quasar | c0dab721d866a195e277db6b0ccbe1f5b014e56f27a7a73e6f61cd6d22dd47c6

Analysis

max time kernel
600s
max time network
441s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

82c128ff06c769276e959ef2e0435a98
SHA1

426e40df051e213c513de2137b6d956f5bfe8396
SHA256

c0dab721d866a195e277db6b0ccbe1f5b014e56f27a7a73e6f61cd6d22dd47c6
SHA512

b82a61631719d542e0f159d643409d23d01946565e7598703de0eb9783011d9ce5b2abe50de570ecbe38573f1490aae927173bbc74426997f8e6356d71ba961c
SSDEEP

49152:uvAG42pda6D+/PjlLOlg6yQipVXgbRJ6kbR3LoGdqlTHHB72eh2NT:uvD42pda6D+/PjlLOlZyQipVwbRJ6u

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

https://stable-notably-hound.ngrok-free.app/:443

Mutex

628470c9-2393-45af-9798-10641bcd6445

Attributes

encryption_key
A5F0EE2DBE7A3009387617912AFB48C127E2B576
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/3532-1-0x0000000000580000-0x00000000008A4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 58 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client-built.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 58 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4932	PING.EXE
4416	PING.EXE
980	PING.EXE
3188	PING.EXE
3052	PING.EXE
3940	PING.EXE
2724	PING.EXE
4660	PING.EXE
348	PING.EXE
1340	PING.EXE
3500	PING.EXE
1272	PING.EXE
2504	PING.EXE
3528	PING.EXE
4488	PING.EXE
4748	PING.EXE
2524	PING.EXE
1680	PING.EXE
1744	PING.EXE
684	PING.EXE
1388	PING.EXE
3360	PING.EXE
4260	PING.EXE
544	PING.EXE
5104	PING.EXE
4892	PING.EXE
2968	PING.EXE
4896	PING.EXE
2684	PING.EXE
2360	PING.EXE
4648	PING.EXE
4776	PING.EXE
4932	PING.EXE
4236	PING.EXE
4640	PING.EXE
1288	PING.EXE
4920	PING.EXE
3736	PING.EXE
2276	PING.EXE
5016	PING.EXE
4452	PING.EXE
4420	PING.EXE
3880	PING.EXE
4176	PING.EXE
2696	PING.EXE
1532	PING.EXE
1912	PING.EXE
2556	PING.EXE
404	PING.EXE
4244	PING.EXE
2164	PING.EXE
5016	PING.EXE
1928	PING.EXE
4028	PING.EXE
3792	PING.EXE
952	PING.EXE
544	PING.EXE
3140	PING.EXE

Runs ping.exe 1 TTPs 58 IoCs

Remote System Discovery

T1018

pid	Process
2504	PING.EXE
4640	PING.EXE
5016	PING.EXE
952	PING.EXE
1340	PING.EXE
4452	PING.EXE
3188	PING.EXE
1288	PING.EXE
2276	PING.EXE
684	PING.EXE
1388	PING.EXE
4244	PING.EXE
4648	PING.EXE
4776	PING.EXE
4420	PING.EXE
3360	PING.EXE
1912	PING.EXE
4932	PING.EXE
4896	PING.EXE
2696	PING.EXE
4416	PING.EXE
404	PING.EXE
4660	PING.EXE
1744	PING.EXE
5016	PING.EXE
2684	PING.EXE
3736	PING.EXE
544	PING.EXE
3052	PING.EXE
2556	PING.EXE
2360	PING.EXE
3792	PING.EXE
348	PING.EXE
1532	PING.EXE
4932	PING.EXE
1680	PING.EXE
3880	PING.EXE
3500	PING.EXE
3940	PING.EXE
4488	PING.EXE
4176	PING.EXE
1928	PING.EXE
4028	PING.EXE
2164	PING.EXE
2524	PING.EXE
980	PING.EXE
3140	PING.EXE
2724	PING.EXE
544	PING.EXE
5104	PING.EXE
3528	PING.EXE
1272	PING.EXE
4920	PING.EXE
4748	PING.EXE
4260	PING.EXE
2968	PING.EXE
4236	PING.EXE
4892	PING.EXE

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeDebugPrivilege	3532	Client-built.exe
Token: SeDebugPrivilege	2268	Client-built.exe
Token: SeDebugPrivilege	1292	Client-built.exe
Token: SeDebugPrivilege	2808	Client-built.exe
Token: SeDebugPrivilege	3240	Client-built.exe
Token: SeDebugPrivilege	4088	Client-built.exe
Token: SeDebugPrivilege	2856	Client-built.exe
Token: SeDebugPrivilege	4000	Client-built.exe
Token: SeDebugPrivilege	1264	Client-built.exe
Token: SeDebugPrivilege	3016	Client-built.exe
Token: SeDebugPrivilege	436	Client-built.exe
Token: SeDebugPrivilege	4428	Client-built.exe
Token: SeDebugPrivilege	2060	Client-built.exe
Token: SeDebugPrivilege	2376	Client-built.exe
Token: SeDebugPrivilege	2324	Client-built.exe
Token: SeDebugPrivilege	3488	Client-built.exe
Token: SeDebugPrivilege	516	Client-built.exe
Token: SeDebugPrivilege	4800	Client-built.exe
Token: SeDebugPrivilege	1316	Client-built.exe
Token: SeDebugPrivilege	4284	Client-built.exe
Token: SeDebugPrivilege	4344	Client-built.exe
Token: SeDebugPrivilege	4984	Client-built.exe
Token: SeDebugPrivilege	4212	Client-built.exe
Token: SeDebugPrivilege	4408	Client-built.exe
Token: SeDebugPrivilege	2836	Client-built.exe
Token: SeDebugPrivilege	2028	Client-built.exe
Token: SeDebugPrivilege	3928	Client-built.exe
Token: SeDebugPrivilege	4864	Client-built.exe
Token: SeDebugPrivilege	1672	Client-built.exe
Token: SeDebugPrivilege	1104	Client-built.exe
Token: SeDebugPrivilege	2432	Client-built.exe
Token: SeDebugPrivilege	1436	Client-built.exe
Token: SeDebugPrivilege	384	Client-built.exe
Token: SeDebugPrivilege	4380	Client-built.exe
Token: SeDebugPrivilege	4156	Client-built.exe
Token: SeDebugPrivilege	5040	Client-built.exe
Token: SeDebugPrivilege	400	Client-built.exe
Token: SeDebugPrivilege	3960	Client-built.exe
Token: SeDebugPrivilege	2456	Client-built.exe
Token: SeDebugPrivilege	2472	Client-built.exe
Token: SeDebugPrivilege	1740	Client-built.exe
Token: SeDebugPrivilege	4808	Client-built.exe
Token: SeDebugPrivilege	4436	Client-built.exe
Token: SeDebugPrivilege	4792	Client-built.exe
Token: SeDebugPrivilege	4480	Client-built.exe
Token: SeDebugPrivilege	4464	Client-built.exe
Token: SeDebugPrivilege	4948	Client-built.exe
Token: SeDebugPrivilege	4592	Client-built.exe
Token: SeDebugPrivilege	4976	Client-built.exe
Token: SeDebugPrivilege	5096	Client-built.exe
Token: SeDebugPrivilege	3572	Client-built.exe
Token: SeDebugPrivilege	2564	Client-built.exe
Token: SeDebugPrivilege	4828	Client-built.exe
Token: SeDebugPrivilege	2056	Client-built.exe
Token: SeDebugPrivilege	2372	Client-built.exe
Token: SeDebugPrivilege	4920	Client-built.exe
Token: SeDebugPrivilege	740	Client-built.exe
Token: SeDebugPrivilege	3880	Client-built.exe
Token: SeDebugPrivilege	3284	Client-built.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
3532	Client-built.exe
2268	Client-built.exe
1292	Client-built.exe
2808	Client-built.exe
3240	Client-built.exe
4088	Client-built.exe
2856	Client-built.exe
4000	Client-built.exe
1264	Client-built.exe
3016	Client-built.exe
436	Client-built.exe
4428	Client-built.exe
2060	Client-built.exe
2376	Client-built.exe
2324	Client-built.exe
3488	Client-built.exe
516	Client-built.exe
4800	Client-built.exe
1316	Client-built.exe
4284	Client-built.exe
4344	Client-built.exe
4984	Client-built.exe
4212	Client-built.exe
4408	Client-built.exe
2836	Client-built.exe
2028	Client-built.exe
3928	Client-built.exe
4864	Client-built.exe
1672	Client-built.exe
1104	Client-built.exe
2432	Client-built.exe
1436	Client-built.exe
384	Client-built.exe
4380	Client-built.exe
4156	Client-built.exe
5040	Client-built.exe
400	Client-built.exe
3960	Client-built.exe
2456	Client-built.exe
2472	Client-built.exe
1740	Client-built.exe
4808	Client-built.exe
4436	Client-built.exe
4792	Client-built.exe
4480	Client-built.exe
4464	Client-built.exe
4948	Client-built.exe
4592	Client-built.exe
4976	Client-built.exe
5096	Client-built.exe
3572	Client-built.exe
2564	Client-built.exe
4828	Client-built.exe
2056	Client-built.exe
2372	Client-built.exe
4920	Client-built.exe
740	Client-built.exe
3880	Client-built.exe
3284	Client-built.exe

Suspicious use of SendNotifyMessage 59 IoCs

pid	Process
3532	Client-built.exe
2268	Client-built.exe
1292	Client-built.exe
2808	Client-built.exe
3240	Client-built.exe
4088	Client-built.exe
2856	Client-built.exe
4000	Client-built.exe
1264	Client-built.exe
3016	Client-built.exe
436	Client-built.exe
4428	Client-built.exe
2060	Client-built.exe
2376	Client-built.exe
2324	Client-built.exe
3488	Client-built.exe
516	Client-built.exe
4800	Client-built.exe
1316	Client-built.exe
4284	Client-built.exe
4344	Client-built.exe
4984	Client-built.exe
4212	Client-built.exe
4408	Client-built.exe
2836	Client-built.exe
2028	Client-built.exe
3928	Client-built.exe
4864	Client-built.exe
1672	Client-built.exe
1104	Client-built.exe
2432	Client-built.exe
1436	Client-built.exe
384	Client-built.exe
4380	Client-built.exe
4156	Client-built.exe
5040	Client-built.exe
400	Client-built.exe
3960	Client-built.exe
2456	Client-built.exe
2472	Client-built.exe
1740	Client-built.exe
4808	Client-built.exe
4436	Client-built.exe
4792	Client-built.exe
4480	Client-built.exe
4464	Client-built.exe
4948	Client-built.exe
4592	Client-built.exe
4976	Client-built.exe
5096	Client-built.exe
3572	Client-built.exe
2564	Client-built.exe
4828	Client-built.exe
2056	Client-built.exe
2372	Client-built.exe
4920	Client-built.exe
740	Client-built.exe
3880	Client-built.exe
3284	Client-built.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 1392	3532	Client-built.exe	85
PID 3532 wrote to memory of 1392	3532	Client-built.exe	85
PID 1392 wrote to memory of 520	1392	cmd.exe	87
PID 1392 wrote to memory of 520	1392	cmd.exe	87
PID 1392 wrote to memory of 2276	1392	cmd.exe	88
PID 1392 wrote to memory of 2276	1392	cmd.exe	88
PID 1392 wrote to memory of 2268	1392	cmd.exe	91
PID 1392 wrote to memory of 2268	1392	cmd.exe	91
PID 2268 wrote to memory of 2524	2268	Client-built.exe	93
PID 2268 wrote to memory of 2524	2268	Client-built.exe	93
PID 2524 wrote to memory of 1284	2524	cmd.exe	95
PID 2524 wrote to memory of 1284	2524	cmd.exe	95
PID 2524 wrote to memory of 3792	2524	cmd.exe	96
PID 2524 wrote to memory of 3792	2524	cmd.exe	96
PID 2524 wrote to memory of 1292	2524	cmd.exe	107
PID 2524 wrote to memory of 1292	2524	cmd.exe	107
PID 1292 wrote to memory of 4472	1292	Client-built.exe	109
PID 1292 wrote to memory of 4472	1292	Client-built.exe	109
PID 4472 wrote to memory of 1224	4472	cmd.exe	111
PID 4472 wrote to memory of 1224	4472	cmd.exe	111
PID 4472 wrote to memory of 5016	4472	cmd.exe	112
PID 4472 wrote to memory of 5016	4472	cmd.exe	112
PID 4472 wrote to memory of 2808	4472	cmd.exe	120
PID 4472 wrote to memory of 2808	4472	cmd.exe	120
PID 2808 wrote to memory of 2756	2808	Client-built.exe	123
PID 2808 wrote to memory of 2756	2808	Client-built.exe	123
PID 2756 wrote to memory of 3016	2756	cmd.exe	125
PID 2756 wrote to memory of 3016	2756	cmd.exe	125
PID 2756 wrote to memory of 4660	2756	cmd.exe	126
PID 2756 wrote to memory of 4660	2756	cmd.exe	126
PID 2756 wrote to memory of 3240	2756	cmd.exe	128
PID 2756 wrote to memory of 3240	2756	cmd.exe	128
PID 3240 wrote to memory of 980	3240	Client-built.exe	130
PID 3240 wrote to memory of 980	3240	Client-built.exe	130
PID 980 wrote to memory of 4956	980	cmd.exe	132
PID 980 wrote to memory of 4956	980	cmd.exe	132
PID 980 wrote to memory of 952	980	cmd.exe	133
PID 980 wrote to memory of 952	980	cmd.exe	133
PID 980 wrote to memory of 4088	980	cmd.exe	135
PID 980 wrote to memory of 4088	980	cmd.exe	135
PID 4088 wrote to memory of 3300	4088	Client-built.exe	137
PID 4088 wrote to memory of 3300	4088	Client-built.exe	137
PID 3300 wrote to memory of 4268	3300	cmd.exe	139
PID 3300 wrote to memory of 4268	3300	cmd.exe	139
PID 3300 wrote to memory of 3500	3300	cmd.exe	140
PID 3300 wrote to memory of 3500	3300	cmd.exe	140
PID 3300 wrote to memory of 2856	3300	cmd.exe	142
PID 3300 wrote to memory of 2856	3300	cmd.exe	142
PID 2856 wrote to memory of 2624	2856	Client-built.exe	144
PID 2856 wrote to memory of 2624	2856	Client-built.exe	144
PID 2624 wrote to memory of 4988	2624	cmd.exe	146
PID 2624 wrote to memory of 4988	2624	cmd.exe	146
PID 2624 wrote to memory of 4244	2624	cmd.exe	147
PID 2624 wrote to memory of 4244	2624	cmd.exe	147
PID 2624 wrote to memory of 4000	2624	cmd.exe	149
PID 2624 wrote to memory of 4000	2624	cmd.exe	149
PID 4000 wrote to memory of 3904	4000	Client-built.exe	151
PID 4000 wrote to memory of 3904	4000	Client-built.exe	151
PID 3904 wrote to memory of 3892	3904	cmd.exe	153
PID 3904 wrote to memory of 3892	3904	cmd.exe	153
PID 3904 wrote to memory of 3052	3904	cmd.exe	154
PID 3904 wrote to memory of 3052	3904	cmd.exe	154
PID 3904 wrote to memory of 1264	3904	cmd.exe	155
PID 3904 wrote to memory of 1264	3904	cmd.exe	155

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W1wqMCWIpKSY.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:520
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2276
- - C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koA3wHMoMTbN.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1284
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3792
    - - C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1292
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JB2AFrrodBcg.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1224
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aalF3NHcpfUI.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BVx3DgM82rEu.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RDKIpPDAS2Fn.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dp4uwDRwepB5.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        15⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kT91Z5bZVl7I.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O1O6P0aQQQSG.bat" "
        18⤵
        
        PID:5008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        19⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NVhjaLNVekfv.bat" "
        20⤵
        
        PID:1512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        21⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k0r6GBQv9N8F.bat" "
        22⤵
        
        PID:2364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1152
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        23⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AExpUdQYSTuh.bat" "
        24⤵
        
        PID:1444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        25⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\97URt4VFk3Vd.bat" "
        26⤵
        
        PID:1080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        27⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0qCK9INIGVHW.bat" "
        28⤵
        
        PID:876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:3644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        29⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nPCdIAtA57Ig.bat" "
        30⤵
        
        PID:4124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:1496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        31⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\slKpi2EpLU2O.bat" "
        32⤵
        
        PID:2088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:1428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        33⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XeiZ2vrUBqoC.bat" "
        34⤵
        
        PID:2684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:2056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        35⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\udOkNYaij49M.bat" "
        36⤵
        
        PID:3772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:2632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        37⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOPZgixC6kII.bat" "
        38⤵
        
        PID:2480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:3528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        39⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmOxynbCvXBD.bat" "
        40⤵
        
        PID:1324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        41⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmVFPzRJCovM.bat" "
        42⤵
        
        PID:2236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:2676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        43⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QTt1gujdlfud.bat" "
        44⤵
        
        PID:716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:1568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        45⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        45⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hzp6oWOaVlvz.bat" "
        46⤵
        
        PID:2040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:3232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        47⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        47⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3oEFhlNRWi6D.bat" "
        48⤵
        
        PID:2756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        49⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        49⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v6PQIeHevdsS.bat" "
        50⤵
        
        PID:1284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        51⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        51⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGSAuJXs833r.bat" "
        52⤵
        
        PID:2044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:1740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        53⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        53⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sjgIAJgIXWhe.bat" "
        54⤵
        
        PID:1220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        55⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        55⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m0VPReexjrF9.bat" "
        56⤵
        
        PID:412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:1608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        57⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        57⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ny5yW9cgvpw3.bat" "
        58⤵
        
        PID:1900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:1912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        59⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        59⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s8jVkQoCgloA.bat" "
        60⤵
        
        PID:4992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        61⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        61⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOSOAWKN7q4X.bat" "
        62⤵
        
        PID:4464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        63⤵
        
        PID:5060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        63⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        63⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R8lkKyvyGb8V.bat" "
        64⤵
        
        PID:4660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        65⤵
        
        PID:5104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        65⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        65⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEw0WX2xPXAm.bat" "
        66⤵
        
        PID:4316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        67⤵
        
        PID:1296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        67⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        67⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmDwahsQ4pkO.bat" "
        68⤵
        
        PID:4524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        69⤵
        
        PID:2268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        69⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        69⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqChep6fsMjj.bat" "
        70⤵
        
        PID:532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        71⤵
        
        PID:1388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        71⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        71⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9LgSaNioiV2X.bat" "
        72⤵
        
        PID:3284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        73⤵
        
        PID:700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        73⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        73⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QFrwBGotsego.bat" "
        74⤵
        
        PID:1188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        75⤵
        
        PID:1620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        75⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        75⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeQoSS8LZFAE.bat" "
        76⤵
        
        PID:5060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        77⤵
        
        PID:4544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        77⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        77⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z5zbySx6FnPo.bat" "
        78⤵
        
        PID:4664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        79⤵
        
        PID:4460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        79⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        79⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMeY9Bt9Fzev.bat" "
        80⤵
        
        PID:4016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        81⤵
        
        PID:3044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        81⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        81⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9icJprTJpRpU.bat" "
        82⤵
        
        PID:1400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        83⤵
        
        PID:4240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        83⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        83⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOHW47M9IRgS.bat" "
        84⤵
        
        PID:1080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        85⤵
        
        PID:2560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        85⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        85⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rZdPx1cpH60N.bat" "
        86⤵
        
        PID:704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        87⤵
        
        PID:2404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        87⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        87⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kp13JaeviTRh.bat" "
        88⤵
        
        PID:2492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        89⤵
        
        PID:1912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        89⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        89⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XZLPMrYu3AVl.bat" "
        90⤵
        
        PID:4876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        91⤵
        
        PID:2228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        91⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        91⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7XxlH5LcWqq0.bat" "
        92⤵
        
        PID:4280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        93⤵
        
        PID:692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        93⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        93⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q0cnAYuqEB8h.bat" "
        94⤵
        
        PID:3852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        95⤵
        
        PID:4568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        95⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        95⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMi5esU1IA7V.bat" "
        96⤵
        
        PID:1520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        97⤵
        
        PID:4268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        97⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        97⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yz5EAMYbnHhb.bat" "
        98⤵
        
        PID:3436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        99⤵
        
        PID:3304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        99⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        99⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VvvxW4PBikAI.bat" "
        100⤵
        
        PID:1220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        101⤵
        
        PID:4632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        101⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        101⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RhijUVTvw2RR.bat" "
        102⤵
        
        PID:2072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        103⤵
        
        PID:4364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        103⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        103⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qb1DIKj453f4.bat" "
        104⤵
        
        PID:1800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        105⤵
        
        PID:3136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        105⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        105⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vakpa71r18Jt.bat" "
        106⤵
        
        PID:3756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        107⤵
        
        PID:4288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        107⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        107⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u6kQQaAYWnig.bat" "
        108⤵
        
        PID:2636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        109⤵
        
        PID:3652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        109⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        109⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkMFgtEs1iTA.bat" "
        110⤵
        
        PID:3500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        111⤵
        
        PID:3300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        111⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        111⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pnmM3pGvvmFn.bat" "
        112⤵
        
        PID:1528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        113⤵
        
        PID:3304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        113⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        113⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NHa3zJG6tmTp.bat" "
        114⤵
        
        PID:1556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        115⤵
        
        PID:2676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        115⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        115⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUoZ1raJds84.bat" "
        116⤵
        
        PID:632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        117⤵
        
        PID:3664
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        117⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        117⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\njLq3fY9Ohn2.bat" "
        118⤵
        
        PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0qCK9INIGVHW.bat

Filesize
209B

MD5
63a419496eed73f105a3237a27738ec5

SHA1
a15dbeedc24495378ae4cab528c2899e703b4ba0

SHA256
0582a38bf19e1a03d4f7ee732ac4d030d159dcd1a3076ab1687bf77f48344cec

SHA512
f04c71f1039ceb2a2ec46c084ef059339e13c5c0a6d1c7834c54a99d82fb3825b91625f730d7fbf9ddf666c1b8933a51b3df170cb38ba67bcf52189b8a53edb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3oEFhlNRWi6D.bat

Filesize
209B

MD5
256bd515fd76bff7dbbf781d75f88344

SHA1
87936664f6ef1cd44204534710afdd26b82c4cc6

SHA256
5ba8739cb0788ab2aad33f498335084fe109a7c2b6d60fbb56b6c25fa936f69f

SHA512
a2b259c2a921aa8a6deb5e3d557a71b5544241ade6be15eafc2eeb10cf3e22147817e5f7c1efdb46f2303711c500553eeacc5b658b0995d9c9707885dfa8ffee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7XxlH5LcWqq0.bat

Filesize
209B

MD5
5796824e8474015af0a9326f3cd1cb5a

SHA1
9ed384d37afa11d771925ec2624703f592424f12

SHA256
544ac441068c504f9a5e8a5580957311ae1b2e4b308b0f4c860ac0b5ee09463b

SHA512
7e4d4e416e99753714a5f33f3744c88a08f380f09d54616fa36f694718d4dc428d1d298a1ca492c83029520a5cf380e34281ce4ed719b48ad2faca8cf8d2095f

Download Submit
C:\Users\Admin\AppData\Local\Temp\97URt4VFk3Vd.bat

Filesize
209B

MD5
bb2f1cdaad14a2eb9590230d167d5f1e

SHA1
c3c679fc7a6b829afaf7c9fdbeab0ec8ace11fc2

SHA256
a64fd1a363293c6187c32a1576ff675eadeea864e5115db61ec29252b36e1a58

SHA512
d690d4c99a9642a08d02c7846ff974fe60acc7a37d040b2445988e54e48967f81b23848b7b0cae55d901fdcaa1a186d4c88015832630e6869b9e5e0efe8d1c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9LgSaNioiV2X.bat

Filesize
209B

MD5
9d79d8c64980483e6ea5315dd71f109f

SHA1
19854fa1b75af890d7c30886ea27c26fd20fb2a5

SHA256
eb79a11c1f9228d1848e7a9bb19c444674a75a7036d4cdd694356d8a9f438b1a

SHA512
28a1ec3f36549c5244191a5d53b97e732c4761a91c279faadbc21198ff00cf5ae57910e43beac88be00cfb0d90abc9dc1830bebd7103deca307af654858634e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9icJprTJpRpU.bat

Filesize
209B

MD5
4a47b9f7ce6ad9082c28280bdbe6fed4

SHA1
74ec985314ee675dd35c6dfc4262802ffc627674

SHA256
0bfdb518e01288947471c24d63d0e6f5288f0c154d68b9180d474a5e4beeef7c

SHA512
21f66bbe087fa40ff87f9485957698c96141368ede16a5e7a32f44f0b65383c686cf243f12b7657f062c5525774cff17d57f8efba0f511c6e061c5205ffe83f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AExpUdQYSTuh.bat

Filesize
209B

MD5
45620223e6b726ec852be441e1216a0c

SHA1
30d8c399c09714f9a2ae41ddf1a83d12c40f3c17

SHA256
1d0bd65ae38030ef64ebbaf238ac9903a67247002b60a31b4f83c341a28be7de

SHA512
268dd20a777675d0277713641f673aedf2aae3cd6b277c2414a70d0aeba9ba83ca8ec2f1476c6561740735702e9a8b9aeb2fa08e051eb014981a62ceb592ec47

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVx3DgM82rEu.bat

Filesize
209B

MD5
c58262d0cf3e24cf0365c789ee4ef179

SHA1
72fc7a0bdf49b383500272b9592e8d2d3d51476e

SHA256
140b93fdaa58efab757ebec5e5c80e7509de9f17c44af180f547c72f27475b2c

SHA512
4ff835fecab0a068508698198796baa6081eca17bd7256ef144a598bfc0e1663652e682b78794c3bc7644f73f77c16da35ae83b20bf80d01f0c4f8d384d9a155

Download Submit
C:\Users\Admin\AppData\Local\Temp\DGSAuJXs833r.bat

Filesize
209B

MD5
4d55cf435a23e55ef7a3d875bc7e56c0

SHA1
b0581dfdcfb431169e458ef8aad46b95d19d6f90

SHA256
6f78f98346032de7262c88183efc2588de76a89b7ac7f59f86e7c8757cd49973

SHA512
147daeefd1979586e3bf2d8cd7b0074317c5d63c1c3ba9303925a4308e8cc0d61b3c996a739572f531faf049078794ccecc51408d09bf1a83b1dd3b910acd4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EmOxynbCvXBD.bat

Filesize
209B

MD5
35437374284104e8be724b8febdcc954

SHA1
6a0e54dd4a82283559032fa45c581348fd9d62ed

SHA256
09eaa0778ddc0a7c5cd714fac70624e7d571a6c7f13f27354306e84ba1c66d90

SHA512
05437965a27949a5a2387353ffeae49065d5e8654d6096c89ec5fc57ffd945129428fe442eb4d371dc3a35c705df0d38737a3e8dc3a751cd9e5fbbaff9299b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\FkMFgtEs1iTA.bat

Filesize
209B

MD5
0159a44f9cc8044daa42b6da89230023

SHA1
0a5da52c892bc594eac3518e2e79ad56f451711d

SHA256
36d2a4693344440f07914599120dd306b521eb2335f9577b67654b4ae3ca9b28

SHA512
4b7df28a9c7cc801a17dc9fb7c0193088e003573a03f88e33e3beead3cf65ddab010595ebc8883306319317790434ef951261af6503d5173b295d6c7c43206c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hzp6oWOaVlvz.bat

Filesize
209B

MD5
fb1afafdf972b458d5a54ea92ca90cac

SHA1
295e47cfed7f01b66137f051e7fba374561e45ec

SHA256
b4640fe7a35e5a55a3471a7b198fc33cd7f426228b14b31441e469f053e23b03

SHA512
09254b08e397ef01cb638987797f2285f4e619c9641ad7adb9d10ea16221b0816b378b0491961e3201ad5dfed0581708dc224afb0fd2a835c6f2968c60fcc43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JB2AFrrodBcg.bat

Filesize
209B

MD5
58f045ba26d622fa6e64caca3e1f98ba

SHA1
aa9b79c85c541b517cd5240b540d3d867395414c

SHA256
3718673d0f7c3f3e00bd8bf4a0b689be306a7bf27f431083c3d50edaac6260d3

SHA512
a0e611eb2d6ae8c2129b91eccd3be6006a594661c883c2d714b945978a5b2c1f787b25a264d5d948876edb85d75cc1240fbc340561f7ad46de50633d0c85635a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kp13JaeviTRh.bat

Filesize
209B

MD5
710049879d966d48bdf31982370ec9c1

SHA1
6b8359b9616dd6f6f45b09d8d5844a30f2f5669d

SHA256
bbac3fabc8f2dcc01d1f4ae419f5bddcfed77485718e4bc1e414465f1d49d9d9

SHA512
ca82fa39fb74ea5fa0141305e53f8705e0b770aabd2758a531eb137e9d9e7fd272bf55c84794541fac7dfec23007549e71673e763110451fce4fad3d413c83af

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMi5esU1IA7V.bat

Filesize
209B

MD5
1697fd54e7c0ba2419bd9ad0993b48c6

SHA1
51371b0b980b6893a363ca9aeb2984f15378b441

SHA256
ced5bcfabaa86c4ed47e2fcb750168a79d72e8f808e15b8e45e825faed08fd4a

SHA512
57850b9c2ef9fccaad3dd770d51b5853f5083054f4459b4f48a9c2df9df5010c22f5fe130cf2f512f5f367ef897f5b6bca7845aa4a23d4968ab05fd5fe1a8f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOPZgixC6kII.bat

Filesize
209B

MD5
1f13f60bd9e5f6b29c3f48e3910ff658

SHA1
ed841931bde54ad7b06cde21726f5d6dd742a8b8

SHA256
57266b529d440235a50e875313f3dede2c6aca6e2b1a5447186a25e5a7304cda

SHA512
49f3b1ad72596e78eac0f40d35afe99511a0472a42352cfcc5d23102855a33726128946977a32ee90004324742360405691e85a6a0a25f30bbe833eb3292a8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHa3zJG6tmTp.bat

Filesize
209B

MD5
570fb4aea9a80f325ce632008e06a5e9

SHA1
cff91a170f5e5d3e172b18f8407a6c4da536279a

SHA256
aa4af91705ce1c769dfb903edf36dc755cf5ebe7a38be39ead5d68511ea8ddab

SHA512
5af4485b0460c570797911ddb7ddbf691d252a7e86bd24e2e778b0f912628d664eec7b61d2198bd3e085fd752202a001ba97b34c0a9036217b0d788a045c52db

Download Submit
C:\Users\Admin\AppData\Local\Temp\NVhjaLNVekfv.bat

Filesize
209B

MD5
1217ec0d39eae03421c54101aab91101

SHA1
bd7dfca94167f89734da8f22160904ef77ab386e

SHA256
3e0a95fc39849ec8c57bd6f9bbe6d47d4ac80a97d6225fa85155dd6615f42802

SHA512
e9a0cf2a2dc172745fee62e29602b159987c639683f48d8141e04757f51da9f6e0d91e9e265b2441b8e3c7b2446062c1c1f4f8663e7af7b6345e279ca413a666

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ny5yW9cgvpw3.bat

Filesize
209B

MD5
0b427736d133ef14d52c4363b606c054

SHA1
c124ee7f755419a57e92fad4064901d390028435

SHA256
50e61e9cb5caca806b6a96fdc54b0af7243f1e2a04961ab14a582c6592894b76

SHA512
412c2ba4c07f2c135da0bfa452ddbb661bf57fb76a22ba4de68c842aee5391869786ec78b473f8606914a4ee9d46d3bd1b104cfbe2f6aeea6668f1128b2e5e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\O1O6P0aQQQSG.bat

Filesize
209B

MD5
e93324a64d3c2c52652d5ac5216c8410

SHA1
323a658f938b37e318bb06c97d28e32f5bd14c8e

SHA256
4f3b45d2fe094c11a5b18ac2c879ea73ade7b5f7a55fabdc6cab06b992b29c3f

SHA512
c2677fafdbb7ffd6c0cf5bc9cf76a5b16ed2ea8a086c86ef98b2556639b3d429657fa07c66aaa21d8f7eac6db02b5191cb62adb58d40ae27824cca1de5e00ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QFrwBGotsego.bat

Filesize
209B

MD5
43bd2740fdcd01c655edf74ca5528ed7

SHA1
9f6d45096c592790e6a8546eacbe34a9f3743d97

SHA256
10c5fd7211253fbc107ead588d8711abd52cdcdcf163bb0a546803382fd4cda3

SHA512
607ca73b0507de3aab46a1222717e6695c1e593af98d965ece0fa4049b5aaadb957f4b97cb14c0ac28a0d68a769bd07d2c3195d51d1171fbbd9ab503e2ae9526

Download Submit
C:\Users\Admin\AppData\Local\Temp\QTt1gujdlfud.bat

Filesize
209B

MD5
5030b1155654f4d8d964d6050f9ade69

SHA1
d96a50e9dda2bc93c821250d6dd5f4e5dad22acc

SHA256
0e0b291810f6e2a89eb197e47c57c3f13ace98c0a044476a1a6687539320fcab

SHA512
7a5eb741ab64532f3d7f830f8aed5e692e46d80448c9ca5021d6b8ff0039b19b1cad5804984507a79cd3dc4eaebd2e909e6c9a039c5b4fb8f286dfa016a9e487

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8lkKyvyGb8V.bat

Filesize
209B

MD5
401149833f0e14d232dd0903f6ae3322

SHA1
b5a5a4cd2b05a33ac3767714787613608415b70e

SHA256
67f803690f679bf6e0d7945f592c8517a2d3999efbc60c10de85217c403bc672

SHA512
08c203d9bacc6a54516bf5d3d79b5c6f56d6af6a16bd8eaf8112908bc166028339ade8e67bbb761c08cd7845906657a0fabece80dc5c1209512ff8adbfd2b08c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RDKIpPDAS2Fn.bat

Filesize
209B

MD5
5261c103f7079e7c335ec3fb993dbef7

SHA1
77099e9f4c2291aa12a1b9a6310c7968a6ca5a0f

SHA256
8908769eef37485e3ef3908d1c9ba630856333e03b6a84d4444195c5b118fee5

SHA512
0973746756616c3f0e7ecc946c5595340e468131fbc07f3c07cc58132063591cb905db2488b3b3f3dc806dba3361bfcd3e090436e357976f08e96a065a1b13fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RhijUVTvw2RR.bat

Filesize
209B

MD5
01b9d1b2ae0e010b52a9db73082297d5

SHA1
c3edc3b6a66f971c57bdc666481c81c509b3ec00

SHA256
3749ad68359df13e2f7e44cd6b742ca9a677976911f839834f0f23f51a06810f

SHA512
276c1b3c2528f01eb9688a6792c6640bb002c49b4fab0e9f242442a064de8a2595c2bbead30d42a1b65850bcf440ff4987e557b7e8af54d5f1cfb56b468d86ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RmDwahsQ4pkO.bat

Filesize
209B

MD5
bad80cb2116cfa8a1c4c3438cfdd23ca

SHA1
12f35c7bfdde600411a77fc03e6304dbeebd55b6

SHA256
394bc195648e4f67f06113daa09510ae0552e20479a1c1cf0a27182253756903

SHA512
bef3b8ec4dbd767c5e20ab6972427d32290238f51551da4b68e4a8c119b6c53b8044d878c2712bc4cb76ecc83b125f9c9efc04f00f3028c093a5648e00236fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vakpa71r18Jt.bat

Filesize
209B

MD5
387d8930ddf4a4144833ef3bfc32c01d

SHA1
bae9d041f284c462a32e8715d19d76e128059d25

SHA256
01169b2a2110bfb96e9f4dfb5a24ac1a7efd15c7a8e3b1f1b031f88648b0abfd

SHA512
d29f3543e55e5db56b4762980c97e4ed9570ab212aefeaf04be5aae707804e0281040463a1c0cc57e5dae53aea84f20903dc6600b780fab4560d8061d41fc8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\VvvxW4PBikAI.bat

Filesize
209B

MD5
f0e76b821671f2109d51c9aa933bb82a

SHA1
ca806f4b6c170a47a9a16a03367145ef2ab27205

SHA256
faef996da1d54e14b0797c3daff0f37bfdc5b718d8b864dd285820165a9d68b8

SHA512
50cd968ccdec59a6855038d2ced2843fbe030e2edab8934ba14079e22292a75b5da9ee3c48bf37e06379e5dad6605d436e6c9e46c3a804de2ba025018cab2796

Download Submit
C:\Users\Admin\AppData\Local\Temp\W1wqMCWIpKSY.bat

Filesize
209B

MD5
b1fed5eecc20180a423fd80f5a2932c6

SHA1
cc39c619f72f28413a83e39a2cba7a59e0e2ef40

SHA256
8b346bd476cd253d1cf85f60598218944f8f8c7291cb59d57369fa7fdf22386b

SHA512
c4ebb35d8bbe900dabbacefdcd8f423e3b358b8d1d1970f220dced1d15572c8799fea3077f1ff73e24411215851b7f15ea72086d7161281d35d4e162d903b6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XZLPMrYu3AVl.bat

Filesize
209B

MD5
b9391ee5b4563946f757e959108ed2b3

SHA1
5bae97b3840461572da7cb659631a2b6ab4abac2

SHA256
635238ead5264452ae10a5f01d424b14191c16f2065dcfa96f776fbb6e558011

SHA512
93172aaef0226775a9896d083bdfb21e3450b45b7ba2f075a53903764a569753c7f4b938619a5aa4c10dce59f5101a7f5220a126cb627aa97417891b03259be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XeiZ2vrUBqoC.bat

Filesize
209B

MD5
8b2fc975c3508573a1c7344a272feacb

SHA1
786e58fc7b9cfdd935d9b3025d0508546c717187

SHA256
c4731fc5d74b098ca08db440c4bb32dccb641af6021d27beb620d41c3b0f87e0

SHA512
25e96017a7440d1122f0dc0458fea220dace438e916d81d1f370df24f33bf7ac456d577215a15989784b7f2e3d9dea1eb4baaa7d016c2a1a58a58a93b30a04de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z5zbySx6FnPo.bat

Filesize
209B

MD5
cacce6020b958bc99851f3940d68918a

SHA1
882837282ad98bc971eb13a2e5938fc806149a8b

SHA256
0a98246ad1f9488b038c13d416bebbf9446e3f95dcbadbde4bece3e5ee1c6031

SHA512
325eb090bd809dea177b098b75f9c50b4063abdd454e3dbbd9d3ae60c0c20d7dfd926a8aec1ca123f67d37be43e8eebe54d4e2d6df80ca6dcaf2cf68161ed5ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\aalF3NHcpfUI.bat

Filesize
209B

MD5
0bf2b769c85e1f492540bbb365f91022

SHA1
7b75c99db3520594fdd873ffc299afee0beea77c

SHA256
e0eb8b2bf7e3277cc5fa88f8a1856ea4e2a9936bf09e4d1d3853596178ace5cf

SHA512
b2f897bff8011ac3cda65c96e56d230daf10e2536243665eb587e9eff0d0ce0fe120724484951dc8dad14c08e98e5a0d0c6d31bc0cf4e44a75243696d8d79b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmVFPzRJCovM.bat

Filesize
209B

MD5
ec7c02b498fea926ac1db9c8b1763166

SHA1
94b075ca5ff2d6425311d11b81c1d3e8983ee5ab

SHA256
2892a5102219e89fe69a053221b268c21ab3fdc2870c7bcd4f05bd4f25d0af5c

SHA512
ce413eaaf5ca42bdf04839ee339e66fdd9c819ec3aed2324b1f5248112103b8331d4b6a6a51bc5597108eee7ba3a627a445cf5933a0329c94ecd118406759229

Download Submit
C:\Users\Admin\AppData\Local\Temp\dOHW47M9IRgS.bat

Filesize
209B

MD5
6fd1c4523ca44920e33a3ae9a3adf247

SHA1
aa9f51b19100450110f0129098e801a531aca9d7

SHA256
d97c41cc0aea67553fca168ae216cb9af8476403239493836c0b0d2bb1042bb5

SHA512
7b0c98be8894599bcd6a8469deb86897efd8b683e093b1017b2dc742ab96afe9d52f8c019e6f4779b141d43d77493f02f9f2706afb73ced8171eb06aaee8fa05

Download Submit
C:\Users\Admin\AppData\Local\Temp\dp4uwDRwepB5.bat

Filesize
209B

MD5
f4493bd153494a1905db0e661412b43a

SHA1
59340b24b3a382508fa631ab4e6868ea76a30bac

SHA256
215816485256720b1f4b1c5c1de3f19fbfce86421cd1fda242d7ac04b10abdbd

SHA512
0fc9aa78016d8da6848993b450851af0b02b85b9e38588ea355d46ad0933124cc8ad5f0f85db6f9bf7c151f58e78957cedd03a32176bb7d893b26f16bdc748b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\k0r6GBQv9N8F.bat

Filesize
209B

MD5
35d7d1e51f5e51718d3efa296c1c261b

SHA1
cc77dcf7eee9ce8b4c98bc7579837bab064c8b9f

SHA256
75228a4b74a230ad3f39249a74469ed3e1f48b0535829be1cdc44838d9ed1dcf

SHA512
dccb853d32073c05777eb9ce5aaf777a5ee0f1723fd1aeca51d27bd0893aec28bef9873b335f79d231f88447138f3881429d23330bca482775ec247660aca98c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kT91Z5bZVl7I.bat

Filesize
209B

MD5
099635d9077483d601ab52b9d7264cf0

SHA1
b56bb034636a064cfc8269f48ac0621bec283453

SHA256
d3f2f8dd3e481bf6fe26d16f477898df06bb5abfefe60d2d7cef8571a82c8dea

SHA512
0d6394cb9524ebf9d5a9507912ab6bef8536c5cce11b72a52331071b577c055a391ed7e77b8455a919f84a50e9b5bef11f455ebd2e33e75ca1cd59e11a3704fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\koA3wHMoMTbN.bat

Filesize
209B

MD5
e7294eeed3f254eaa212ffa91edd0ba0

SHA1
8e1cc545e70da3f23f65a47df0f4d3d47ce135ae

SHA256
034180d1719cae470ab5a05c9f4b1da92a0e039a37c3cfca746f8c794e4069d5

SHA512
4577fdeeb91029e7cafb49046d2be246d5c0374f8ed680a5c3772889cf9f8ceb603d3fe04e816a626ee0e0b130000624932da2151795fc0f26a1e7fd390c6ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\m0VPReexjrF9.bat

Filesize
209B

MD5
28bf6de2a0239cc67c7d5df7e80fc22b

SHA1
6d1feaf623f2844b0a59ad86214965960f88c71f

SHA256
1cb42cb9c4ac3150c3593cf248b651c4e010ee109f95514a61dfb27f5f42304d

SHA512
28dce44d2923e655131a5cf0a33c88444dcc9d74633de107197e10640557d050f32dc5654397c92380a490fd2b16c050b48f52456c5f686f0a1223b2765003ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMeY9Bt9Fzev.bat

Filesize
209B

MD5
a38edb3dd2213b7c7b8dde3584813e63

SHA1
062264bd565b00be0c422b4263e7a5f1b5fbb328

SHA256
325b6d1930c15cfc70041f047b52195e3fe89e5dcf2b7e1683b3dc74ac52b09b

SHA512
085c8521d32887ec3d96e49e05b755134b17bb846a3c515fd903fd556fb7a7338f03407e0bd99426692a90f059e3c0ff53f390fae3e9fc7c81c71464232cd5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nPCdIAtA57Ig.bat

Filesize
209B

MD5
b7618d30ac10555c5d1322ed051cf8e6

SHA1
1cd80c317d2f70972a182adab82be8c7c83786d1

SHA256
ae95df830489ef3ea61ff5c66e59810db0d7b40883a4baa0ab1c3183e3c4d9be

SHA512
bd77c206beb487e2dbb81dd7d79c801f29179c9e7c7d921b16888647e1bb419a029261fc25fa84a6856f0e5611433e188438d05100ba20d25d5e2a3954318b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\pOSOAWKN7q4X.bat

Filesize
209B

MD5
f67ec0457dedb438945fb83bd4108073

SHA1
1df6bed6d156344b3614a02f6f6406a844fa3653

SHA256
98ccc707aca22a9f01b69454bcbb4d70ed3aad556ca279100fcfb9ef90fcf35a

SHA512
f1c7c52ac061397081aafd04e1a9b1515343b922dec64bc2ecc8da6e9663349f012307c6584bfb3c9bb52141bf74af76ca1a6299256e87d10807a6c0baf0b5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUoZ1raJds84.bat

Filesize
209B

MD5
b1a3b96b669ae2ba70abd56402acf8c7

SHA1
862fa82333c9131e19fa4aac2971af1e74ae7fae

SHA256
411528ff724b1f5576402b2055ee3050b6e26916b8ef5c7e15cb928391ece9e6

SHA512
1d2c7894cdf8204df2bf5218cbfdf901565f5f3a4e3aa1965c87e5541e35ab49ae32bd5d1e3a8f551887df44a24f8004d669b9ee0d93f602f694699195e9ab9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnmM3pGvvmFn.bat

Filesize
209B

MD5
ad74e37247ae041f7824c046546b8333

SHA1
140e9b3bf9a0ad79cb0872f28e8cda78b4fd90a8

SHA256
b86461406c5fe398fb251f94dca70d12da5b43c1db0857697bf6dc9aa35423fc

SHA512
f9bf63adb077a461838aeebedfc7cde13bb204b4a7e41f819ade94aaec215fb07a603e8b1e747bc691519f7095a1554f2848a7a32d25e018b99124d13a473889

Download Submit
C:\Users\Admin\AppData\Local\Temp\q0cnAYuqEB8h.bat

Filesize
209B

MD5
ffe97599af3fa1631fcf34dee3a78822

SHA1
9bb6d80572b0d0dcfe9737403f8b8c7dccab3e2b

SHA256
75a51c52a3aef4474359c05e184b6706d76be62414a148cf1b90c509cf3ea136

SHA512
fb9060eb63c20c8833a41312314fe0584b003e7d3ae98229f4eaf0f896484ae2d5dbc69136f2bd6a74c50825834b6242daeab334fe5d3cab9c4d111bf2d49ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEw0WX2xPXAm.bat

Filesize
209B

MD5
5bb63ad3688f4cec8c98332e6e15bbd7

SHA1
03b8d1517f52501a972455f7dfe0462e1ce83d03

SHA256
c60110abb36ea6a13101883bcd7e5f3e7ecc82559a799092612fb5ca2273735b

SHA512
f05b3e07f616c6a20a57c04b2fc97e4a68f340d4ab458876d7e771cb3cbab16dd60ab1a7e922b376407a8446c355f4ac1c1a73bc2424b1f23e8f9b3b274463c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qb1DIKj453f4.bat

Filesize
209B

MD5
50b1eda6d61405d4bd581252e9b52e0d

SHA1
0bf080d18b83243f7b2e988615608e01efed1fde

SHA256
866374c053e3dcc172f4950d9854228a42e6ceeba86a1d31ed149463e7e7f267

SHA512
2aa64a6be431ffffe40b93bb0ef7d08ebdaf3ee8e2202d8ede1bf4b0c98820c79e8d0b389bd8243fc67661037b854b90ac783658b8553480efde74870fb3a3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rZdPx1cpH60N.bat

Filesize
209B

MD5
49ecd02068dfbef2bf62894c28ed7ad6

SHA1
6f25d162f55e10b2d5a1f0e4bd865e92ef7d1e72

SHA256
4a6e12fa2abce2f027e1c1cf49b6d77e80dcef8be339afc59d88f4da8fa221cf

SHA512
ab318c898fff0c9f86c5282344f8104d6738ce1ebde62484823165040b4c9183ee0296b811dac664293b9b6075c6b39f780b1ff5ccccc59c8c917b87d2f3b68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\s8jVkQoCgloA.bat

Filesize
209B

MD5
a109411f8265d68e3dc19eaf64266d14

SHA1
f4ad9c5ea920426b2a3d2c7aa7152d37d667c855

SHA256
2cabd7ae3605655bc02c69fde7acbca37a1c9542ad428f3797e2d09a95891185

SHA512
aa84bb21ed240d98b8672c02ee68509e8e61ca554fb8a9e57d94e85a9c3ab119513c94dbe475753097f68faf0a840a3482618d7707a41f85e4aaaa51925fa6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sjgIAJgIXWhe.bat

Filesize
209B

MD5
55c9624979aae65fac19c00e9404fcd6

SHA1
e593b6de77f26ea7958469c11df11cfeda7f3508

SHA256
1616d0e559a8862b615530114247f8835933ae4f7c0f1126aef140cfcc2a38ca

SHA512
d9f6553154e5c3015db8cab2e9cc3a4a0907409c9fab6507bad14bfe10efa677c81703f4718d34a32d6f4d6f1659b8b17c0367035c8d4563f63f398e357138a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\slKpi2EpLU2O.bat

Filesize
209B

MD5
a9b4ce98ce0d0740d6ea26601ca22dc0

SHA1
210b071a6910b80878d32c532a4700ff68716431

SHA256
31414053c708a99633898bb5ffa20692f6daac68872994ab5faf8067458efb5e

SHA512
b62d04ac21f54a5da3cd9d3940a3cd8e7cb6559879a941155f76f777930acb9ceea5f9f213b82f11a0b7d60633f26640d145902918827ea4688c895c5dddd829

Download Submit
C:\Users\Admin\AppData\Local\Temp\u6kQQaAYWnig.bat

Filesize
209B

MD5
752c7a2ab754ecf5a818fa7d54ea1be0

SHA1
6471b4e3ec4c2394bae80635d1ecd014c95a56bd

SHA256
3859a6f2d7d689ceca405a49be0f904d01dc7b9e3048d6f5d4fb7c6d215ce9c7

SHA512
4ae4a6562327de210306f166203dfe9ad47c6a640a0bc7e9fe45f63ff61d4088ac044bcd4cf0791ff7e51e7c9969ae5a89ccc9aec27e5b9a33dd3d91afb67467

Download Submit
C:\Users\Admin\AppData\Local\Temp\udOkNYaij49M.bat

Filesize
209B

MD5
ad82fd448c0503c642f4368eb78cc77d

SHA1
04c2cea1eb15e43e8ed74900f80030907c638d65

SHA256
9419799fd8dd14efd561f0e91f3df2f2d4752049917607cdb2b7e7625f43fc6f

SHA512
967fb64257e9cadc9921f49e5ee315a99e7ffef969c7385a00008a8a64524daddc0a1046fa28976e650ff240d810bacd2cd869d4b06e177f25f10c6f5e524372

Download Submit
C:\Users\Admin\AppData\Local\Temp\v6PQIeHevdsS.bat

Filesize
209B

MD5
1c03ad2b169945f56ad99948a45d4754

SHA1
31061bfb7ad06097501e42fc91bcb5bfd5eda514

SHA256
3319c14139d265b31097fb713ca9ea9788698400b8e4ed2c92e388a03df0e97d

SHA512
0d34593a5db0e0416e27faca0a4af9e8eb69a20f4f7cc7eaf4a023bec4179ad998e4005bcf0ad7f82d8414982bcc6c1a2f6299a19b2227c894215d474e113bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqChep6fsMjj.bat

Filesize
209B

MD5
782b20e1395e1184ec28c2d208e0c67b

SHA1
ceb3a481399894874b36424050ad32e1aae5cb95

SHA256
bb55cf62ddb535b562d700fd05795fd5394abd77f9ef0ad0be17a444a24d09fd

SHA512
015da001c3fc8d27a2992ca3d5eb1f034b00e60ce47bbea2ff2e82611b57bd1ca035a13a3fa45b474d108b223448b4f0ccd07dd3b80f1c3318264dcf99f7dfc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yz5EAMYbnHhb.bat

Filesize
209B

MD5
bfbb9a2ba76f61102e9be2c7fc2b8038

SHA1
0d342b84c710ba77f1d755428701eefb442faa3f

SHA256
5ef893a815ce2a047bd313e2a6fae364a66042c378c4f86c02ffac90a05b6d59

SHA512
c2cb3a5f99e56a6a6cfec801365df7574439ff86371bce0805f6946257d8d34f604348cc8d7812a373f66d75ee5bde159c6387d8ddfdae2b3cd2a020edd2e5b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zeQoSS8LZFAE.bat

Filesize
209B

MD5
19805f7595ef335a5c85e510c0a83942

SHA1
8b912d62f6a0261febc6b39f35751028770c68d1

SHA256
4fe64bb784c9ce4127963fffc203faf7e3422c54382617038d5a2c3c12bd4091

SHA512
3c349c87e731ffb88de4ddf6b8735de822e78ac4a9fc591fa57b2b3802082f4772a563f2b3563289226f2f792b7471a1333761663e63a41139b244e87583a2ba

Download Submit
memory/3532-9-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/3532-4-0x000000001C0B0000-0x000000001C162000-memory.dmp

Filesize
712KB

Download
memory/3532-0-0x00007FFB67ED3000-0x00007FFB67ED5000-memory.dmp

Filesize
8KB

Download
memory/3532-3-0x000000001BFA0000-0x000000001BFF0000-memory.dmp

Filesize
320KB

Download
memory/3532-2-0x00007FFB67ED0000-0x00007FFB68991000-memory.dmp

Filesize
10.8MB

Download
memory/3532-1-0x0000000000580000-0x00000000008A4000-memory.dmp

Filesize
3.1MB

Download