
SSDEEP

49152:Svdt62XlaSFNWPjljiFa2RoUYIsSDsKdpvVoGdqTHHB72eh2NT:Svf62XlaSFNWPjljiFXRoUYIsCsE

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.0.0.0.1:4782

Mutex

92adbb05-a27e-42e8-b9a2-c260d01e742b

Attributes

encryption_key
46B4B3697EBEA35C7930856CF4E60FB52D50DE37
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
executor
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/memory/2852-1-0x0000000000200000-0x0000000000524000-memory.dmp	family_quasar
behavioral1/files/0x001000000001866e-6.dat	family_quasar
behavioral1/memory/2620-9-0x0000000000DA0000-0x00000000010C4000-memory.dmp	family_quasar
behavioral1/memory/2184-100-0x0000000000F20000-0x0000000001244000-memory.dmp	family_quasar
behavioral1/memory/2860-134-0x00000000012A0000-0x00000000015C4000-memory.dmp	family_quasar
behavioral1/memory/3008-174-0x0000000000180000-0x00000000004A4000-memory.dmp	family_quasar
behavioral1/memory/2408-204-0x00000000003B0000-0x00000000006D4000-memory.dmp	family_quasar
behavioral1/memory/2908-222-0x00000000009F0000-0x0000000000D14000-memory.dmp	family_quasar
behavioral1/memory/1148-233-0x0000000000C60000-0x0000000000F84000-memory.dmp	family_quasar
behavioral1/memory/2600-257-0x00000000011C0000-0x00000000014E4000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2620	Client.exe
2184	Client.exe
2464	Client.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files\SubDir	Client.exe
File opened for modification	C:\Program Files\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files\SubDir	Client.exe
File created	C:\Program Files\SubDir\Client.exe	liberium executor.exe
File opened for modification	C:\Program Files\SubDir\Client.exe	liberium executor.exe
File opened for modification	C:\Program Files\SubDir	liberium executor.exe
File opened for modification	C:\Program Files\SubDir	Client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
340	PING.EXE
2004	PING.EXE
2092	PING.EXE
1836	PING.EXE
2240	PING.EXE
1932	PING.EXE
2656	PING.EXE
2784	PING.EXE
2528	PING.EXE
468	PING.EXE
1532	PING.EXE
2264	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
1532	PING.EXE
2240	PING.EXE
340	PING.EXE
2784	PING.EXE
2528	PING.EXE
468	PING.EXE
2092	PING.EXE
1836	PING.EXE
2656	PING.EXE
2004	PING.EXE
2264	PING.EXE
1932	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1568	schtasks.exe
788	schtasks.exe
788	schtasks.exe
928	schtasks.exe
2868	schtasks.exe
988	schtasks.exe
2592	schtasks.exe
2868	schtasks.exe
2892	schtasks.exe
2472	schtasks.exe
2932	schtasks.exe
300	schtasks.exe
2644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2660	chrome.exe
2660	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	liberium executor.exe
Token: SeDebugPrivilege	2620	Client.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeDebugPrivilege	2184	Client.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeDebugPrivilege	2464	Client.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2620	Client.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2184	Client.exe
2464	Client.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
2620	Client.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
2184	Client.exe
2464	Client.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2620	Client.exe
2184	Client.exe
2464	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2592	2852	liberium executor.exe	30
PID 2852 wrote to memory of 2592	2852	liberium executor.exe	30
PID 2852 wrote to memory of 2592	2852	liberium executor.exe	30
PID 2852 wrote to memory of 2620	2852	liberium executor.exe	32
PID 2852 wrote to memory of 2620	2852	liberium executor.exe	32
PID 2852 wrote to memory of 2620	2852	liberium executor.exe	32
PID 2620 wrote to memory of 2868	2620	Client.exe	33
PID 2620 wrote to memory of 2868	2620	Client.exe	33
PID 2620 wrote to memory of 2868	2620	Client.exe	33
PID 2660 wrote to memory of 3068	2660	chrome.exe	36
PID 2660 wrote to memory of 3068	2660	chrome.exe	36
PID 2660 wrote to memory of 3068	2660	chrome.exe	36
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 2420	2660	chrome.exe	38
PID 2660 wrote to memory of 400	2660	chrome.exe	39
PID 2660 wrote to memory of 400	2660	chrome.exe	39
PID 2660 wrote to memory of 400	2660	chrome.exe	39
PID 2660 wrote to memory of 2776	2660	chrome.exe	40
PID 2660 wrote to memory of 2776	2660	chrome.exe	40
PID 2660 wrote to memory of 2776	2660	chrome.exe	40
PID 2660 wrote to memory of 2776	2660	chrome.exe	40
PID 2660 wrote to memory of 2776	2660	chrome.exe	40
PID 2660 wrote to memory of 2776	2660	chrome.exe	40
PID 2660 wrote to memory of 2776	2660	chrome.exe	40
PID 2660 wrote to memory of 2776	2660	chrome.exe	40
PID 2660 wrote to memory of 2776	2660	chrome.exe	40
PID 2660 wrote to memory of 2776	2660	chrome.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\liberium executor.exe
"C:\Users\Admin\AppData\Local\Temp\liberium executor.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2592
- C:\Program Files\SubDir\Client.exe
  "C:\Program Files\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2868
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\57udCX8Cg2Kr.bat" "
    3⤵
    PID:1740
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2032
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:340
  - - C:\Program Files\SubDir\Client.exe
      "C:\Program Files\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2184
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2892
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jP5vpn2WYs6H.bat" "
        5⤵
        
        PID:1216
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1528
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2784
      - C:\Program Files\SubDir\Client.exe
        
        "C:\Program Files\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2464
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2472
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GqTJY5Se2fMP.bat" "
        7⤵
        
        PID:2052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2852
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2004
        
        C:\Program Files\SubDir\Client.exe
        
        "C:\Program Files\SubDir\Client.exe"
        8⤵
        
        PID:2860
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1568
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9j8hAYveQz73.bat" "
        9⤵
        
        PID:2892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2528
        
        C:\Program Files\SubDir\Client.exe
        
        "C:\Program Files\SubDir\Client.exe"
        10⤵
        
        PID:536
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2932
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uw8Z5zU4zzrj.bat" "
        11⤵
        
        PID:1076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:468
        
        C:\Program Files\SubDir\Client.exe
        
        "C:\Program Files\SubDir\Client.exe"
        12⤵
        
        PID:3008
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:300
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AhtiS3OEnRU2.bat" "
        13⤵
        
        PID:2040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2092
        
        C:\Program Files\SubDir\Client.exe
        
        "C:\Program Files\SubDir\Client.exe"
        14⤵
        
        PID:2408
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:788
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OIVvNJZ9Ku86.bat" "
        15⤵
        
        PID:896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1836
        
        C:\Program Files\SubDir\Client.exe
        
        "C:\Program Files\SubDir\Client.exe"
        16⤵
        
        PID:2908
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2868
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ve393vVD7FeE.bat" "
        17⤵
        
        PID:1752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1532
        
        C:\Program Files\SubDir\Client.exe
        
        "C:\Program Files\SubDir\Client.exe"
        18⤵
        
        PID:1148
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:988
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MGi1IAb9qgyC.bat" "
        19⤵
        
        PID:2216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2240
        
        C:\Program Files\SubDir\Client.exe
        
        "C:\Program Files\SubDir\Client.exe"
        20⤵
        
        PID:2420
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UbqkJSweDkVu.bat" "
        21⤵
        
        PID:2648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2264
        
        C:\Program Files\SubDir\Client.exe
        
        "C:\Program Files\SubDir\Client.exe"
        22⤵
        
        PID:2600
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:788
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XVUQZIVyyYwV.bat" "
        23⤵
        
        PID:684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1932
        
        C:\Program Files\SubDir\Client.exe
        
        "C:\Program Files\SubDir\Client.exe"
        24⤵
        
        PID:2528
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "executor" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:928
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XTGqf2NAGvzd.bat" "
        25⤵
        
        PID:2672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feef939758,0x7feef939768,0x7feef939778
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1188 --field-trial-handle=1480,i,412819219772874446,17528244030966676199,131072 /prefetch:2
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1408 --field-trial-handle=1480,i,412819219772874446,17528244030966676199,131072 /prefetch:8
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 --field-trial-handle=1480,i,412819219772874446,17528244030966676199,131072 /prefetch:8
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1480,i,412819219772874446,17528244030966676199,131072 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1480,i,412819219772874446,17528244030966676199,131072 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1184 --field-trial-handle=1480,i,412819219772874446,17528244030966676199,131072 /prefetch:2
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3252 --field-trial-handle=1480,i,412819219772874446,17528244030966676199,131072 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:1908
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fa97688,0x13fa97698,0x13fa976a8
    3⤵
    PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 --field-trial-handle=1480,i,412819219772874446,17528244030966676199,131072 /prefetch:8
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3692 --field-trial-handle=1480,i,412819219772874446,17528244030966676199,131072 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 --field-trial-handle=1480,i,412819219772874446,17528244030966676199,131072 /prefetch:8
  2⤵
  PID:2696

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\SetupMetrics\20241201214217.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\SubDir\Client.exe

Filesize
3.1MB

MD5
a83c74ddda692ff3e4279ef4d1e1ab6b

SHA1
f807912389ed16a9d7ac3e3e7b73282658c6ecf0

SHA256
46136025a4d84640710a3c3ab05588b2ff288c7294ea3d855061b67609839cf6

SHA512
70b79b90362b50fa52762554161f962535aff171f4cf3147afb960b5aba302cc8d969eb2168f331653b114b4199201be4ef5cd3bb97c67547708e2622e72874b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\4cbb866f-4ab4-411e-8514-cf9ff5ded470.tmp

Filesize
350KB

MD5
5e33af6aac820edf08b1a8882b5ba667

SHA1
e0d368895b0faa822f48f659d6ce29c9d30a1025

SHA256
c478501a4f94a4abcbcc8ea28d939762aaeddb4c863a83352e2cfe741c720454

SHA512
09eb517683ac153b35df7336f79ffaa6c5420ae5d530af68eba6a11a2cdbec4f25b0ea65b98a9cd687225f06a0494803d7a6fc591d146775a0b0485ff9116a1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
633B

MD5
bfdbd0bc61bb2241c2d65d7e996af6bc

SHA1
e29752ccb0daa60a1f54e895fd0b02082cfe5dec

SHA256
a2871999a5ff01382347949bfeafe088965715e95cc576b730bd1797f08521bd

SHA512
7cd04fcda57c01bcb0f793defada44fd3f21496ab07ab3f66face5d9a0975dad1d10b208f3fb973eb79000a36ec006f56c0f5f192b385f14c751cd3b01dbce21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
14fb06e2c6d9b74082ca4835f961f8f6

SHA1
c8ceb7820d809697fd4844b15170c3e063f5d261

SHA256
da8842502437ffb8bae32446bebb9fffa2f316e390e65533fd9ae6ec0e1fef1a

SHA512
b3be03fd2f003214805b672f1182701d3f83ebc8803258a7cc0c1ee309cf61de524dbe7046e8f1fd11918514dfd8add45bfe5cf70f07be870c6a4ea7ced12b56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a7941f350368832071068494de4d916d

SHA1
c90cb1ffec22ea53ab6542d54133b4dab7c90a0a

SHA256
310a7c3cdaafb39d587bee031982a4dd97963d86ff3add082ecac0de76535065

SHA512
66fbff9b3923045e21750e617a4a2d6399b68f3392c1aef2eadf5827d9c7174681693eb96b49d624305612fffacc909d9e02d1483fcdcefce5f07ad22ad188c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
170KB

MD5
d58c9c8150db78668ec3c9a598d09496

SHA1
bcf9c025a3fc7403a262374d58f13a3fff64fd87

SHA256
eab8785776a2c533aa99292e2b82780ee426d6bc22c3c8b357f1b567659c278e

SHA512
308465f3ae997a72fd432878ec9a0dc45a78bdd3ec43d22ffabdd52e83ca2f3e39b7e43408e10816512bc8cde5bb230d2f66599cc8dd9a413d5285f097be70ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
377KB

MD5
7e3d5f9f6d22f53e3a0f48626099cd0c

SHA1
209a8cc542d26558c25223e786e372924e73dd2f

SHA256
b940744a0105c15daa5d9080f87881fb7d23da6274a4c69a4a15eeea712ba67d

SHA512
e1c48f36bc7d49a60bd2f05fa3e6e8bbb90ac5c6a198491d1cf8f1a386268a645a2a7543a5dfd4355796a156e0eaca4ac6ee562a292fce88c82b0a0521ca8a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\57udCX8Cg2Kr.bat

Filesize
193B

MD5
0d7b148cafb7151dfef39ec55fe36044

SHA1
15648ffb3468ee366b9d9750653740cb7913239b

SHA256
6ddb608ba62defde0f2ad4b34774a62675c71bbb97d9a432540bfaf8e0dc46a9

SHA512
f6656a8a4e68041f4da07709469d42310ded49b30e67da135b70276dde8409bc3497c2228aaf182bd5fb6c4f52e16fdb68ae43b98bf478d7083c0e4c9f2473c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9j8hAYveQz73.bat

Filesize
193B

MD5
f6e066c39c51039bf1205bdb9de68120

SHA1
eacba242168a535946e9fbb0ac69760eb219a53d

SHA256
8a0d8b6fd51b1b31789dd8fcc1d8e85c080530b72788ebc0f6a18ec039e9bb54

SHA512
4274e44b2ec5bdc6c7a8a9e1e1133abf62697b59b775a44bc6e52257ad99e75dad526c096c89cec818ea7a0ab76eb3b5567c29e03ee906e7482da536f4661066

Download Submit
C:\Users\Admin\AppData\Local\Temp\AhtiS3OEnRU2.bat

Filesize
193B

MD5
42bf450287f3a15fe558e381a129b759

SHA1
b9ff0baeaeb7c60203a7445759823bee5b2e0233

SHA256
ecdea21c99a4aeb7b1bd54f00d003fd067d556e276919a9f719563cb3d55c032

SHA512
0f2cf137db5fd881f380247544e7c3629283d1bc8e5e8e84ee44b9c4b8cbbca427c3d62ecd30f2b357da5beb1afee63eab21408ddf5934a78bf9af2ebbe71abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GqTJY5Se2fMP.bat

Filesize
193B

MD5
5e4cd19f96e775f1c1a9e951bca2167f

SHA1
ad3e44b6d09f7bf18dbdeb5b34a52f75e48a7f7e

SHA256
80c18a582c870c00662a111838c8f15fa78e2683ac413fa8f61f8a596e283232

SHA512
33b9fed69b0732e750a11ae3ee5f2242fa359ae71305a992d03a3e2277b324ae385454a072837f95d30f112ee665c1c53ab7db035b306b0b5ac5cbe5a5f8e592

Download Submit
C:\Users\Admin\AppData\Local\Temp\MGi1IAb9qgyC.bat

Filesize
193B

MD5
c21c25546657dfd5bcc084160a86b8e6

SHA1
943c81388a32e031d56383260590cc0c36ca5cad

SHA256
51d6921a6d09857a0cca2a7d301938d195f44cdb28e9e659f888e086ca529ee8

SHA512
5ee44b56c85ae27fc3d4c7a56d3806383300c3b563d77fce0feb76ac37c59f13dd734c633784ecfebcfcb4c5aa3e26274795ea8a2a23d880a5f5c271073fd725

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIVvNJZ9Ku86.bat

Filesize
193B

MD5
3965560ba7b4f7bb21cc936d468a2d3c

SHA1
4f5e9823465af82fb2bda17760d80fdb58236e2f

SHA256
da049e369b4859e7a06744188ee61693dc31dd4a81c00c5969b6d15c3e694286

SHA512
3920f975021a950b53ebbace827389004770a8b5c61b709811c6ccce7693b4ba9dd2e2d7b460e286e27eb48a232d6bf71ca219b2d78f56555e466586c0bfc88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UbqkJSweDkVu.bat

Filesize
193B

MD5
0b68580a34edf6f862def23c14c19807

SHA1
eaa130ff05104927f04db5d079b3f8fbdfbecb97

SHA256
c3becea0d79c60df0c24c70101785ebfba96d31d8e2453a284b312a176194190

SHA512
fe57ab21f3de2f035ac4a8a07b00d4b7f7a2fe86537be722c612ed8743c71eebcfdc177ac2d5715c796d86537c6e436ce954e10fc39ce625883be6223e03255c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ve393vVD7FeE.bat

Filesize
193B

MD5
f5d3ebcd0728486a076a044d3b0fa85d

SHA1
f5de0ade3ef510cea3cfe4b49d97f520bd334ba5

SHA256
32695674ae5536679a89f16c373c2fb22ab6da89b84d98e91bb391e2b985b570

SHA512
93d11d71e8a772a212f069c4b44d655e8a85a41c0db2c8b3cdb5b4d36ac05783a1ab4eb25f5028bf051f3a7f8548c65b0bff0180e2a5b3c9684259e337849e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\XTGqf2NAGvzd.bat

Filesize
193B

MD5
b2bdc184fc08e6168656eca15837d258

SHA1
920a06749ba464105db653a3a072b411e80d7f41

SHA256
952b242b574e3781d0459cef1f7a95e84b11dfe9153278d651684ccffa39ca12

SHA512
b8a7a223eac9832180f131a006847bb215155e952bfefbf3735f63674cebddb62b05c76bfb9092c9f020f09619c27985e9c9843a3bd68df5df035fae5ab13e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\XVUQZIVyyYwV.bat

Filesize
193B

MD5
ae61199865e17767078372b41b475e55

SHA1
072d745ba408f51795f40c76290bbc9b40106169

SHA256
21faf96bbef7f29ae9997015e657b54fafde2b31b5a6086754f909906df318ec

SHA512
93a61b1b9f2b01f8c07ea044870372625a64195e226deb2f94162e84e2338d792cac93455b6a0a880c11ab132a1f8b09832ab7f0ea89d0a5627710439516645c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jP5vpn2WYs6H.bat

Filesize
193B

MD5
9df7590701bee1830bfbff28a7276f47

SHA1
cd2f4a962865922db043df254ba11bb0b8d64ab2

SHA256
e38c10fe9c75f46203efc28ef2e4404eee2ecb6a05163ebb967814c1c7ffed37

SHA512
ca48fe1ebb911a7d52b3d73bc2d422462a94131077988c1cd6685bc888927787a1481276817343e527442c41a79d62223efe72c4e5b11270fc05898d21f46bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uw8Z5zU4zzrj.bat

Filesize
193B

MD5
3d0314bba1a4a31267db7708a54cf4f0

SHA1
7af5c2e8033a4177f0e2dbe6852173ed6fea71da

SHA256
516f6ede9139f597089dcbe9feece2f11f3738a36a45a9f9b6cbd2907855740b

SHA512
55c9f06263c9c97cb1d69fcbc879dfba17b2aa49c84fca9ec5788fca41e647a9b90e91f25b18af771e012a0bb2ab5c59bac3f9bc552d771de89ef17cd56a52fb

Download Submit
memory/1148-233-0x0000000000C60000-0x0000000000F84000-memory.dmp

Filesize
3.1MB

Download
memory/2184-100-0x0000000000F20000-0x0000000001244000-memory.dmp

Filesize
3.1MB

Download
memory/2408-204-0x00000000003B0000-0x00000000006D4000-memory.dmp

Filesize
3.1MB

Download
memory/2600-257-0x00000000011C0000-0x00000000014E4000-memory.dmp

Filesize
3.1MB

Download
memory/2620-71-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2620-10-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2620-9-0x0000000000DA0000-0x00000000010C4000-memory.dmp

Filesize
3.1MB

Download
memory/2620-11-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2852-0-0x000007FEF52D3000-0x000007FEF52D4000-memory.dmp

Filesize
4KB

Download
memory/2852-2-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2852-8-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2852-1-0x0000000000200000-0x0000000000524000-memory.dmp

Filesize
3.1MB

Download
memory/2860-134-0x00000000012A0000-0x00000000015C4000-memory.dmp

Filesize
3.1MB

Download
memory/2908-222-0x00000000009F0000-0x0000000000D14000-memory.dmp

Filesize
3.1MB

Download
memory/3008-174-0x0000000000180000-0x00000000004A4000-memory.dmp

Filesize
3.1MB

Download