quasar | cc4c02376c24053d287c965105bb92c236bbefea2dcff15cdf1c45b183246a8f

Analysis

max time kernel
595s
max time network
428s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

740d9f35b37dd1557744d0d1df0ae2a6
SHA1

fe55e2e2dc057298018a0ed7211096de0c014e0e
SHA256

cc4c02376c24053d287c965105bb92c236bbefea2dcff15cdf1c45b183246a8f
SHA512

8b7fb45bc4c44245f157225431aea64e8d600ee5441c3e8d0197d2ba366bf7ffc6c9a321323ba704b46f5f104d9f5d645c1f680223d38022605fbf182cf4e0cd
SSDEEP

49152:HvAG42pda6D+/PjlLOlg6yQipV3eRJ6/bR3LoGdtTHHB72eh2NT:HvD42pda6D+/PjlLOlZyQipV3eRJ6R

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

https://stable-notably-hound.ngrok-free.app:4782

Mutex

59d0faf1-ae3f-4d2f-9c0f-631501d0027c

Attributes

encryption_key
A5F0EE2DBE7A3009387617912AFB48C127E2B576
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2896-1-0x0000000000F70000-0x0000000001294000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 59 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 59 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2976	PING.EXE
4108	PING.EXE
1812	PING.EXE
1140	PING.EXE
704	PING.EXE
4436	PING.EXE
2880	PING.EXE
4864	PING.EXE
4020	PING.EXE
1124	PING.EXE
2772	PING.EXE
4588	PING.EXE
4968	PING.EXE
4148	PING.EXE
2228	PING.EXE
4892	PING.EXE
5092	PING.EXE
4952	PING.EXE
3948	PING.EXE
4440	PING.EXE
2216	PING.EXE
1640	PING.EXE
4736	PING.EXE
3872	PING.EXE
2360	PING.EXE
4476	PING.EXE
4344	PING.EXE
680	PING.EXE
1604	PING.EXE
4324	PING.EXE
1088	PING.EXE
4476	PING.EXE
3972	PING.EXE
3008	PING.EXE
320	PING.EXE
4536	PING.EXE
4944	PING.EXE
3144	PING.EXE
3172	PING.EXE
4564	PING.EXE
1720	PING.EXE
5024	PING.EXE
1708	PING.EXE
2196	PING.EXE
3624	PING.EXE
2872	PING.EXE
2256	PING.EXE
3944	PING.EXE
556	PING.EXE
3584	PING.EXE
4288	PING.EXE
5096	PING.EXE
4584	PING.EXE
2512	PING.EXE
684	PING.EXE
884	PING.EXE
4976	PING.EXE
2340	PING.EXE
1872	PING.EXE

Runs ping.exe 1 TTPs 59 IoCs

Remote System Discovery

T1018

pid	Process
4020	PING.EXE
4944	PING.EXE
2360	PING.EXE
1604	PING.EXE
3008	PING.EXE
3144	PING.EXE
1640	PING.EXE
5024	PING.EXE
2880	PING.EXE
4440	PING.EXE
884	PING.EXE
3624	PING.EXE
3948	PING.EXE
4864	PING.EXE
3944	PING.EXE
1088	PING.EXE
2256	PING.EXE
556	PING.EXE
4536	PING.EXE
3584	PING.EXE
1124	PING.EXE
680	PING.EXE
5092	PING.EXE
704	PING.EXE
4288	PING.EXE
5096	PING.EXE
3972	PING.EXE
1812	PING.EXE
4476	PING.EXE
1720	PING.EXE
3172	PING.EXE
4564	PING.EXE
2976	PING.EXE
4324	PING.EXE
4952	PING.EXE
2512	PING.EXE
2196	PING.EXE
4108	PING.EXE
4476	PING.EXE
4588	PING.EXE
2340	PING.EXE
4436	PING.EXE
4584	PING.EXE
2216	PING.EXE
2872	PING.EXE
1140	PING.EXE
2772	PING.EXE
684	PING.EXE
4148	PING.EXE
320	PING.EXE
4736	PING.EXE
4344	PING.EXE
4968	PING.EXE
1708	PING.EXE
4892	PING.EXE
4976	PING.EXE
1872	PING.EXE
3872	PING.EXE
2228	PING.EXE

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	Client-built.exe
Token: SeDebugPrivilege	4484	Client-built.exe
Token: SeDebugPrivilege	2072	Client-built.exe
Token: SeDebugPrivilege	1444	Client-built.exe
Token: SeDebugPrivilege	1944	Client-built.exe
Token: SeDebugPrivilege	2892	Client-built.exe
Token: SeDebugPrivilege	2096	Client-built.exe
Token: SeDebugPrivilege	3156	Client-built.exe
Token: SeDebugPrivilege	2260	Client-built.exe
Token: SeDebugPrivilege	1292	Client-built.exe
Token: SeDebugPrivilege	4444	Client-built.exe
Token: SeDebugPrivilege	1416	Client-built.exe
Token: SeDebugPrivilege	4168	Client-built.exe
Token: SeDebugPrivilege	3636	Client-built.exe
Token: SeDebugPrivilege	4172	Client-built.exe
Token: SeDebugPrivilege	3100	Client-built.exe
Token: SeDebugPrivilege	4848	Client-built.exe
Token: SeDebugPrivilege	2152	Client-built.exe
Token: SeDebugPrivilege	1680	Client-built.exe
Token: SeDebugPrivilege	2168	Client-built.exe
Token: SeDebugPrivilege	1056	Client-built.exe
Token: SeDebugPrivilege	448	Client-built.exe
Token: SeDebugPrivilege	4256	Client-built.exe
Token: SeDebugPrivilege	4564	Client-built.exe
Token: SeDebugPrivilege	1460	Client-built.exe
Token: SeDebugPrivilege	4284	Client-built.exe
Token: SeDebugPrivilege	4024	Client-built.exe
Token: SeDebugPrivilege	3864	Client-built.exe
Token: SeDebugPrivilege	4656	Client-built.exe
Token: SeDebugPrivilege	4540	Client-built.exe
Token: SeDebugPrivilege	1520	Client-built.exe
Token: SeDebugPrivilege	2232	Client-built.exe
Token: SeDebugPrivilege	5080	Client-built.exe
Token: SeDebugPrivilege	2128	Client-built.exe
Token: SeDebugPrivilege	3408	Client-built.exe
Token: SeDebugPrivilege	2900	Client-built.exe
Token: SeDebugPrivilege	4352	Client-built.exe
Token: SeDebugPrivilege	2924	Client-built.exe
Token: SeDebugPrivilege	1908	Client-built.exe
Token: SeDebugPrivilege	436	Client-built.exe
Token: SeDebugPrivilege	2748	Client-built.exe
Token: SeDebugPrivilege	2508	Client-built.exe
Token: SeDebugPrivilege	4636	Client-built.exe
Token: SeDebugPrivilege	224	Client-built.exe
Token: SeDebugPrivilege	4820	Client-built.exe
Token: SeDebugPrivilege	832	Client-built.exe
Token: SeDebugPrivilege	4792	Client-built.exe
Token: SeDebugPrivilege	2696	Client-built.exe
Token: SeDebugPrivilege	1736	Client-built.exe
Token: SeDebugPrivilege	4448	Client-built.exe
Token: SeDebugPrivilege	4044	Client-built.exe
Token: SeDebugPrivilege	2720	Client-built.exe
Token: SeDebugPrivilege	972	Client-built.exe
Token: SeDebugPrivilege	5112	Client-built.exe
Token: SeDebugPrivilege	4412	Client-built.exe
Token: SeDebugPrivilege	4864	Client-built.exe
Token: SeDebugPrivilege	2756	Client-built.exe
Token: SeDebugPrivilege	4840	Client-built.exe
Token: SeDebugPrivilege	2052	Client-built.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
2896	Client-built.exe
4484	Client-built.exe
2072	Client-built.exe
1444	Client-built.exe
1944	Client-built.exe
2892	Client-built.exe
2096	Client-built.exe
3156	Client-built.exe
2260	Client-built.exe
1292	Client-built.exe
4444	Client-built.exe
1416	Client-built.exe
4168	Client-built.exe
3636	Client-built.exe
4172	Client-built.exe
3100	Client-built.exe
4848	Client-built.exe
2152	Client-built.exe
1680	Client-built.exe
2168	Client-built.exe
1056	Client-built.exe
448	Client-built.exe
4256	Client-built.exe
4564	Client-built.exe
1460	Client-built.exe
4284	Client-built.exe
4024	Client-built.exe
3864	Client-built.exe
4656	Client-built.exe
4540	Client-built.exe
1520	Client-built.exe
2232	Client-built.exe
5080	Client-built.exe
2128	Client-built.exe
3408	Client-built.exe
2900	Client-built.exe
4352	Client-built.exe
2924	Client-built.exe
1908	Client-built.exe
436	Client-built.exe
2748	Client-built.exe
2508	Client-built.exe
4636	Client-built.exe
224	Client-built.exe
4820	Client-built.exe
832	Client-built.exe
4792	Client-built.exe
2696	Client-built.exe
1736	Client-built.exe
4448	Client-built.exe
4044	Client-built.exe
2720	Client-built.exe
972	Client-built.exe
5112	Client-built.exe
4412	Client-built.exe
4864	Client-built.exe
2756	Client-built.exe
4840	Client-built.exe
2052	Client-built.exe

Suspicious use of SendNotifyMessage 59 IoCs

pid	Process
2896	Client-built.exe
4484	Client-built.exe
2072	Client-built.exe
1444	Client-built.exe
1944	Client-built.exe
2892	Client-built.exe
2096	Client-built.exe
3156	Client-built.exe
2260	Client-built.exe
1292	Client-built.exe
4444	Client-built.exe
1416	Client-built.exe
4168	Client-built.exe
3636	Client-built.exe
4172	Client-built.exe
3100	Client-built.exe
4848	Client-built.exe
2152	Client-built.exe
1680	Client-built.exe
2168	Client-built.exe
1056	Client-built.exe
448	Client-built.exe
4256	Client-built.exe
4564	Client-built.exe
1460	Client-built.exe
4284	Client-built.exe
4024	Client-built.exe
3864	Client-built.exe
4656	Client-built.exe
4540	Client-built.exe
1520	Client-built.exe
2232	Client-built.exe
5080	Client-built.exe
2128	Client-built.exe
3408	Client-built.exe
2900	Client-built.exe
4352	Client-built.exe
2924	Client-built.exe
1908	Client-built.exe
436	Client-built.exe
2748	Client-built.exe
2508	Client-built.exe
4636	Client-built.exe
224	Client-built.exe
4820	Client-built.exe
832	Client-built.exe
4792	Client-built.exe
2696	Client-built.exe
1736	Client-built.exe
4448	Client-built.exe
4044	Client-built.exe
2720	Client-built.exe
972	Client-built.exe
5112	Client-built.exe
4412	Client-built.exe
4864	Client-built.exe
2756	Client-built.exe
4840	Client-built.exe
2052	Client-built.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 3364	2896	Client-built.exe	83
PID 2896 wrote to memory of 3364	2896	Client-built.exe	83
PID 3364 wrote to memory of 2612	3364	cmd.exe	85
PID 3364 wrote to memory of 2612	3364	cmd.exe	85
PID 3364 wrote to memory of 3624	3364	cmd.exe	86
PID 3364 wrote to memory of 3624	3364	cmd.exe	86
PID 3364 wrote to memory of 4484	3364	cmd.exe	91
PID 3364 wrote to memory of 4484	3364	cmd.exe	91
PID 4484 wrote to memory of 3128	4484	Client-built.exe	92
PID 4484 wrote to memory of 3128	4484	Client-built.exe	92
PID 3128 wrote to memory of 4988	3128	cmd.exe	95
PID 3128 wrote to memory of 4988	3128	cmd.exe	95
PID 3128 wrote to memory of 4968	3128	cmd.exe	96
PID 3128 wrote to memory of 4968	3128	cmd.exe	96
PID 3128 wrote to memory of 2072	3128	cmd.exe	99
PID 3128 wrote to memory of 2072	3128	cmd.exe	99
PID 2072 wrote to memory of 1868	2072	Client-built.exe	100
PID 2072 wrote to memory of 1868	2072	Client-built.exe	100
PID 1868 wrote to memory of 3572	1868	cmd.exe	102
PID 1868 wrote to memory of 3572	1868	cmd.exe	102
PID 1868 wrote to memory of 4476	1868	cmd.exe	103
PID 1868 wrote to memory of 4476	1868	cmd.exe	103
PID 1868 wrote to memory of 1444	1868	cmd.exe	105
PID 1868 wrote to memory of 1444	1868	cmd.exe	105
PID 1444 wrote to memory of 2344	1444	Client-built.exe	107
PID 1444 wrote to memory of 2344	1444	Client-built.exe	107
PID 2344 wrote to memory of 4252	2344	cmd.exe	109
PID 2344 wrote to memory of 4252	2344	cmd.exe	109
PID 2344 wrote to memory of 3948	2344	cmd.exe	110
PID 2344 wrote to memory of 3948	2344	cmd.exe	110
PID 2344 wrote to memory of 1944	2344	cmd.exe	111
PID 2344 wrote to memory of 1944	2344	cmd.exe	111
PID 1944 wrote to memory of 1288	1944	Client-built.exe	112
PID 1944 wrote to memory of 1288	1944	Client-built.exe	112
PID 1288 wrote to memory of 5052	1288	cmd.exe	114
PID 1288 wrote to memory of 5052	1288	cmd.exe	114
PID 1288 wrote to memory of 4584	1288	cmd.exe	115
PID 1288 wrote to memory of 4584	1288	cmd.exe	115
PID 1288 wrote to memory of 2892	1288	cmd.exe	116
PID 1288 wrote to memory of 2892	1288	cmd.exe	116
PID 2892 wrote to memory of 4172	2892	Client-built.exe	117
PID 2892 wrote to memory of 4172	2892	Client-built.exe	117
PID 4172 wrote to memory of 3112	4172	cmd.exe	119
PID 4172 wrote to memory of 3112	4172	cmd.exe	119
PID 4172 wrote to memory of 4864	4172	cmd.exe	120
PID 4172 wrote to memory of 4864	4172	cmd.exe	120
PID 4172 wrote to memory of 2096	4172	cmd.exe	121
PID 4172 wrote to memory of 2096	4172	cmd.exe	121
PID 2096 wrote to memory of 1760	2096	Client-built.exe	122
PID 2096 wrote to memory of 1760	2096	Client-built.exe	122
PID 1760 wrote to memory of 5108	1760	cmd.exe	124
PID 1760 wrote to memory of 5108	1760	cmd.exe	124
PID 1760 wrote to memory of 3144	1760	cmd.exe	125
PID 1760 wrote to memory of 3144	1760	cmd.exe	125
PID 1760 wrote to memory of 3156	1760	cmd.exe	126
PID 1760 wrote to memory of 3156	1760	cmd.exe	126
PID 3156 wrote to memory of 1072	3156	Client-built.exe	127
PID 3156 wrote to memory of 1072	3156	Client-built.exe	127
PID 1072 wrote to memory of 4148	1072	cmd.exe	129
PID 1072 wrote to memory of 4148	1072	cmd.exe	129
PID 1072 wrote to memory of 1140	1072	cmd.exe	130
PID 1072 wrote to memory of 1140	1072	cmd.exe	130
PID 1072 wrote to memory of 2260	1072	cmd.exe	131
PID 1072 wrote to memory of 2260	1072	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ALkh4WpF6qlI.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2612
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3624
- - C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hd3wYUxFnqr8.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3128
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4988
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4968
    - - C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FY63t9laV8cv.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A28maXQ06iO3.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4252
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QoGvnnnYWm1s.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3jrLeixyhWf5.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3112
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEoJbFTNHyoj.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:5108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        15⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JVDEZ7SbKiOS.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4MtaWGoc1Nle.bat" "
        18⤵
        
        PID:940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        19⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rHTTbthjmCSw.bat" "
        20⤵
        
        PID:4288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        21⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fh9t0c6pcVZo.bat" "
        22⤵
        
        PID:3572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        23⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZTnSVSoAo8K1.bat" "
        24⤵
        
        PID:1640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        25⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yObJ1hGrStuz.bat" "
        26⤵
        
        PID:5096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        27⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OhHwyVGpTC8G.bat" "
        28⤵
        
        PID:3504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4520
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        29⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAMI8lISFIGJ.bat" "
        30⤵
        
        PID:4364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:3096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        31⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c1hbIEIdljKm.bat" "
        32⤵
        
        PID:2164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:3104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        33⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w6HGtL6li3ql.bat" "
        34⤵
        
        PID:1588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:4460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        35⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X9J5KYkgr2Zj.bat" "
        36⤵
        
        PID:4944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:2248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        37⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qFiLCnWoAFV4.bat" "
        38⤵
        
        PID:2508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:1336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        39⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oitFs2vRt2SA.bat" "
        40⤵
        
        PID:4672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:4036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        41⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d2y2BP9Mc8D6.bat" "
        42⤵
        
        PID:4404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:1572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        43⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t4FkAAL3fSmi.bat" "
        44⤵
        
        PID:1456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:2756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        45⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        45⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYUl0cEOy5Vb.bat" "
        46⤵
        
        PID:5016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:4772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        47⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        47⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\76NRvUnNk6Gk.bat" "
        48⤵
        
        PID:3972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:3408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        49⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        49⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L5TfYu5d8liu.bat" "
        50⤵
        
        PID:384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:1656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        51⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        51⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9Hw4cB4SIGaK.bat" "
        52⤵
        
        PID:2156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:2804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        53⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        53⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ubxsVH5UN0vU.bat" "
        54⤵
        
        PID:4244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:2896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        55⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        55⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SZJXgcttIHCU.bat" "
        56⤵
        
        PID:1956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:1860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        57⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        57⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmky59hhYLvS.bat" "
        58⤵
        
        PID:4032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:64
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        59⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        59⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ei9QqdNCmKhE.bat" "
        60⤵
        
        PID:3904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:2204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        61⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        61⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOGZwjiLCwID.bat" "
        62⤵
        
        PID:3360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        63⤵
        
        PID:2064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        63⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        63⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7XgylpuV7UU8.bat" "
        64⤵
        
        PID:2636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        65⤵
        
        PID:1000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        65⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        65⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EDkyU1rRR6UU.bat" "
        66⤵
        
        PID:4584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        67⤵
        
        PID:116
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        67⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        67⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eFPflnWMMXsQ.bat" "
        68⤵
        
        PID:1968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        69⤵
        
        PID:3600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        69⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        69⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYfDVfCfdDNa.bat" "
        70⤵
        
        PID:4332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        71⤵
        
        PID:3580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        71⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        71⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PM28Z0EmY2Fq.bat" "
        72⤵
        
        PID:680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        73⤵
        
        PID:384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        73⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        73⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gie9zFgwdQ4B.bat" "
        74⤵
        
        PID:404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        75⤵
        
        PID:2172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        75⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        75⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UeINbQzijiPD.bat" "
        76⤵
        
        PID:3368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        77⤵
        
        PID:4764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        77⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        77⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\stJ0ADvtFXHZ.bat" "
        78⤵
        
        PID:1540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        79⤵
        
        PID:940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        79⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        79⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQAQztBcHhYc.bat" "
        80⤵
        
        PID:2972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        81⤵
        
        PID:3260
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        81⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        81⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6pJQkCmX0cXa.bat" "
        82⤵
        
        PID:4816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        83⤵
        
        PID:544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        83⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        83⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koJB7rLC11Tk.bat" "
        84⤵
        
        PID:4016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        85⤵
        
        PID:2388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        85⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        85⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N55uSDsJ1uZl.bat" "
        86⤵
        
        PID:1084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        87⤵
        
        PID:3360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        87⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        87⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xym0uq5ABqvS.bat" "
        88⤵
        
        PID:4728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        89⤵
        
        PID:1544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        89⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        89⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOQFX5Kc6f9m.bat" "
        90⤵
        
        PID:4928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        91⤵
        
        PID:3172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        91⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        91⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\70CTXjiCICpR.bat" "
        92⤵
        
        PID:3744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        93⤵
        
        PID:4744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        93⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        93⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aG7obNRMm9ND.bat" "
        94⤵
        
        PID:4356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        95⤵
        
        PID:3796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        95⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        95⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umIEgetJLkjW.bat" "
        96⤵
        
        PID:1600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        97⤵
        
        PID:4108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        97⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        97⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BLcMoCbwyeNo.bat" "
        98⤵
        
        PID:5108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        99⤵
        
        PID:404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        99⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        99⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RK7AZb6L5owJ.bat" "
        100⤵
        
        PID:2160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        101⤵
        
        PID:2248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        101⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        101⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HRecYQ08lMGV.bat" "
        102⤵
        
        PID:228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        103⤵
        
        PID:232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        103⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        103⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\37xL9Vx9b04q.bat" "
        104⤵
        
        PID:2772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        105⤵
        
        PID:1636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        105⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        105⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\osQRSeaVjN95.bat" "
        106⤵
        
        PID:1720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        107⤵
        
        PID:2800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        107⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        107⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOKuLpNL8yOB.bat" "
        108⤵
        
        PID:3476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        109⤵
        
        PID:4224
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        109⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        109⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4QZpze2nVrim.bat" "
        110⤵
        
        PID:4280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        111⤵
        
        PID:2424
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        111⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        111⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ll2Y5paPDSvU.bat" "
        112⤵
        
        PID:2636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        113⤵
        
        PID:1448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        113⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        113⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pchqqEB4fS65.bat" "
        114⤵
        
        PID:1652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        115⤵
        
        PID:1480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        115⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        115⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PzWlo3rSD4ct.bat" "
        116⤵
        
        PID:4732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        117⤵
        
        PID:3580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        117⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        117⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmD6zUJJwpAl.bat" "
        118⤵
        
        PID:4756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        119⤵
        
        PID:1572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        119⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\37xL9Vx9b04q.bat

Filesize
209B

MD5
cb3e33717d80f7a4dc0f7738d0b8cd24

SHA1
3bdb9878a4f075c76bd27d2903ae45007e092eb8

SHA256
d9bb407c5332d32eec2cba5cfd9dcd8791a4f4f17c32afc01768f85341d7f052

SHA512
c0ad2bf0f9489222ed4e0ffbc7d0a056a98f0e238d8c995f3d4f4562804457f90cb0114b23b488efa09030a6875f178410e1cb0705c51ae6890f351065bcc221

Download Submit
C:\Users\Admin\AppData\Local\Temp\3jrLeixyhWf5.bat

Filesize
209B

MD5
24108a9e28e543980664d38dc528e37e

SHA1
9915479348fb508e5cf38bd8805c413563458070

SHA256
94fff9336d574afb0220f3d5fe537e9f6432731ece66b38283e7cd17752da5c9

SHA512
21b8138eec46bc2cc39a29ec720ef2c0a85934c498b2a91cf0362d0ac6b9676ca6441ff023285413708afc13a0e8a5670f067a95f782050f2992ac53170c666a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4MtaWGoc1Nle.bat

Filesize
209B

MD5
6961d50138f1caf90a3714e926920a90

SHA1
67b0a8091eaec5dd21168e766723a84019a7a868

SHA256
6b3630dab381bd0945ab32750a9610eabf79aed9e35b26d2090ca4a1674a3f5d

SHA512
1aada7d285759f4c417689a26151ca56a332afc8978c73a8f3172f966c42d2b2320693556f9da19bf47319f3c7b2eef57b1312da747df0a93cbf4eb4e136c44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4QZpze2nVrim.bat

Filesize
209B

MD5
6e9412b29d8a2d6d6dc9018541b14282

SHA1
de597a16617f4e346d8ab7ecdff0b5c25b778fcc

SHA256
1b2b5627e856f2ceeb5226881e79f619685dcf8621d2c0aad3fc00e8d55ef3f1

SHA512
4716f22ec71f3afcb1c37acf965677536de66e8b0880941ec5936ae4582bdd28b64f3bd3cf24cdfad99b3ff2543ac0f62d4566beaa52fd2c5c7c61aab1050a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6pJQkCmX0cXa.bat

Filesize
209B

MD5
214251221bf2f80cc21d46442709c458

SHA1
468c3e73572c3d43185316e2baae6935869aebfd

SHA256
69d26a56d1409775f82c3c098334fede333afce91b54cb5deafa3457628aba0a

SHA512
b909d5f88c2290f76fac9e1339db13f0ac8fa35e498e9f4043e5b0f67b1041e9f2e4d5cf3222662794abe239e86463d2d6ff6307be5aaa80111184bd4bdc951b

Download Submit
C:\Users\Admin\AppData\Local\Temp\70CTXjiCICpR.bat

Filesize
209B

MD5
8bd0cfb323dd435c652688da46db835a

SHA1
928e64fd8317e9e5fc363e3433f8bc599cc79682

SHA256
da16bbecc4d257b4706b3787f9398974ea89d1067a87b320ddd7e0d7dc55fffb

SHA512
5b072b76b8c5526462fda072b94d29b07eadbee24006c95df55c1748b4252087b99cdcad70317e9c66118275b93c8ee8d6d449e14506879cf853fdb032cf701c

Download Submit
C:\Users\Admin\AppData\Local\Temp\76NRvUnNk6Gk.bat

Filesize
209B

MD5
0aafb0ab6d92f8d96a46aa504e1d96c4

SHA1
2b34e4e86d73474a32584396b7e7e57b11aa7ffa

SHA256
6bab34334418a107fb756f618f2477bc5a10f0c4bdd5e2e0452faec4158f46ea

SHA512
5de6642331273ee0fd17711e0bff3a63a7144bfd1a69034678eb70f2dbcc522477d6a09c55475698d462dadba79898c6ac1eea464030b9f160fcd43b242e6e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7XgylpuV7UU8.bat

Filesize
209B

MD5
8e47637040fccf057c9575cf46438546

SHA1
960fbbd401ba7642353e3d85d4ed62fcf4215b78

SHA256
f575f0539c5e9d5a1d02e49ae9e3d7fdf03019fafae73e92f99306d04c840bc4

SHA512
813d3ac8120371df3bf1830d28574d68937c3cef717d8e462ccf001f00c8db19bd9ffe64584e0e94e24197b999d9179f1bceb903cae91369e8912d019bef1e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Hw4cB4SIGaK.bat

Filesize
209B

MD5
ed7cdad9ca37c811aeb618f694deffe5

SHA1
689efdb3f4453df78a80c2cda179db7e3f4b079d

SHA256
03e5c13ecd8df24ac59fe1a8d300f94f6f7998bae3c8b998b8ab64c8177da2bc

SHA512
de5789cdb6a6bbee9a6b80a79281ca8389e3c52dac638d6f5e89565bc9dbd3c83012f0e29ddc5aba7f4f09ecce7061f6678191ad86c2d300770fe95076fcf46e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A28maXQ06iO3.bat

Filesize
209B

MD5
7785e698afe211f44b2c8de39c62140a

SHA1
16cdfc59ec943924bafb835f8ed4998eb815a876

SHA256
3297d57023de036123817072820e71b36aab83ec4296d4694dd949e03400e482

SHA512
254e22aac6eae864f26512f10216836fc326003888db0681acefb4bbd487d2c33ac8c003eaa0e170455039211a2345760a7f1401db1fade9599735386711f8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ALkh4WpF6qlI.bat

Filesize
209B

MD5
021bf8ae7101821217466b2947311239

SHA1
4951160fa242f3a62959b8398ace3b8fafc938ea

SHA256
385bf2a44cd9191878d068f559f7e9849f57a80cd154aa39a9fa3fbd1584759d

SHA512
118985753600d57f8230806dfa1cb99eed05d71f0c4180fa8a1fcc7d50d3053f76c21e838151f98a1f6030c769b823b54cfa993750bfe38bbc4bdd7b3bbeca2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLcMoCbwyeNo.bat

Filesize
209B

MD5
75e0f6c2315c732d5f5b786f343ffd3e

SHA1
8cc60784b19253bf8092d53e0f42e798a7852bdf

SHA256
031d2c523cbdcafbb346fcfc3728cfad0afedb2b9476a3b5da1809f3c0dec757

SHA512
9090de8e4dff7e5cd535057cbe48c34c4c0ea805cd006cadd30e3dd98e5a775d79fe4f6748b899c84ee0df6d9f28116b397ba7f3311a133879d140915eb41579

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYfDVfCfdDNa.bat

Filesize
209B

MD5
e8227aa64d054aeb8e3934d411663c12

SHA1
a762002a64a8058ea0c9f2837b02503f97fcf4c8

SHA256
3483eafa7cb205847160ca3d27201de3194158b4b098c3ff93f3541dd6415637

SHA512
4cb69afefd691287d63ed9689afaf6a36ce4d3f388939f3923d26b402cb78618b389086e387870a88062397df4a02197c835caaba8b1ddbedd9cd76cef99cf05

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDkyU1rRR6UU.bat

Filesize
209B

MD5
e6b64371e97709b9a311bca2ba13a2d5

SHA1
3f3ea83f86bff1c41846025c8cbc874e5fffb06f

SHA256
c2c3b31a26c5649961dcb4489f29655c5ba08d4f03f104b6f0717ea71feb1cc9

SHA512
b0d04d9a9be18c5f4ccdae1086d7506a3f3096d50d4bcfaf8e10fe08d7b3eeff62aabf36ba41e0afba9482e773f13f9a679baeb0b7ba68f35c035e813127b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYUl0cEOy5Vb.bat

Filesize
209B

MD5
08b9e2458c1e41d288e502317da9f8b8

SHA1
e5541eb9ea047ab9485825b4077c214362c22dac

SHA256
a5b8267c7cab8065bc923dd35453f88fb4ea0c9ba927321caa2cbf38bce12b67

SHA512
3b6565e77507ec64e62a7ae178c6ccc0dd82cee654474cfcd3dce9a0506e15f877514963597256febbb9b2f2006642138c6f624464932ac56a0c678b0fb76ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FY63t9laV8cv.bat

Filesize
209B

MD5
85d9513d551eab77e75c124c737dc285

SHA1
3eb24a54f3670971763a7b1ad4e5867e071363a4

SHA256
278cc2880215b52d60234171acc5eb59c53f8cf3e9d1b2a40652c158050371ea

SHA512
2b36e8906f3af2e07109861c95d2b4f6cc2e031edc1f192867307e26798f330a86fbd13132a445c582b7b388d51a5f478e3e69091cb1e597d33f6eb75e2cadac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gie9zFgwdQ4B.bat

Filesize
209B

MD5
8b1c2a23a01deca53de12a9f3778ea81

SHA1
5185649f2f6a2efb4c28fa903b0bd6d327f38e87

SHA256
b3d8f8c86a2b76ee944f2c4daae862efcd770dea124cb5b8abbcc85d337e7973

SHA512
f4f4e3387766f92817419a30bf21e720c087c65d3efa003cbee0f2c785fe005f6d9eb25ef708b110d573a0cabb01a3749bb7a77cf88296ac3d81b27757d23f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HRecYQ08lMGV.bat

Filesize
209B

MD5
237effd75c34f24c4c5df59e7bf5d5a4

SHA1
d753d9436b7881db99c3fd2575051494fa21fc21

SHA256
b1971d407c63ac60af55f4203822276ddecd9c2418c0b65ad79b26c463539bb8

SHA512
0e55a2b2e5069b90caa3b8d201ffcae863e2bdc69bfb8d0b75f979c546aa3eeb3a060a8ece8277557348d3aede7773e54001e1cd14ba57bacf6b0cb5aea4548c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hd3wYUxFnqr8.bat

Filesize
209B

MD5
3542b3eeb31876a6a9d1a673ed202a8f

SHA1
0fca286433da85c20a993e96b3fcd458c2058b14

SHA256
d234a60b0d240eebc9bfbee4e6cea14c8fe11a6e9c28dc7760a0dd58126ee98c

SHA512
6e0f4719e048f586a74f4c444de4368d64ba15793aad3c1cab30139fa910496d558a114288fd613c2f09aa80fd5b1a5792f62f3fc42de27bcc9d2b5a39365f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\JVDEZ7SbKiOS.bat

Filesize
209B

MD5
b62c9fc60dc5b833c92ce1655539a3e3

SHA1
4e35ca3df66dd9b046b1ecedcd6ca05e660d165f

SHA256
f6f0e56ef4d1de7271bb69e4fa07644b9189330b1c07b014841125ca757a541e

SHA512
8a2631b3396493b9bea6664d27d32ff87e788faa7d41b25717ff79c4b9c89c36fd943df3fb0241abc41768dadfbf985a45fa11cd86ea5be5aa504a4d9fb5f1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\L5TfYu5d8liu.bat

Filesize
209B

MD5
6c0edfce34ee53ae1e44d8cc52be7ecc

SHA1
c870548448fad5c07dff32d70508c3a5dfc4b34d

SHA256
5383f810ba8f06f78d357a88b084b102fd6a9a23791601cc4415918b22e5de99

SHA512
f702567cc241faaa61ba95a9ff7bd8b0903d455e1cf0171ec305482fd19e8239f75dda709f5a0e4bdc997115b069663733b919c502a00e431335d8e8c6756b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ll2Y5paPDSvU.bat

Filesize
209B

MD5
f549645c3ac52bfa3514d1bffcd730f3

SHA1
febaaa1fcd9bdfea9718c99de0ed058e1d2c04bb

SHA256
9e1f9ab1c3b1761608429ddc856e1a99e3c00a06a8355721b308ba11d979b3a5

SHA512
aa74715d8606b5eb10bd958d183387c6440f5ebf3b3d5f515d94d8564a5256227707a9549b18b75e598223be22d0f8678a99370719fa1193264045573d99b63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\N55uSDsJ1uZl.bat

Filesize
209B

MD5
a6dac0ffc4bef8dc652a942e7718d8d8

SHA1
bc05ef831b7e0ce83f703a726a8b6dec3968f340

SHA256
da243a7f7f2208ba1ada54a39592d8f28639857f018ba0a538554a967e22105f

SHA512
515fe6006b319d387ae04cb493d7d89d06300517365995027e5490751c96aadd23f88f87af37fbc5bf15030f4e8b59223476ae0d26073d62ea27f07249954f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OhHwyVGpTC8G.bat

Filesize
209B

MD5
ce2e544b4feb3f9524d7fb7cbe76547d

SHA1
7c75ee4edac202cc740e67f24ca745bcbfa91e38

SHA256
fdc448774d2dbd1a913362562269e6a37ce579bcdbf6f32b4f706c224a76fc69

SHA512
40fd0d5b251cd0f7a8b0fc339fab282ba8a49935946e1a35deceb077a9b8a5393c9f6bd63f5a64a78920008a86d7a33ff93672839e80dc539ac2e7b796db9e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\PM28Z0EmY2Fq.bat

Filesize
209B

MD5
e77ef089c82072c3d40cece57af12f8d

SHA1
a4e8a8e3111671947d49b7be87791c2869ee9101

SHA256
457695c19bafcd4b231357146e9b3e2e9ba6633c337f50ae0fa7b350ea13ae09

SHA512
bb771ff27f59852ab78614474d3d26dbcbf94c0578af09724967cf60deded96cd1e1e9fe5e0f58ea304237f3907703c212847fc64f3e1abd459013a7c6bab67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PzWlo3rSD4ct.bat

Filesize
209B

MD5
5703b4aa9a340557e28748799ebedc81

SHA1
4227200ee8a327fd40c1269091b6d631844d72c1

SHA256
fd12f2e8a97b9c89e4dfc4ddd8d781aed65226e0b71c26cced140ac950882bd5

SHA512
e85181007987e0870f3c399cff00385934597f21349901eac98f6fc3b2ecf4edcb03a9e7c591415d9aba04b53b306cf05470541ea0f8c7b7df7fcf3c000ce1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoGvnnnYWm1s.bat

Filesize
209B

MD5
419a46367d53d13c9de2e4b8ac582974

SHA1
368a7984a16bc4ecfe34788bb2b88dbee8d54344

SHA256
e78ece5304913c5889e228417e047bb18b3c33cbf4fa19eb37827911585527ad

SHA512
a9e89827a8b30328c9ec7051f1eea2734159e4eac95c50de18fb979c346cbf65cbba1dd65b8daf5ac75857df81e6c2b3bbff658be0c8526b5ebb47c48147e22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RK7AZb6L5owJ.bat

Filesize
209B

MD5
e2bcf813f533c18fd2942f992a996a1f

SHA1
259fcab2e9873eed9dbbd740ff354896992466db

SHA256
0000b03dde11f8a6464a11e0a28b15507ce0310293d73740b8658969e76da9d1

SHA512
5363e8aa78fe8e653a3e9d1a2bccd8661fbc75c18a66173ce649b4e53378d0c04af4940c78e71936f2e0d5709d599ee6e3bc9b81625ac86d2cfaf09770595067

Download Submit
C:\Users\Admin\AppData\Local\Temp\SOGZwjiLCwID.bat

Filesize
209B

MD5
af794b4089afed6d932fe10bbc63c789

SHA1
2a32666797691e4eff8c6746249f3b78a2e29d71

SHA256
84eb842d9cc881145bb5370c921deaa000ed6d814e31cc2eded7aa8661fb37f0

SHA512
6fe86a589282a1ee0d81db8e485a89e13e6a9b4e152e46fd68ffa403190f00b67763d670162d186c87c9d09690e767a7badf8c204c59327d0b5ced067029b5e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SZJXgcttIHCU.bat

Filesize
209B

MD5
c621bda6b0b605e03adb9e44806870b1

SHA1
d40e32332a0d99443ad6108b59612bd1ed041fb2

SHA256
64af53db870f71dc5c2551b7d688998e598887f4c694ec3544b1677e2c40be5c

SHA512
431a5a4f62a7b1134d7ac4e2bfd970a0e1a09ee39e3984ad8b4ed0a6a9947e091dadd2a0212d092762af038047f2daedfed44dc58ccb754424abd466ee5437f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UeINbQzijiPD.bat

Filesize
209B

MD5
bd74436213dad273a2229d733a7322ad

SHA1
48369bfb0c8b9bb269698e73194ac56fd3867633

SHA256
8e01aa6ccfa95a5674815d6fc09177273395568595db689198b6e24cfdf1209f

SHA512
6dfb2c4a11bca17214ce9bda28f30557e798ca8fda237e966d35c2f415c02165a22889cd5d166342ece2394e6e42b7ccbd01a09306a35112e35f75e0813b2a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\X9J5KYkgr2Zj.bat

Filesize
209B

MD5
a06872276b9bca664216735e15e173dd

SHA1
0565f601be8bf800220d2ea00a8dc9230eb86f5d

SHA256
d3528b3c81e6f7e7f703d2780ba666349dda1bd9e0f3d41e17a3a94c8fe4739a

SHA512
1348feb62db68d1588c9441fc5568d56dd666c2361f153d47de8a144b6dcdd14349369a5306aa8f045ba04f5f99fec29eba83f7e44a1453b6831d65039d726a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZTnSVSoAo8K1.bat

Filesize
209B

MD5
821ec277733bfd5794d74cdfb4f57f34

SHA1
5abe1081cb3b67065a7ea549b015b1e9dd952142

SHA256
2f4f2a7232c46f127e035f5d0e91beae46a28c19f71dd725011238de7e01a229

SHA512
5942bac574d463c8db6aa203491e694fe6cf2ac22ba9b1e62475fc5f5368596c0f2096fbff611442811b3aa9586b1c8b83c6c2e0c96d8ab0933d6fcadfdd5526

Download Submit
C:\Users\Admin\AppData\Local\Temp\aG7obNRMm9ND.bat

Filesize
209B

MD5
afd817b852ef092a3a1325276e2f6806

SHA1
44828e525915fb07dc85061d0350d0543625ee90

SHA256
5ef7424b41ae4a45d6f06860002cfac5b4233f57bb7538d92398c0fcac7c4762

SHA512
a626e139e08403fdc52d59ee2e556cde3f75228ffdc70a461ec0ac4bc619ad7d340a321ebfa9ae082f82853bc939a00843a9bd9dc96b029dc168c9fd36d2ba3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1hbIEIdljKm.bat

Filesize
209B

MD5
42d52f47dd9fe5351054a7c3a63505e2

SHA1
aa88a1638821bd1398e869adbb061b1c78a53298

SHA256
1013d9a590494233bc1597eebaa5c72eb0684c359e40e1cf30940133bc9fb697

SHA512
d36497d3a037928645d27f6fe98715f19d93366a11acb6651d87c1c6d9894fe1712b4dab79af35cd257d768d9a45db57d1a9c3c4b9717970c977f954f6c7d261

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2y2BP9Mc8D6.bat

Filesize
209B

MD5
5f6ea6f34c661bc33899bfc07d73b1d3

SHA1
0373988c25b119d88187b9ba595346f14982ca84

SHA256
b0232a632a9e76dea6e41681ccda7545a412eb2692890340d30cb7febffba94b

SHA512
12959dd7c3ca8ef85043e411513cbe4e1c0495268b9a4e9b7fd2877b9733b15773c66915bb4a37465c5a14773c4116a8468f736f735d6fd0c9fa0db03d0a5d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQAQztBcHhYc.bat

Filesize
209B

MD5
140140a871651392d56e2856906df67a

SHA1
73fb9854f262763b877a33a27e5429799ae82b45

SHA256
0f37b4971d682f08e76e55c7c102599ef94f6a63b1119745849189458b428776

SHA512
2927bfe279ac8001db085f247488ef6975c4bc855abf30882e5e933fbdcf353278346a2578750ffaf03eae69ed93ecce09f7762e9ca460a6ade8618c8a7d11f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEoJbFTNHyoj.bat

Filesize
209B

MD5
e5228c4293e2fde483bec7a432ac0f9a

SHA1
a283a1d7d17619f0c4d50a9ea5858fdf186fb9ef

SHA256
d0777e07dc3d180da8d3c6fcac0fe31c777969675546b4648eb7a07b00a374ae

SHA512
a8f371d6426b7ea722141148830075ad2de35474ed8067222224a93e654f8f4ba099af75ca2945125b3dbfc7ce695bd7b1f7b7a7026c70949d0d9e8bf53aa37e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eFPflnWMMXsQ.bat

Filesize
209B

MD5
c81b4043eb18bb7a9abe3de5edc44474

SHA1
3b7251c95a620caf296b483715e306ca5397d04e

SHA256
455ae660da9ac24470c0f597388fa9533f4e6d2fd14dbcfd2f1ab041c445c19e

SHA512
b254861c713fd19f24565b9f99e04adf615590e6a8081dfa7bf262e1812d80d54dbae793e1f10588d3749e67aa123e0ec3e528060ca8d5ba6e6fd2788ff878a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ei9QqdNCmKhE.bat

Filesize
209B

MD5
b666ebd788cbb4d73756d057f1ac6015

SHA1
bc29b15e9cc46e88d85b37005bb1576abb2b119e

SHA256
f2dfe8a4a0b15f6c0a69c745f0d0da77a159782e88593350531daa3c24b4c480

SHA512
f9f3a1de3380fc09bd5b1c6f895420e3df82cf7382282884bb1a877b365365d995d3ec01056298cd223fde6b16efc9ce3507f4fe86b80f81e5e18277a99e56aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\fOQFX5Kc6f9m.bat

Filesize
209B

MD5
af972182b679aa0ab448dffeaff8d61c

SHA1
bd8f287b75bbdf406e56fecaa8ae849348ed4afb

SHA256
dcde79ed1de8c819f4aa6420c6fb2f3e7b3474d9817f95367c4107a7009d11a0

SHA512
9317288972839e2c5e73b6863a661d86639854019f98532dbcc57a49074abc81590ee4bacbcaadf1fe01f23b27fe636da79b8b1199fdc632f68529569b037ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fh9t0c6pcVZo.bat

Filesize
209B

MD5
38e7f3d91d92659530d9556a42a958a6

SHA1
a4b74821cf03c2fdd4e6bbba850599752855a187

SHA256
5f1d91367e79dfc61d246d1dd253f726d91afdf90fb62f60da668396dcadb353

SHA512
dc9be546beda65d2d6847128c7d89d780c40a76613bef88b5a34b31b6dd0aeea90b90a121bc9404067696448ebbccc515c07bfaa6f0191663eafdcc5a546e909

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAMI8lISFIGJ.bat

Filesize
209B

MD5
342500b19167a58600cc3df2a1bfb6f5

SHA1
8e026b27232145778bcff96d6c621dfadd8db7dc

SHA256
8bf134cfbde33e43bf2430f173de45330c8973b3da1d9ccde3d099c96ae542da

SHA512
b8e6378473ff8a07519216b1fdb75028bc6e744ef90c5e8e22231f5a6fd7bfe08b6e8bfe76d252091c14c251389628173d8737c5f3401b951a30ca8ad061902b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmD6zUJJwpAl.bat

Filesize
209B

MD5
4a0763979ae33057f770c339e10e5820

SHA1
2f488fd9951ff5123b87db5c901ce396efe25699

SHA256
4a2b11b580cc92d1578b544a42cd7483cc3fc8448b72864d44a2f6ad5cbcf39a

SHA512
28bcf969b96f2d5a002e50caf0e4bfa39111e3153eb4f8a11bc2274d18145c4756e8890b3e235869d6fc0416d84f3700c90f64dfe14053921bf25d716804338f

Download Submit
C:\Users\Admin\AppData\Local\Temp\koJB7rLC11Tk.bat

Filesize
209B

MD5
a07344e7943b78c074ffe16377f9798a

SHA1
0c6156ca61ba21a0104e8730278466ab6da546fc

SHA256
7f7c577fe261450a506a36a9def848d54d88e694353191394748240bdd5a388d

SHA512
c59b6f4a754f1484febee745c6dafa6928dd683aad4d1e4315657538ec089bb22fb16d642a45ec6b5aaa090b32008535e6066d2bdb4473390ce1fbdcf99751e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oitFs2vRt2SA.bat

Filesize
209B

MD5
add03579cd9a7ef3b0f8a4cb544d4dd9

SHA1
b6efe73b01a49f2ba7bf7bdfcbdeb6813e15de17

SHA256
27c9153ba19885cf1d61361d76cb8f41bc7318c8166d3d6abcc80dee7d9565a3

SHA512
79d8eb4996893af781355d59a68deb3bd56a11cee51045ad60f2e7e5d38bef9b8e37fdf43252b89db77a15d91b9934f1f8dc9fab6ec7d5fd03d8f76b3eb115fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osQRSeaVjN95.bat

Filesize
209B

MD5
4c51c32880b1de1704d56d3f4fa1db47

SHA1
44f9dd0a4ead7dbfe3ab98ad1e5594cc28bb9acc

SHA256
bf6a1c45a792aa636a9470f5c24f5a23f00e1e63e78ffd3c858ffa9030e64c94

SHA512
1cae302939d2cfaf22c2adf94d0270c59a75799f98dba0c6be7126812f73b06de10ace232c175e893aab4a9b0245649c6745da6529971c8ec608e47ca60b26ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\pchqqEB4fS65.bat

Filesize
209B

MD5
a7f3c96d1107bd9cd01e2ac0ab1cfede

SHA1
038b9ae1a6cc4d97e01c4019e11f01af3b47252b

SHA256
7dd4bbc843ba3bc3d903368af50c914422798cbbcea8b68839c661d73f25ade7

SHA512
2f75c843de6f43255815ca1e54f567c0cbfe618c66549f8b80b0688eeb910f02db2b3dd26bbc7a127260d5cee746821a856c35c067a8cd46116afbc33e5c5837

Download Submit
C:\Users\Admin\AppData\Local\Temp\qFiLCnWoAFV4.bat

Filesize
209B

MD5
459f02f344905a00b60e0e34e8f957e2

SHA1
d37335b51fe3e0813d5da842b9cc5c69d244be9a

SHA256
2442e6039de6b6dc58c12363f45c0b0bbdd55df9864c7fc68ad47cf156eed334

SHA512
549f4022f438769e96f11c211ccb39b43fc28762b94074d81b11ae6f7ffd2d4c278947e3c84fedbcff7d2e18185f7da342406d53d2c3eb0e4fe0643f7454a250

Download Submit
C:\Users\Admin\AppData\Local\Temp\qOKuLpNL8yOB.bat

Filesize
209B

MD5
4253d5650e84dfb807314e85bf0af2d9

SHA1
6b6b1739548389f17ec0d2e7d24d0205aff6990a

SHA256
5d5b40fa15bb4e00a2df3af4d9eb7561b598f6ef1c036dc24f40acefe13e6f58

SHA512
fb76062bb68e6c3a8871d9bede6ad42288723fe31939959c26a22534b035caf8ff79706e17048b64a48b37d86f063a5dad2023454b0fce19df155b925f750814

Download Submit
C:\Users\Admin\AppData\Local\Temp\rHTTbthjmCSw.bat

Filesize
209B

MD5
b9f9513ee3d80df3fa6353b3a4964925

SHA1
3caa5e76579eb74adab5554950c458e2cf30d3d2

SHA256
e431195209951514ce97cb7ea3fa07b82716d00fc22dfc9d1aacfe6f345fe7af

SHA512
91a26489c8a84440e00e6f0a6b7e94bf4c1021a0bae0e61df5957de832c92016eccf3b580f8b8f027846669ede997fd7be986305f0d5b6f781a06a5215fa7cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\stJ0ADvtFXHZ.bat

Filesize
209B

MD5
867730749e33fb8f61eed00e092860d2

SHA1
3f617389327281bf8e2feb863cfc0049ac4607b6

SHA256
a81626121932114a30570f3e4f51d282f9f9ced56d7292d958b86e61b619fb71

SHA512
c142e907407f018f6cb24b099af0a4ec4c549cb490613c1dab44b10b0c89aa6953552cacd6cb5caddf218a59d7c77bd47538885941a15000f653cc91e3b6b6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\t4FkAAL3fSmi.bat

Filesize
209B

MD5
8b5b893047a2db0dd9bd84b37d9adffe

SHA1
0ad6d5f800fd466d1e000f0fc142b172cfc83e16

SHA256
b22726450de9740b74ab40dd15cc04959b711a26fd220aaaccea85a4cdf0576a

SHA512
a581427d6082ff32302cf536d0174e6595ecd5b9b103c8b04bdceeb676b1524f239e8a8681ac4bba015152dae7272de89b2d2fec1c19730816ac61a0a356af38

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubxsVH5UN0vU.bat

Filesize
209B

MD5
18fbf46c596800d18a3d2592d4253378

SHA1
23a0385e0b5a4bc0229e01f0bc232cae1b290964

SHA256
adc56b4d20e1102678878d550ec63fdee546c253160d85b72616d30faefcfb74

SHA512
5c91a278049df6e7a15a6d92c0add4e2e714da4c78eeffc98a8a2d4b128ea3164cf4cdfbeecb0785c6dd2ba32c82e926656ddace501d9faaeb8226fd90e7dce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\umIEgetJLkjW.bat

Filesize
209B

MD5
bdf5c2758a6648e13bf7d23093434c64

SHA1
c998baa387b3afe5621e6b4505caf56c2e239612

SHA256
ba89e04b6bf4e4588465bef3dd0d284a747a6e798c388f3a55b2cd786c7388ca

SHA512
656213c863c2dab62086a277b27bd57c4758157e023d24d45620680d3f486b0f2bb98479977cb4aade9479999142e3e67f7ea0077509980a4399fd3f0d313b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmky59hhYLvS.bat

Filesize
209B

MD5
52c2ed64c3c178915e301ea12644c0db

SHA1
e13c45c0e795bd9645e33ccc0fca9fc886a04ce0

SHA256
cf7d87ef8e9c5a73d1e690e1c04de94c1c2e2affb0eac7c6df8b6fb46a8147c9

SHA512
84806b5ffa933a10cdae48bdcc92d7709518db6a016b31539c9395a966d203c30a3dbad88bfa1b0e7d3ed0dcdd5a67bdc6040698abb44996d514b98ad01f4ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\w6HGtL6li3ql.bat

Filesize
209B

MD5
c19134337cf0a872919ae75eabef4b13

SHA1
7747bf94aac974cda8ea65496dc35f27a0dbff69

SHA256
df69eb2e97f5f03c441f89c04137b3052d035b68e00452b2460d0a3d91baf200

SHA512
e8aee016404cdda70552244f7c1835e1b7dc26d7abce918fef659d2ebaf8e45b0d55848e35b567f03f3b56c301ad6f58324ae640242ac16600b76eb6770929b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xym0uq5ABqvS.bat

Filesize
209B

MD5
f1a6a9e7443bcd489498db70745f827e

SHA1
3f12af2b1a54b9d1b68241a768b8623c18eca100

SHA256
51c739b607fafe64c1c626233dc76e3303c6830c9ebc422f1f94b9ea8b03d8dc

SHA512
80355b7d360b752d9aa3f89d6e6ded957acf48d6893d3e4b28bae1ae6b291e3589861fcf0b7a25077d7fd4511b0dcadd1d1faa8605196b09d50f071029e5dfc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yObJ1hGrStuz.bat

Filesize
209B

MD5
844ee30ba955f7ddb1a809efa1620a38

SHA1
4a00f525c018704db2a4248d56090f8d7604dfef

SHA256
381bfe22c85cf7f04a4981dcf91acea42d8e47c301f76f66f044aa87565e6dd9

SHA512
6cc71214d594e201a23fa100feee0eb9d56068f355038ea210144d68f00af5a0457cb95a92bd9656b8c2224eab2442b7dc0daedea167d06f4c3704c5ec28409e

Download Submit
memory/2896-1-0x0000000000F70000-0x0000000001294000-memory.dmp

Filesize
3.1MB

Download
memory/2896-2-0x00007FFC76C40000-0x00007FFC77701000-memory.dmp

Filesize
10.8MB

Download
memory/2896-3-0x000000001E200000-0x000000001E250000-memory.dmp

Filesize
320KB

Download
memory/2896-0-0x00007FFC76C43000-0x00007FFC76C45000-memory.dmp

Filesize
8KB

Download
memory/2896-4-0x000000001E310000-0x000000001E3C2000-memory.dmp

Filesize
712KB

Download
memory/2896-9-0x00007FFC76C40000-0x00007FFC77701000-memory.dmp

Filesize
10.8MB

Download
memory/4484-17-0x00007FFC768F0000-0x00007FFC773B1000-memory.dmp

Filesize
10.8MB

Download
memory/4484-12-0x00007FFC768F0000-0x00007FFC773B1000-memory.dmp

Filesize
10.8MB

Download
memory/4484-13-0x00007FFC768F0000-0x00007FFC773B1000-memory.dmp

Filesize
10.8MB

Download