quasar | 59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Size

348KB
MD5

e3227ee81215e58ad2b59b277ffb79f4
SHA1

cfc16846c11f280d907f151a3745827313e92fbf
SHA256

59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4
SHA512

b146155add08215e7376fe8ea2e8d8080467326de410eeee8feddcd27b5b821143d23f84d87d52f0c2e3601f9519ccd589e00249c008671f6572c348d09e248f
SSDEEP

6144:Aw6bPXhLApfpZUAlrmOW5bkjz3jnRBPtcW:xmhAp0Al8WjnRBP2W

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

myhost88.ddns.net:4782

Mutex

QSR_MUTEX_gBbXbVHlujwl4SvP3X

Attributes

encryption_key
7Bgb3YgUbXKS2un5vbeM
install_name
ms configs.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ms configs
subdirectory
SubDir

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
	8	ip-api.com	Process not Found
	53	ip-api.com	Process not Found
	72	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4900-1-0x0000000000380000-0x00000000003DE000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	ip-api.com
72	ip-api.com
8	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 56 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
760	PING.EXE
3528	PING.EXE
4228	PING.EXE
1644	PING.EXE
4100	PING.EXE
412	PING.EXE
936	PING.EXE
4948	PING.EXE
2008	PING.EXE
1512	PING.EXE
4976	PING.EXE
3120	PING.EXE
1976	PING.EXE
4576	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
3120	PING.EXE
760	PING.EXE
4100	PING.EXE
936	PING.EXE
4948	PING.EXE
1512	PING.EXE
1644	PING.EXE
412	PING.EXE
4976	PING.EXE
1976	PING.EXE
4228	PING.EXE
3528	PING.EXE
2008	PING.EXE
4576	PING.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4900	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	4948	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	2100	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	4156	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	5080	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	3660	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	180	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	1644	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	3480	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	4784	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	1180	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	4144	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	4792	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
Token: SeDebugPrivilege	1220	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 1164	4900	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	84
PID 4900 wrote to memory of 1164	4900	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	84
PID 4900 wrote to memory of 1164	4900	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	84
PID 1164 wrote to memory of 2204	1164	cmd.exe	86
PID 1164 wrote to memory of 2204	1164	cmd.exe	86
PID 1164 wrote to memory of 2204	1164	cmd.exe	86
PID 1164 wrote to memory of 1644	1164	cmd.exe	87
PID 1164 wrote to memory of 1644	1164	cmd.exe	87
PID 1164 wrote to memory of 1644	1164	cmd.exe	87
PID 1164 wrote to memory of 4948	1164	cmd.exe	91
PID 1164 wrote to memory of 4948	1164	cmd.exe	91
PID 1164 wrote to memory of 4948	1164	cmd.exe	91
PID 4948 wrote to memory of 3528	4948	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	92
PID 4948 wrote to memory of 3528	4948	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	92
PID 4948 wrote to memory of 3528	4948	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	92
PID 3528 wrote to memory of 1552	3528	cmd.exe	94
PID 3528 wrote to memory of 1552	3528	cmd.exe	94
PID 3528 wrote to memory of 1552	3528	cmd.exe	94
PID 3528 wrote to memory of 3120	3528	cmd.exe	95
PID 3528 wrote to memory of 3120	3528	cmd.exe	95
PID 3528 wrote to memory of 3120	3528	cmd.exe	95
PID 3528 wrote to memory of 2100	3528	cmd.exe	99
PID 3528 wrote to memory of 2100	3528	cmd.exe	99
PID 3528 wrote to memory of 2100	3528	cmd.exe	99
PID 2100 wrote to memory of 5068	2100	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	100
PID 2100 wrote to memory of 5068	2100	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	100
PID 2100 wrote to memory of 5068	2100	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	100
PID 5068 wrote to memory of 2552	5068	cmd.exe	102
PID 5068 wrote to memory of 2552	5068	cmd.exe	102
PID 5068 wrote to memory of 2552	5068	cmd.exe	102
PID 5068 wrote to memory of 760	5068	cmd.exe	103
PID 5068 wrote to memory of 760	5068	cmd.exe	103
PID 5068 wrote to memory of 760	5068	cmd.exe	103
PID 5068 wrote to memory of 4156	5068	cmd.exe	105
PID 5068 wrote to memory of 4156	5068	cmd.exe	105
PID 5068 wrote to memory of 4156	5068	cmd.exe	105
PID 4156 wrote to memory of 4124	4156	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	107
PID 4156 wrote to memory of 4124	4156	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	107
PID 4156 wrote to memory of 4124	4156	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	107
PID 4124 wrote to memory of 3552	4124	cmd.exe	109
PID 4124 wrote to memory of 3552	4124	cmd.exe	109
PID 4124 wrote to memory of 3552	4124	cmd.exe	109
PID 4124 wrote to memory of 1976	4124	cmd.exe	110
PID 4124 wrote to memory of 1976	4124	cmd.exe	110
PID 4124 wrote to memory of 1976	4124	cmd.exe	110
PID 4124 wrote to memory of 5080	4124	cmd.exe	111
PID 4124 wrote to memory of 5080	4124	cmd.exe	111
PID 4124 wrote to memory of 5080	4124	cmd.exe	111
PID 5080 wrote to memory of 5084	5080	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	112
PID 5080 wrote to memory of 5084	5080	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	112
PID 5080 wrote to memory of 5084	5080	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	112
PID 5084 wrote to memory of 3864	5084	cmd.exe	114
PID 5084 wrote to memory of 3864	5084	cmd.exe	114
PID 5084 wrote to memory of 3864	5084	cmd.exe	114
PID 5084 wrote to memory of 4100	5084	cmd.exe	115
PID 5084 wrote to memory of 4100	5084	cmd.exe	115
PID 5084 wrote to memory of 4100	5084	cmd.exe	115
PID 5084 wrote to memory of 3660	5084	cmd.exe	116
PID 5084 wrote to memory of 3660	5084	cmd.exe	116
PID 5084 wrote to memory of 3660	5084	cmd.exe	116
PID 3660 wrote to memory of 2124	3660	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	117
PID 3660 wrote to memory of 2124	3660	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	117
PID 3660 wrote to memory of 2124	3660	59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe	117
PID 2124 wrote to memory of 3948	2124	cmd.exe	119

C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
"C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
1⤵
- Quasar RAT
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMDfu6gtYS2c.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2204
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1644
- - C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
    "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5qnSgO5EZgqT.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3528
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3120
    - - C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mtajAcvFqt1k.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwYHr5avcIU7.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yPdUt9ImHqQ0.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        11⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8BiYvVgHRhrV.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        13⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ienlxZO75FmO.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        15⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aoFfRt7fDsnr.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        17⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r92nuNcK0OUk.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        19⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XlufFGFrseWb.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        21⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2lGkMFaucRbB.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3132
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        23⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N8rbcTFtvl0x.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        25⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byUuKl8T1Inv.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe"
        27⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaMmfel0uYqn.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\59917b4b4d1a67912f5896bfd274350cb4253cc2bf3c522781fda75ec72debf4.exe.log

Filesize
1KB

MD5
10eab9c2684febb5327b6976f2047587

SHA1
a12ed54146a7f5c4c580416aecb899549712449e

SHA256
f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

SHA512
7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\2lGkMFaucRbB.bat

Filesize
261B

MD5
afd4312e815bfcf46e2c991e44fc5bbf

SHA1
90e7adb1ec956c89d6e4002f609d892e2233ba77

SHA256
a6f26e94ebed8608df90c32565b770496ced0f5d15c269a0c9451c0c83277333

SHA512
45505677a18b097cc1807621e086f0df00e72bf29ab5c7e2e4e38bc8a9760563b0e097b186f0b9690bf752cd82a23a12ab72612ec2b0cb71d22579b293254311

Download Submit
C:\Users\Admin\AppData\Local\Temp\5qnSgO5EZgqT.bat

Filesize
261B

MD5
a38dca8e6198f02e6f362a2c1d97c68e

SHA1
b4f63e1f3f801314246244a215d07ab6c2415ddd

SHA256
e0c28325d42ab2209788cfa6877d3af5d82857b2ca4417befd5bfc5218127532

SHA512
e58fc1dc61b8c6df704df6bc0f44c59abe692581367a1278694c4ed7a0dde3bb3940d5c0644d655671905caba1cb41d7f213d7e2890b5e082206c5bf9d6accf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8BiYvVgHRhrV.bat

Filesize
261B

MD5
63dae77d7f33d53431ea83498babe711

SHA1
ac4cfd15fa8c25269985467a7530300b6c388121

SHA256
71d6ae5610897fcd4a95fa301449f87a406e03696e7bdd663ee2bca6fc1fd6bb

SHA512
582653cfb99df89268b905b40b25baad1b7809753f14ab0a9ee6c784265f04024843861c4b987b62d044e323052628918a8282aa20fae7cc89ccffe704068666

Download Submit
C:\Users\Admin\AppData\Local\Temp\HaMmfel0uYqn.bat

Filesize
261B

MD5
1a2d806f4535dee8d02a3ec7c5bee13a

SHA1
8e19a05f735364875285588132205d0565c68d77

SHA256
754aef5931c9e5eb458e4e63b09df220c10acd9fc7baf8c0fae2dde7d1d0ca00

SHA512
9d9b8b16d4e5553e5688aaecfdda5690a7f26ef496a7962878698b4f9f95c1aa08e70d185055fc6c459fc2aa97dc8130c12c12d1d254a4a1e46eb92bdcb32dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\N8rbcTFtvl0x.bat

Filesize
261B

MD5
ebdefa13e9398ad30b25e60bc5b7bbfd

SHA1
227d35fa8f63c203d28a591f9b143b155c7b71b9

SHA256
d13c43a068429d654fc963880399dedac3fbd694dd91a3fe76a97cc0a2230fe2

SHA512
944d69e52360bf9a61d46048ea472e861294496e4134c5073e28b661b25c149b6ca311fd8340bd8e4d4f73dcdfc46aebe60eaea7e51ddd5b2beb6ca16384ec68

Download Submit
C:\Users\Admin\AppData\Local\Temp\PwYHr5avcIU7.bat

Filesize
261B

MD5
26dcf587c8ca6b71ed044f7b6dfc6b7d

SHA1
b0550fd0140394c843fd687ca8e7024b062e9e01

SHA256
5e49c1354cb2dbb0e662c10123a8894d529d66608fbf419a2725b0b2fdacb82e

SHA512
dd0080e7bec1ee3c32f6ef16d8ad1344ec4fdce63b474728e08e3f5c80a99cdad1bfb76ea76c3e674c56e73fcaf178b5c72859ef4a887ecac57729696e8ec889

Download Submit
C:\Users\Admin\AppData\Local\Temp\XlufFGFrseWb.bat

Filesize
261B

MD5
d6e39be7405c709840b0a9c083a09f51

SHA1
79d1d91f12b475069d3a36559e8079da96dc2b9e

SHA256
b6fd4e986f0983404c40b0a6d84ede93d5cb5aec55475f427fe16d9c29089723

SHA512
6af5fe6e7c16dc8db15e06a9b032cae604ce4f9af59a6c633962ec7051edbf270b840ec572100880de004176a3e39207c51699df99f9638d4d65614f0bca28ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoFfRt7fDsnr.bat

Filesize
261B

MD5
5acba436c1e78ac6eff8b80f4b1315f9

SHA1
81b5292e4040a7321ac269d7e46388038ac4bcea

SHA256
cb4267326496d13aeab5d7427b2ff712598e85a21aef0885b4c2fd89682663f3

SHA512
8dde477d4674c298793aeec5b6c6fd236d22fcfd98e92815854950ee2a4b38262a505147a93c4e121c56fafff6c3883d8d35bb7ad1741b0f61c5b2d82791a187

Download Submit
C:\Users\Admin\AppData\Local\Temp\byUuKl8T1Inv.bat

Filesize
261B

MD5
3c288abe1ae8c1cab8613013fcc5359a

SHA1
1599510b229c8862925dd04ccfdb29a6b093075f

SHA256
a370db58e762e4457a709f9750622e1ab40054b1ffc747c2cef6eccb72da2edb

SHA512
45dac7103a5260848ab71b155892216591665ffe45199df7a84227c600c69bc2831f283587492f16ebe5a7e8b2f68c293900c6c1b4c7ea420157284ea5aeee59

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMDfu6gtYS2c.bat

Filesize
261B

MD5
63981ec10cbd04e9d61fe5ccd9910695

SHA1
44018f8f55cb9cb294f790c1db85bf7b9907377b

SHA256
9ffaa14102fd99c7c27f71e6fdd0cbf665f740706f3fe5df9b8f9a46f45a2ee6

SHA512
cb4a7fb245a83e42e917f1e45c2c27cc10902dd2813020569896b0947ced44d1f516a006db6181cc6f1caa44b11c124f83575e03c461bf83595580518fb1e0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ienlxZO75FmO.bat

Filesize
261B

MD5
06fe9fa5f9e142dcd8da1a618725f03a

SHA1
762f888d0292c3bcf523b60883623e8d9c9b8748

SHA256
709d5c878f2820a187bdeeb6cae681501da169753e9ba28c3fa1e51dcac91604

SHA512
8235ca5d583fcc74c0c3ba3b0a4b48fba62b2fc56971269d614ecbe2fb39d0d0512719d78c202bf43e745233a1802478c58d7119fc994909fb5bd900d422a173

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtajAcvFqt1k.bat

Filesize
261B

MD5
13dc6030e5580f4e5a3e917bd835e980

SHA1
b18e8837563d37251b04929f55c2c2eae1cc4aca

SHA256
23004fd19b3d59647eb02ebb2d2d4ff94ba8651f89e24e8c5a138fb6c59b51f7

SHA512
9de8ac32702f464d8ab6974aa8fd8f58456a6a056027575bd8b3f93ab01336157b705b990a32a49a4e159eade4ffc409e5e347e3b2bbfebb5926827830fda1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\r92nuNcK0OUk.bat

Filesize
261B

MD5
7be737e132721982926623551dd63a78

SHA1
95d14f43136f4d6682d4e9f79ef2dfcfc1f79796

SHA256
17f681a94c1be82192ce9c1e54bded93dcc70e7c0c08f9ae5548cafd893d4e91

SHA512
6b4e035bd06c5ba2ea3c5a24d44735a5b50672a3a432453054fd843f84dd2cc9f593d889dad793c118e9e4b891954efdfed063bea3969065b9ad262f877f07f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yPdUt9ImHqQ0.bat

Filesize
261B

MD5
8b3d3c3a58bba113ff7be969b7326c30

SHA1
ffdd9a1f6b6a022e97452809f3ef6c0feaa47f9c

SHA256
27cb67c9e5961c183fbe549e4d039bf52fdbe540e3f6c3f38ff56b5b90c0113f

SHA512
f2de1bd879b217c328dbb9646901f3a842ef46ba39fd35a07bb52028a8dd62ca1c6298d9c35e87ecad6ce404cb6ba342155038388034c9394d9af13628b9a23f

Download Submit
memory/4900-6-0x0000000005AF0000-0x0000000005B02000-memory.dmp

Filesize
72KB

Download
memory/4900-12-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4900-7-0x0000000006030000-0x000000000606C000-memory.dmp

Filesize
240KB

Download
memory/4900-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/4900-5-0x0000000004EC0000-0x0000000004F26000-memory.dmp

Filesize
408KB

Download
memory/4900-4-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4900-3-0x0000000004E20000-0x0000000004EB2000-memory.dmp

Filesize
584KB

Download
memory/4900-2-0x00000000052B0000-0x0000000005854000-memory.dmp

Filesize
5.6MB

Download
memory/4900-1-0x0000000000380000-0x00000000003DE000-memory.dmp

Filesize
376KB

Download
memory/4948-20-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4948-16-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4948-15-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download