quasar | d6d5f4a8d6476063c19d34d4c28d4940258f6fba0aad2fdccd42f812496f59db

Analysis

max time kernel
1790s
max time network
1798s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-12-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FlashingSoftwarePRO.exe
Size

3.4MB
MD5

15cb2f245ebee2dd12e4b8cea5aa0061
SHA1

0fe7b4c8a4336a9ca20b563bb4288f7bb352ad5e
SHA256

d6d5f4a8d6476063c19d34d4c28d4940258f6fba0aad2fdccd42f812496f59db
SHA512

39193ceb136f05e989cd0ab62bf77bf8d548536e958723311bfa9a30e9aae728f1a8c631dae1bfa6cf0a02f51673879c9901c9662d17d9e3ac953104bb02c6fa
SSDEEP

49152:DvqG42pda6D+/PjlLOlg6yQipVh2PzkMfq5oGdLlTHHB72eh2NT:DvN42pda6D+/PjlLOlZyQipVh2Pzcb

Score

10^/10

quasar svchost discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost

192.168.0.147:4782

101.56.195.62:4782

Matt10n3-57692.portmap.host:57692

Mutex

08e310ae-ecb8-4d83-b87f-95abe874bb4c

Attributes

encryption_key
7AC4D01862AC71A180B8FAEE5694E9D7B88EF662
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/648-1-0x0000000000730000-0x0000000000A94000-memory.dmp	family_quasar
behavioral1/files/0x001e00000002aba0-5.dat	family_quasar

Executes dropped EXE 31 IoCs

pid	Process
3608	svchost.exe
4908	svchost.exe
3440	svchost.exe
2400	svchost.exe
540	svchost.exe
4776	svchost.exe
4124	svchost.exe
1288	svchost.exe
3400	svchost.exe
4904	svchost.exe
4712	svchost.exe
3912	svchost.exe
1596	svchost.exe
4752	svchost.exe
1520	svchost.exe
3436	svchost.exe
2380	svchost.exe
1872	svchost.exe
4640	svchost.exe
4052	svchost.exe
4084	svchost.exe
1168	svchost.exe
2764	svchost.exe
4856	svchost.exe
3576	svchost.exe
2084	svchost.exe
2960	svchost.exe
4424	svchost.exe
1512	svchost.exe
3708	svchost.exe
1140	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\System32\svchost.exe	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32\svchost.exe	FlashingSoftwarePRO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 30 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1016	PING.EXE
4828	PING.EXE
1236	PING.EXE
4448	PING.EXE
2656	PING.EXE
3400	PING.EXE
1692	PING.EXE
1184	PING.EXE
4872	PING.EXE
2744	PING.EXE
4768	PING.EXE
5060	PING.EXE
1876	PING.EXE
3496	PING.EXE
3696	PING.EXE
3608	PING.EXE
1948	PING.EXE
3080	PING.EXE
2352	PING.EXE
648	PING.EXE
2396	PING.EXE
2276	PING.EXE
808	PING.EXE
4672	PING.EXE
1184	PING.EXE
1180	PING.EXE
892	PING.EXE
2400	PING.EXE
2624	PING.EXE
2872	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Runs ping.exe 1 TTPs 30 IoCs

Remote System Discovery

T1018

pid	Process
3496	PING.EXE
2352	PING.EXE
1876	PING.EXE
1692	PING.EXE
1180	PING.EXE
3696	PING.EXE
4828	PING.EXE
4448	PING.EXE
1184	PING.EXE
3400	PING.EXE
4768	PING.EXE
4872	PING.EXE
5060	PING.EXE
3080	PING.EXE
2624	PING.EXE
2276	PING.EXE
808	PING.EXE
1948	PING.EXE
1236	PING.EXE
2656	PING.EXE
1184	PING.EXE
892	PING.EXE
3608	PING.EXE
4672	PING.EXE
2872	PING.EXE
1016	PING.EXE
2396	PING.EXE
648	PING.EXE
2400	PING.EXE
2744	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 32 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2172	schtasks.exe
3060	schtasks.exe
3692	schtasks.exe
3940	schtasks.exe
2796	schtasks.exe
3820	schtasks.exe
1380	schtasks.exe
3280	schtasks.exe
5072	schtasks.exe
1844	schtasks.exe
3476	schtasks.exe
2936	schtasks.exe
1884	schtasks.exe
1016	schtasks.exe
4760	schtasks.exe
3784	schtasks.exe
1944	schtasks.exe
1660	schtasks.exe
2488	schtasks.exe
4436	schtasks.exe
244	schtasks.exe
1044	schtasks.exe
2256	schtasks.exe
532	schtasks.exe
2000	schtasks.exe
3168	schtasks.exe
4684	schtasks.exe
3332	schtasks.exe
3384	schtasks.exe
3140	schtasks.exe
2200	schtasks.exe
4992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	648	FlashingSoftwarePRO.exe
Token: SeDebugPrivilege	3608	svchost.exe
Token: SeDebugPrivilege	3076	taskmgr.exe
Token: SeSystemProfilePrivilege	3076	taskmgr.exe
Token: SeCreateGlobalPrivilege	3076	taskmgr.exe
Token: 33	3076	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3076	taskmgr.exe
Token: SeDebugPrivilege	4908	svchost.exe
Token: SeDebugPrivilege	3088	FlashingSoftwarePRO.exe
Token: SeDebugPrivilege	992	FlashingSoftwarePRO.exe
Token: SeDebugPrivilege	3440	svchost.exe
Token: SeDebugPrivilege	2400	svchost.exe
Token: SeDebugPrivilege	540	svchost.exe
Token: SeDebugPrivilege	4776	svchost.exe
Token: SeDebugPrivilege	4124	svchost.exe
Token: SeDebugPrivilege	1288	svchost.exe
Token: SeDebugPrivilege	3400	svchost.exe
Token: SeDebugPrivilege	4904	svchost.exe
Token: SeDebugPrivilege	4712	svchost.exe
Token: SeDebugPrivilege	3912	svchost.exe
Token: SeDebugPrivilege	1596	svchost.exe
Token: SeDebugPrivilege	4752	svchost.exe
Token: SeDebugPrivilege	1520	svchost.exe
Token: SeDebugPrivilege	3436	svchost.exe
Token: SeDebugPrivilege	2380	svchost.exe
Token: SeDebugPrivilege	1872	svchost.exe
Token: SeDebugPrivilege	4640	svchost.exe
Token: SeDebugPrivilege	4052	svchost.exe
Token: SeDebugPrivilege	4084	svchost.exe
Token: SeDebugPrivilege	1168	svchost.exe
Token: SeDebugPrivilege	2764	svchost.exe
Token: SeDebugPrivilege	4856	svchost.exe
Token: SeDebugPrivilege	3576	svchost.exe
Token: SeDebugPrivilege	2084	svchost.exe
Token: SeDebugPrivilege	2960	svchost.exe
Token: SeDebugPrivilege	4424	svchost.exe
Token: SeDebugPrivilege	1512	svchost.exe
Token: SeDebugPrivilege	3708	svchost.exe
Token: SeDebugPrivilege	1140	svchost.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe
3076	taskmgr.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
3608	svchost.exe
4908	svchost.exe
3440	svchost.exe
2400	svchost.exe
540	svchost.exe
4776	svchost.exe
4124	svchost.exe
1288	svchost.exe
3400	svchost.exe
4904	svchost.exe
4712	svchost.exe
3912	svchost.exe
1596	svchost.exe
4752	svchost.exe
1520	svchost.exe
3436	svchost.exe
2380	svchost.exe
1872	svchost.exe
4640	svchost.exe
4052	svchost.exe
4084	svchost.exe
1168	svchost.exe
2764	svchost.exe
4856	svchost.exe
3576	svchost.exe
2084	svchost.exe
2960	svchost.exe
4424	svchost.exe
1512	svchost.exe
3708	svchost.exe
1140	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 1944	648	FlashingSoftwarePRO.exe	77
PID 648 wrote to memory of 1944	648	FlashingSoftwarePRO.exe	77
PID 648 wrote to memory of 3608	648	FlashingSoftwarePRO.exe	79
PID 648 wrote to memory of 3608	648	FlashingSoftwarePRO.exe	79
PID 3608 wrote to memory of 3940	3608	svchost.exe	80
PID 3608 wrote to memory of 3940	3608	svchost.exe	80
PID 3608 wrote to memory of 1908	3608	svchost.exe	84
PID 3608 wrote to memory of 1908	3608	svchost.exe	84
PID 1908 wrote to memory of 4776	1908	cmd.exe	86
PID 1908 wrote to memory of 4776	1908	cmd.exe	86
PID 1908 wrote to memory of 2744	1908	cmd.exe	87
PID 1908 wrote to memory of 2744	1908	cmd.exe	87
PID 1908 wrote to memory of 4908	1908	cmd.exe	89
PID 1908 wrote to memory of 4908	1908	cmd.exe	89
PID 4908 wrote to memory of 2172	4908	svchost.exe	90
PID 4908 wrote to memory of 2172	4908	svchost.exe	90
PID 4908 wrote to memory of 5068	4908	svchost.exe	97
PID 4908 wrote to memory of 5068	4908	svchost.exe	97
PID 5068 wrote to memory of 2036	5068	cmd.exe	99
PID 5068 wrote to memory of 2036	5068	cmd.exe	99
PID 5068 wrote to memory of 1016	5068	cmd.exe	100
PID 5068 wrote to memory of 1016	5068	cmd.exe	100
PID 5068 wrote to memory of 3440	5068	cmd.exe	101
PID 5068 wrote to memory of 3440	5068	cmd.exe	101
PID 3440 wrote to memory of 3140	3440	svchost.exe	102
PID 3440 wrote to memory of 3140	3440	svchost.exe	102
PID 3440 wrote to memory of 3144	3440	svchost.exe	104
PID 3440 wrote to memory of 3144	3440	svchost.exe	104
PID 3144 wrote to memory of 3468	3144	cmd.exe	106
PID 3144 wrote to memory of 3468	3144	cmd.exe	106
PID 3144 wrote to memory of 1948	3144	cmd.exe	107
PID 3144 wrote to memory of 1948	3144	cmd.exe	107
PID 3144 wrote to memory of 2400	3144	cmd.exe	108
PID 3144 wrote to memory of 2400	3144	cmd.exe	108
PID 2400 wrote to memory of 2200	2400	svchost.exe	109
PID 2400 wrote to memory of 2200	2400	svchost.exe	109
PID 2400 wrote to memory of 2304	2400	svchost.exe	111
PID 2400 wrote to memory of 2304	2400	svchost.exe	111
PID 2304 wrote to memory of 2316	2304	cmd.exe	113
PID 2304 wrote to memory of 2316	2304	cmd.exe	113
PID 2304 wrote to memory of 2396	2304	cmd.exe	114
PID 2304 wrote to memory of 2396	2304	cmd.exe	114
PID 2304 wrote to memory of 540	2304	cmd.exe	115
PID 2304 wrote to memory of 540	2304	cmd.exe	115
PID 540 wrote to memory of 2796	540	svchost.exe	116
PID 540 wrote to memory of 2796	540	svchost.exe	116
PID 540 wrote to memory of 772	540	svchost.exe	118
PID 540 wrote to memory of 772	540	svchost.exe	118
PID 772 wrote to memory of 2012	772	cmd.exe	120
PID 772 wrote to memory of 2012	772	cmd.exe	120
PID 772 wrote to memory of 3080	772	cmd.exe	121
PID 772 wrote to memory of 3080	772	cmd.exe	121
PID 772 wrote to memory of 4776	772	cmd.exe	122
PID 772 wrote to memory of 4776	772	cmd.exe	122
PID 4776 wrote to memory of 532	4776	svchost.exe	123
PID 4776 wrote to memory of 532	4776	svchost.exe	123
PID 4776 wrote to memory of 1940	4776	svchost.exe	125
PID 4776 wrote to memory of 1940	4776	svchost.exe	125
PID 1940 wrote to memory of 4084	1940	cmd.exe	127
PID 1940 wrote to memory of 4084	1940	cmd.exe	127
PID 1940 wrote to memory of 5060	1940	cmd.exe	128
PID 1940 wrote to memory of 5060	1940	cmd.exe	128
PID 1940 wrote to memory of 4124	1940	cmd.exe	129
PID 1940 wrote to memory of 4124	1940	cmd.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe
"C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1944
- C:\Windows\system32\System32\svchost.exe
  "C:\Windows\system32\System32\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqTA4ppshGpz.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4776
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2744
  - - C:\Windows\system32\System32\svchost.exe
      "C:\Windows\system32\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4908
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2172
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PVMPbaJ2zIYh.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5068
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2036
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1016
      - C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TahSHmg5whOB.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1948
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1p83DdBGNRaG.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2396
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cNKbRFHPS0Fd.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3080
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KNCrOAiL18AZ.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5060
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4124
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0lubiRjFm5R2.bat" "
        15⤵
        
        PID:1520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1876
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1288
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D8PB1z8UmyXp.bat" "
        17⤵
        
        PID:3784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:5020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4448
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3400
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\62QSaxKGR07V.bat" "
        19⤵
        
        PID:4232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4312
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2656
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4904
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QycVXJlC0ySC.bat" "
        21⤵
        
        PID:2500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2624
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4712
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z6NOuyRfLTV8.bat" "
        23⤵
        
        PID:4428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4828
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqzDvESrlAJL.bat" "
        25⤵
        
        PID:4300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3496
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ulWHpncivco.bat" "
        27⤵
        
        PID:2788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4672
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4752
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WXuK63nTjGsj.bat" "
        29⤵
        
        PID:3136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1184
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AHBg5VaLnLap.bat" "
        31⤵
        
        PID:1364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2352
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3436
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcGsGQniChL6.bat" "
        33⤵
        
        PID:1460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:1944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3400
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RM1P7mp1c7h9.bat" "
        35⤵
        
        PID:976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:4704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4768
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gc0eQlX8PMvB.bat" "
        37⤵
        
        PID:2396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:1924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:648
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4640
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgo8O2U7BCnM.bat" "
        39⤵
        
        PID:1292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:2376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1692
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4052
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        41⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wC6THXwPyEPS.bat" "
        41⤵
        
        PID:4048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:3440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1180
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4084
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        43⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqEL7irHLvq3.bat" "
        43⤵
        
        PID:3896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:3464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3696
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        45⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dfj9sOjeSMF3.bat" "
        45⤵
        
        PID:2456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:1040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1184
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2764
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        47⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MnjL8Rshy8LB.bat" "
        47⤵
        
        PID:3920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:224
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:892
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4856
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        49⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meQLWFqADY7F.bat" "
        49⤵
        
        PID:3352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:4556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2276
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3576
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        51⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWgybUP0DgiG.bat" "
        51⤵
        
        PID:4720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:3172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        52⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2400
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2084
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MTOhPqNbpKI9.bat" "
        53⤵
        
        PID:1840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:5076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        54⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2872
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2960
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        55⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ww19OfLf7DMF.bat" "
        55⤵
        
        PID:4072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:2924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4872
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4424
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        57⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MW7MmjvvhQoi.bat" "
        57⤵
        
        PID:1596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        58⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3608
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        59⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cw2hhynP3nei.bat" "
        59⤵
        
        PID:4356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:4396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1236
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        60⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3708
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        61⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TlKIKzlZWjFS.bat" "
        61⤵
        
        PID:1016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:1364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        62⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:808
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1140
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        63⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3784

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe
"C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe
"C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FlashingSoftwarePRO.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
2KB

MD5
b7ddbc493a968485ca6ffb8afbe34c13

SHA1
420e3f945be5990b756e5a73297e8d4103be327c

SHA256
7e4d8c99b07c1c2c6dd52b4bb00910e55ba0b26546333636b3063285fbc9c9bf

SHA512
3728fb72579708ea715376798b7d04c76fac52a7a23d05b557c0ecac4055249c843140ed954b9e33471d98d9b34568f280b57e49c4c8cc684324fff9802a0137

Download Submit
C:\Users\Admin\AppData\Local\Temp\0lubiRjFm5R2.bat

Filesize
199B

MD5
a919cf65fc8d6e5e2a98d7241a599250

SHA1
4dd51317d823604b1974a4d17b191a2e8dd08baa

SHA256
31ae8f2eea0b52454f22c76845f070e041a09ed510000073438773318e2b1c27

SHA512
5d5d115f1c02bd8bc654a5bbbec7754dd0ad89067ddc11da6c6ba5a5126547942c32e44e38c491fd32d42158c9487b5af5f7121aba7528ad2128ccf1486c0270

Download Submit
C:\Users\Admin\AppData\Local\Temp\1p83DdBGNRaG.bat

Filesize
199B

MD5
e52cdac128a38fb5c3ec8ee5ae0ca6fd

SHA1
087ced75468905a314823c8944beaeed840ee154

SHA256
4454c7b0c03b4217ecd8026f9915cde41c6ccd202b4b3c0ff825164f1be5664a

SHA512
022a7789dc5ad8357b387303d07407f3fef29dba81c70baefdd049717d237b08b80088c11d200b3c07f8afa3b035efa5868ed9b5fdd4f91372ff7f5d163c7578

Download Submit
C:\Users\Admin\AppData\Local\Temp\62QSaxKGR07V.bat

Filesize
199B

MD5
653edef9c7af28bd17a62f2d96365b08

SHA1
8d5b08e39d2c6753490262e2ac26c40ae0b97af9

SHA256
5fa9c1a74572960546b9c61e40a1cc163499d115b6e802ea431c51224d62ac00

SHA512
9073bac1772d58cf10be918c3386dfa12ca2472c34508f318da34d72b23bf139ded3c37622a6cbe1aa81824da3f1671f0eaa3b8569053de5b0fd7beb92830226

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ulWHpncivco.bat

Filesize
199B

MD5
66007481c9cf092dd344192d1aa2f76f

SHA1
710ae9028c510a830e350e07f8e4b7e7e19b8758

SHA256
95d2568fb39ec080d99cc4a4e0aed2ed4f2f4d3a0ce97b22a4496f91aee6fcb6

SHA512
a3652309c3aacebf571d43e3a6865744bd462de1bedbf1cf1c30b377b0c14a70e06ed7c7616880b39f0ec5120ac82f949ac187b19e9e353b3f841d4e87e4c2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AHBg5VaLnLap.bat

Filesize
199B

MD5
e21fc0c4a0071a90ca7e8ed959a93fe4

SHA1
2c6aa632dff71818e26f331b2006c137a4fbb283

SHA256
1df6ec01a5d5ebacf77f2bb9300eea6ccd42c3fbc8b45f4900ffdebb8aaac6ff

SHA512
0eeb937b204db5227c6e1d0555f5624bfd340b9adbbac362d32d2a821f9de5f89acab0b2a0157adb9b683d07fec2dd851ebec6e0191e28c8d0ed5b4e139d7822

Download Submit
C:\Users\Admin\AppData\Local\Temp\AqTA4ppshGpz.bat

Filesize
199B

MD5
f9c035409503d9c123aacaf3b07d22ff

SHA1
b2592e8322acdc84103b50d17188a9c91f928caa

SHA256
ba08696127bc406272ccc6b1833c867f92252dacb53d11e20259126242b8b75c

SHA512
b61c29e6ed5692694dea358f84343a7abf7ae376072792580628ef44fdcb8cb6b3e3ec9e6464ceb9e65567980207451526f2a62425f30cfe512068e4e4e8b3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cw2hhynP3nei.bat

Filesize
199B

MD5
772575603b4cd95f8c9e9576057bb74e

SHA1
818b3f987864a0c84cc0d7a4c7669a615ace52be

SHA256
2a574dfaf10af82e96f7eded2d86afd7468c313f005d0fe3fb950e7154af015d

SHA512
92c5700275a52a69a50b303013e08d6d6a314b30db6a0f525ec6d7a2c49776e89d9d2b0b3bcfb9357c116a4ed63aa926f499ada4ce62915cfce4ffe102f5e9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\D8PB1z8UmyXp.bat

Filesize
199B

MD5
490587da3aff488e4c03cdd6ce77206f

SHA1
2091a85f02bb76216fb05b88f8446b691bf797dc

SHA256
d00f91583ba1634ace90b5c1c4ce56d18d485a825d17722918d3dd87671099a3

SHA512
59a58da13782e7b6082b54e1d0bd41b08e85c02796f1069fdc7f8277535425397bd45dd6cfc1538a3b6d38fd48150efcc4f38dfca768c26160b4684b94af7850

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dfj9sOjeSMF3.bat

Filesize
199B

MD5
ff8615f25cbe407e807ac2b8174dcb4b

SHA1
9b311a2c72fbe85ba7bf731d9c4099c1fc99a136

SHA256
a96fb7087b1b202e2aae2285e427e9ff81b3a5b5b97d0b50c981055204984c29

SHA512
3877260fc178b094a3dbfcf688a9c2acabed646f7e005f3339af18f26b6c9cbfbdf1f7cadc3e028d7de56baf5393a9a16b390d6abc850bbed4554b2692def435

Download Submit
C:\Users\Admin\AppData\Local\Temp\FqEL7irHLvq3.bat

Filesize
199B

MD5
a20bfc7ae12ed54ccd3dca98bf8ba728

SHA1
0ad56d232f7063b69e5d0df00a68ef6422e5d688

SHA256
b152f9fb7f1920f070f534bd17a0a35bd6b202a3d3c23c0d781f3e98d93d791d

SHA512
669aaf19da377aaf5d1dd656769c068e08f53e4827bc6dfb5b8766e996d01011ebc7c973e3515615b097d6348bac61c89dae89bf4f54abe55ea4b9738c64c4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gc0eQlX8PMvB.bat

Filesize
199B

MD5
50a643be97655b879fb44a4788425624

SHA1
c3c268a624254f086d7e106d0fb8292ab3adc723

SHA256
eeb1cd64502df056f505153b5b0f13406236db28c96705e6ae680748cdc6f1f5

SHA512
e3d98101ae9cbf352414521a2af264452b9662e54390c00475c0574d6cd9085df7e8b933f03908380f9d190bdc6dbbe1c3dc744fccb0f12e86085865f7f7be59

Download Submit
C:\Users\Admin\AppData\Local\Temp\KNCrOAiL18AZ.bat

Filesize
199B

MD5
fca4eabf6740eb0b78d1c94def21bdd3

SHA1
717e3c91a159f1ff26e18b0f309151cfdcf0749f

SHA256
08ce7e0643d56f25dac731f6a836d427e06461c276bd35126fedfa26bc5c6212

SHA512
7791b396c9f33dad2eb2e9122e819b98d2889ed7f4a9a2117c245b33674bdf2c1322fe634524ceb035e2b8cdd0ae32dcf09395f8e127c595ca01a9d920ad615c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MTOhPqNbpKI9.bat

Filesize
199B

MD5
1e7bd1e26d7de728e5a03803805e0f3e

SHA1
88095f416068af653ea918d5cc2b5f4a153bd06b

SHA256
6a5f691651703e0c6dda092e40e27dfae1a19216bdc856d119980fbd50b2c8f1

SHA512
5da2d76ec4c153d24ab05522e5c2570098532d1d9a0a7fc4ac1715970796fdedc75c9e74babae904285c539f2588301cbff8d8b1fcbbfeea8a08d8bc1897745e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW7MmjvvhQoi.bat

Filesize
199B

MD5
6f0d906fc04feac341c90d09ff871e27

SHA1
2ea6daf4978735642961142949b53587ec35a89d

SHA256
68441e6490282bf9077f90319afc63d94b322941ef59f7e1a7096a699b74096f

SHA512
e30f686df14a4446e008c18c54ecb9daf588ac6632185001a690702b9e92f08d8e0ebe994d5bdcd6e4bc6443fba4f1ab098409b9575ec6952f38ada4280d7d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MnjL8Rshy8LB.bat

Filesize
199B

MD5
c8125cebdecefc8b3fb781d7528c7cc6

SHA1
15d70ad4ca77cc621394a094e11dc549fb40341e

SHA256
24906fa331b076ef3a349e4a3f52c655d6a5e6da8c06ff5eabc8a8b0030098e9

SHA512
248bbf3698cefe986c81524ecef2af9e65862be910af47c8f2207df35d887c2c26517c7fe20b934bdecbbce7ba4560f3ae0adf6c66ff8af069ab28e0845b26ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\PVMPbaJ2zIYh.bat

Filesize
199B

MD5
426bfa620666b2647533307098341574

SHA1
b4357e779c1b503c1facaad08db0679ac60e5393

SHA256
fe4ccf4378aead5c2fab3ad1555eb95852683d1fb2c7d349b89cb162ca625416

SHA512
51ae8e621512fad50450c36eb6c9f0e353dab42fe9bc8e487b9d358cbe05d0bef6210ba4ea24137ff25b4f38e8b8adf2c7e04c99d36cdddafaf5a5cad37d80a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QycVXJlC0ySC.bat

Filesize
199B

MD5
283db54142ce5f554cbba4080057820a

SHA1
890e086820e9bc5f7aa10c3e79cf4ea4441a66f1

SHA256
7cb50e1f757fe522052113122db64870d1e9573616ce5828586e1949d6b4785d

SHA512
ffc2afa8ab2cc5c37a10c6e4570332c120b22644f8ef190ee32c41f8d299460ed6a90faa52d4761202eb740c9c1f5abea4f0913bab7e95326cb8faf7d96cda48

Download Submit
C:\Users\Admin\AppData\Local\Temp\RM1P7mp1c7h9.bat

Filesize
199B

MD5
c12f802294eb2ae69a10a1669522b4a9

SHA1
60db95a1ae49c38745e7e3da3ec907e2f6ad7065

SHA256
a2007d2cdd945cfee09f61c3df0669b6649e69b6ce860b1cd459aee34082a3a5

SHA512
9b58da161a6b2fdcfc6d43ea4215c487e57f642dcd8545d30bf56f5c509f628eba3b8ac9c7e97d72c9140b73233c27fdd60c2dadb3b909a41f54d99d3492c3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TahSHmg5whOB.bat

Filesize
199B

MD5
3da12418d7a083eaf960eec1e4897c20

SHA1
65b976af6e99acb6f7d8ebf65fb623fd1e6ba2d3

SHA256
f72c531dc1eb6550a5a3a0d7d1a5c38c623d0118b4a141a943863c351da1a250

SHA512
e4c7ecc2cf064beb2e43b1be26956bed12b7dd3c6a48a90ab9f90b4975d139873a47b3a2305509619dc3c4e395666f2a61d7fa5257b3b6ade64542883a84b7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TlKIKzlZWjFS.bat

Filesize
199B

MD5
4ceeceac675110e6a64724d53ec9c0cb

SHA1
c1b4592d6c769cf17eace11259872cec7cda711c

SHA256
c1f12756c2f85afa32dc1e3decce20e6134d1a482da1e4ff4bcb9465b100f223

SHA512
1fa886937b7cdc827dac55b3a622d7b2d83dd464bc49344ad16caf744781c0032d18075f978a8551642be44658b49e75aeb4fc018560284953e3bc0094e4fc4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TqzDvESrlAJL.bat

Filesize
199B

MD5
d73afa3b2183468ea92c60f9105f36a4

SHA1
4c9cebb27a847b396ea7c422f4b546fc834647e3

SHA256
4fa02448c1c984a40a58d1236be4e7e8b94486f7a56eb419e3d0e77444627cab

SHA512
2cd59f620e6fe0fc5cc29fcd303f8ccaf1d75200e5bf1309d84b79d7bc598f36c431385ebdc04a3d389834aa92a44f5a9091ab17d36db227d695d4ecf93e70f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXuK63nTjGsj.bat

Filesize
199B

MD5
bc1551844e4cd5d61024445bbdac5364

SHA1
48a92f2c3c74c4efbfb54616e83170ae5e9bed74

SHA256
4b55ef218732dffe0b61fbab9a767ebd45989e9f4300a5232fa9afc0c2fa695f

SHA512
7dee530edab42cbadb2163c2d3ce9a5b5a1b28f965d218f08766f3d87050f2dac64170acb4578cbc9e682a7640a275714d3d2ad7e81f6c8afc2eebf5dac596f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ww19OfLf7DMF.bat

Filesize
199B

MD5
0a80d92c8d8db4e5c5681ceb0e180db1

SHA1
3237e0c625e40ce40a40a1f8ab40b9bed968b480

SHA256
cf175bce3bb063e88bdc149a2a9e5a7ee4a6873bb4888542e4452fcbf82d2643

SHA512
934f41270285430488bb6a99bb989617b2a80d9cc1972e0afcd00c452832f73406c2a4d74ada4be4ece98b5aaa5d9149fda91677fe441fd8e9edb30106e1c23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z6NOuyRfLTV8.bat

Filesize
199B

MD5
57363d4d9e6cadcb2e2fa9e1fc9edd2d

SHA1
d64670f98a7ceffbb6aaf34c6f5ea599619d5312

SHA256
1daa4ca409a905dd3b6c740f7cafd7b4cd87d485d45aa88bfd498e929b97287f

SHA512
dd06f990ecea75bbc3a3bc932c18ef94ce38c8f27c19ea8ed1251deb350683e5ef2bfec37b48de9d00a08463a0bf942c5375e7dd7406062e6625c2374f4aba79

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcGsGQniChL6.bat

Filesize
199B

MD5
a50a7b15544b77971ab575c51de672b5

SHA1
ce7b372644b4bc03d5983344765efcaf1fc9b095

SHA256
1b6fde737624d348561e0cee67dc314481ef7e8721b04a66605e30c6aebd823a

SHA512
eed24ad95be30887ba0fc0b4cfb6de802ac1ffc337efdf382064981184369b0e11c3619b6d835fc5e479f5d2cb6ebce3ca50ec692e8b8239bb9d06c45c1c0de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cNKbRFHPS0Fd.bat

Filesize
199B

MD5
8da1b4e806705a39bfea7946e7a52ba8

SHA1
cb28a2166eed5875dd9ffdde74076038779672d6

SHA256
1af44e1da1d4e3052b7bacc79ffdba906a57681669464aa86b7817fb62dcf11a

SHA512
707fcf8465011841115b86d6d7d05050db390f964e70b7377e213b2ed47440728afad1df3bd1e8006ccd8d6a67a33087efbcd2fea1bb597aa1b2faf08a0a2147

Download Submit
C:\Users\Admin\AppData\Local\Temp\eWgybUP0DgiG.bat

Filesize
199B

MD5
d5b783ab24c51e7385c7a42e7f0a87fb

SHA1
df8c03c8ee288d2a8af1418cd5b6e37409b2b499

SHA256
161106b2b95dd942f08bec933d2113d3ceda966273e8c28fdb09609e3ca2c8c0

SHA512
8b8973ee939a0b4b8d0bb74963d98b9b8337edd39b6590d5f61637907942281104602210fd95bdf93939e7b4ab510696a8ded0488a7d39946404d56112a10938

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgo8O2U7BCnM.bat

Filesize
199B

MD5
418c658b2f4a57540ee2196d3ef0ff94

SHA1
1e547fa9421abc69231f59ce1a8d51e1f6760d6b

SHA256
dd83acb1c2156d7db6b212fbf31c751b238b8d65789a29f54f5796ebcbc8a5da

SHA512
1cde77c8b7668eba5888ca8ac6c02e531215166dd2e55972ad51e098fe8d974b4a258a70d4a4b3332f6ebc456e3657382fea9517564ddb3484d435994e784744

Download Submit
C:\Users\Admin\AppData\Local\Temp\meQLWFqADY7F.bat

Filesize
199B

MD5
0e584704022f6fb2d5401e657c7e88fd

SHA1
f1621bf00f7a052faefcdf877f420534f5897451

SHA256
348134c24b36e0b1256dd62af002c0f754a182e6e18494b8f32e8f0c01599b86

SHA512
3b656e0ee45d0c1cfb5eb6656759c0bb5900597efc99e655407546bc5d2773b4416880cd4bf5472e8990c1b4d2e43ba7aa726209a50619d3a5b0b6205113db20

Download Submit
C:\Users\Admin\AppData\Local\Temp\wC6THXwPyEPS.bat

Filesize
199B

MD5
d12736f7500f9b3eaa36d7b8da4cdba5

SHA1
583d2137dcb93f3c3839f2411a9be911190237d6

SHA256
29d164c5db92fe5ea79d25753b78d390d759bac0421edecc27be264ceef240b7

SHA512
cd6bf613b0bb8feb964faec9fb2892271e9205183679168fc37551e608f9b11b2776fa68081db71f71e1e84d5430c531eb5b4510d2199c0f3f038103c428698c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\2024-12-13

Filesize
432B

MD5
b909c62f2e2e497d42b1c7c29d6b5878

SHA1
7056f24a9818787929d4c1e53d2081502b2f8e5f

SHA256
cd96d392009a2275055e1e17009a6138769d59dfa09e85b7fd06c26151ced1a5

SHA512
2ee58196e33625eb3b645086134938f0c876f802b3c95bc8889cdcb3f9dfaeb4a5cedc07dbbf05531a46cdaa12b4569832d3128634d8c15903fb94f4333a61ec

Download Submit
C:\Windows\System32\System32\svchost.exe

Filesize
3.4MB

MD5
15cb2f245ebee2dd12e4b8cea5aa0061

SHA1
0fe7b4c8a4336a9ca20b563bb4288f7bb352ad5e

SHA256
d6d5f4a8d6476063c19d34d4c28d4940258f6fba0aad2fdccd42f812496f59db

SHA512
39193ceb136f05e989cd0ab62bf77bf8d548536e958723311bfa9a30e9aae728f1a8c631dae1bfa6cf0a02f51673879c9901c9662d17d9e3ac953104bb02c6fa

Download Submit
memory/648-2-0x00007FFE79A50000-0x00007FFE7A512000-memory.dmp

Filesize
10.8MB

Download
memory/648-1-0x0000000000730000-0x0000000000A94000-memory.dmp

Filesize
3.4MB

Download
memory/648-8-0x00007FFE79A50000-0x00007FFE7A512000-memory.dmp

Filesize
10.8MB

Download
memory/648-0-0x00007FFE79A53000-0x00007FFE79A55000-memory.dmp

Filesize
8KB

Download
memory/3076-25-0x00000165EC6F0000-0x00000165EC6F1000-memory.dmp

Filesize
4KB

Download
memory/3076-21-0x00000165EC6F0000-0x00000165EC6F1000-memory.dmp

Filesize
4KB

Download
memory/3076-16-0x00000165EC6F0000-0x00000165EC6F1000-memory.dmp

Filesize
4KB

Download
memory/3076-15-0x00000165EC6F0000-0x00000165EC6F1000-memory.dmp

Filesize
4KB

Download
memory/3076-24-0x00000165EC6F0000-0x00000165EC6F1000-memory.dmp

Filesize
4KB

Download
memory/3076-23-0x00000165EC6F0000-0x00000165EC6F1000-memory.dmp

Filesize
4KB

Download
memory/3076-27-0x00000165EC6F0000-0x00000165EC6F1000-memory.dmp

Filesize
4KB

Download
memory/3076-17-0x00000165EC6F0000-0x00000165EC6F1000-memory.dmp

Filesize
4KB

Download
memory/3076-26-0x00000165EC6F0000-0x00000165EC6F1000-memory.dmp

Filesize
4KB

Download
memory/3076-22-0x00000165EC6F0000-0x00000165EC6F1000-memory.dmp

Filesize
4KB

Download
memory/3608-13-0x000000001E400000-0x000000001E928000-memory.dmp

Filesize
5.2MB

Download
memory/3608-9-0x00007FFE79A50000-0x00007FFE7A512000-memory.dmp

Filesize
10.8MB

Download
memory/3608-10-0x000000001D370000-0x000000001D3C0000-memory.dmp

Filesize
320KB

Download
memory/3608-11-0x000000001D9C0000-0x000000001DA72000-memory.dmp

Filesize
712KB

Download
memory/3608-12-0x00007FFE79A50000-0x00007FFE7A512000-memory.dmp

Filesize
10.8MB

Download
memory/3608-32-0x00007FFE79A50000-0x00007FFE7A512000-memory.dmp

Filesize
10.8MB

Download