quasar | 811d675d1d10e959f6e3ccc53781cbfbc09e410d3e289f6506414e6b014d1f50

Analysis

max time kernel
596s
max time network
423s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

d7ec9eb9526d50e9c789721d4810573f
SHA1

4bf49edc9dc4b7874e184bc9da076d60b18ce5a0
SHA256

811d675d1d10e959f6e3ccc53781cbfbc09e410d3e289f6506414e6b014d1f50
SHA512

7e521edcef37b4d62289db66f8d186a4d88fd9dd7b0f8c806958e6de22c32f7c19c7c1751dfe87aa7f8bc19bd40c1ad45a5361c07d635fb11d370614f614932b
SSDEEP

49152:PvAG42pda6D+/PjlLOlg6yQipVu6RJ6PbR3LoGd9THHB72eh2NT:PvD42pda6D+/PjlLOlZyQipVu6RJ6h

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

https://stable-notably-hound.ngrok-free.app:4782

Mutex

c081fec6-ee48-4448-b981-5f88e601e91e

Attributes

encryption_key
A5F0EE2DBE7A3009387617912AFB48C127E2B576
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/1260-1-0x0000000000570000-0x0000000000894000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 59 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 59 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2896	PING.EXE
3456	PING.EXE
3196	PING.EXE
4540	PING.EXE
2280	PING.EXE
4864	PING.EXE
1184	PING.EXE
2284	PING.EXE
1576	PING.EXE
2648	PING.EXE
1636	PING.EXE
776	PING.EXE
1960	PING.EXE
2564	PING.EXE
552	PING.EXE
2152	PING.EXE
3384	PING.EXE
2932	PING.EXE
2084	PING.EXE
2044	PING.EXE
3092	PING.EXE
396	PING.EXE
3452	PING.EXE
2244	PING.EXE
4620	PING.EXE
3024	PING.EXE
3856	PING.EXE
1468	PING.EXE
32	PING.EXE
2260	PING.EXE
3020	PING.EXE
2884	PING.EXE
1144	PING.EXE
3884	PING.EXE
3016	PING.EXE
3092	PING.EXE
2896	PING.EXE
2532	PING.EXE
1628	PING.EXE
2868	PING.EXE
2324	PING.EXE
3196	PING.EXE
4768	PING.EXE
1256	PING.EXE
4224	PING.EXE
1140	PING.EXE
4080	PING.EXE
2248	PING.EXE
2880	PING.EXE
1464	PING.EXE
608	PING.EXE
3956	PING.EXE
1628	PING.EXE
3796	PING.EXE
868	PING.EXE
4668	PING.EXE
4560	PING.EXE
2300	PING.EXE
116	PING.EXE

Runs ping.exe 1 TTPs 59 IoCs

Remote System Discovery

T1018

pid	Process
2248	PING.EXE
4540	PING.EXE
3024	PING.EXE
2260	PING.EXE
3456	PING.EXE
3020	PING.EXE
3092	PING.EXE
3196	PING.EXE
1576	PING.EXE
4768	PING.EXE
4224	PING.EXE
396	PING.EXE
552	PING.EXE
2648	PING.EXE
2324	PING.EXE
1636	PING.EXE
116	PING.EXE
2896	PING.EXE
1628	PING.EXE
1184	PING.EXE
2880	PING.EXE
3796	PING.EXE
2532	PING.EXE
4620	PING.EXE
2044	PING.EXE
3384	PING.EXE
3092	PING.EXE
868	PING.EXE
3452	PING.EXE
1464	PING.EXE
3856	PING.EXE
2884	PING.EXE
2152	PING.EXE
3884	PING.EXE
2280	PING.EXE
608	PING.EXE
2932	PING.EXE
3196	PING.EXE
1256	PING.EXE
2896	PING.EXE
1468	PING.EXE
2284	PING.EXE
32	PING.EXE
1628	PING.EXE
1960	PING.EXE
4080	PING.EXE
2564	PING.EXE
4560	PING.EXE
2084	PING.EXE
3016	PING.EXE
2300	PING.EXE
776	PING.EXE
1144	PING.EXE
4864	PING.EXE
3956	PING.EXE
2868	PING.EXE
1140	PING.EXE
2244	PING.EXE
4668	PING.EXE

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeDebugPrivilege	1260	Client-built.exe
Token: SeDebugPrivilege	5084	Client-built.exe
Token: SeDebugPrivilege	3300	Client-built.exe
Token: SeDebugPrivilege	4856	Client-built.exe
Token: SeDebugPrivilege	404	Client-built.exe
Token: SeDebugPrivilege	5060	Client-built.exe
Token: SeDebugPrivilege	2136	Client-built.exe
Token: SeDebugPrivilege	448	Client-built.exe
Token: SeDebugPrivilege	4108	Client-built.exe
Token: SeDebugPrivilege	1520	Client-built.exe
Token: SeDebugPrivilege	2492	Client-built.exe
Token: SeDebugPrivilege	2276	Client-built.exe
Token: SeDebugPrivilege	720	Client-built.exe
Token: SeDebugPrivilege	1736	Client-built.exe
Token: SeDebugPrivilege	4600	Client-built.exe
Token: SeDebugPrivilege	3624	Client-built.exe
Token: SeDebugPrivilege	836	Client-built.exe
Token: SeDebugPrivilege	4260	Client-built.exe
Token: SeDebugPrivilege	4048	Client-built.exe
Token: SeDebugPrivilege	1748	Client-built.exe
Token: SeDebugPrivilege	3836	Client-built.exe
Token: SeDebugPrivilege	388	Client-built.exe
Token: SeDebugPrivilege	3100	Client-built.exe
Token: SeDebugPrivilege	3796	Client-built.exe
Token: SeDebugPrivilege	4220	Client-built.exe
Token: SeDebugPrivilege	2040	Client-built.exe
Token: SeDebugPrivilege	2892	Client-built.exe
Token: SeDebugPrivilege	1828	Client-built.exe
Token: SeDebugPrivilege	1920	Client-built.exe
Token: SeDebugPrivilege	968	Client-built.exe
Token: SeDebugPrivilege	2252	Client-built.exe
Token: SeDebugPrivilege	3920	Client-built.exe
Token: SeDebugPrivilege	2704	Client-built.exe
Token: SeDebugPrivilege	4772	Client-built.exe
Token: SeDebugPrivilege	4380	Client-built.exe
Token: SeDebugPrivilege	224	Client-built.exe
Token: SeDebugPrivilege	4720	Client-built.exe
Token: SeDebugPrivilege	3604	Client-built.exe
Token: SeDebugPrivilege	3288	Client-built.exe
Token: SeDebugPrivilege	1956	Client-built.exe
Token: SeDebugPrivilege	4436	Client-built.exe
Token: SeDebugPrivilege	1952	Client-built.exe
Token: SeDebugPrivilege	2052	Client-built.exe
Token: SeDebugPrivilege	1712	Client-built.exe
Token: SeDebugPrivilege	736	Client-built.exe
Token: SeDebugPrivilege	4976	Client-built.exe
Token: SeDebugPrivilege	1028	Client-built.exe
Token: SeDebugPrivilege	1596	Client-built.exe
Token: SeDebugPrivilege	3516	Client-built.exe
Token: SeDebugPrivilege	3808	Client-built.exe
Token: SeDebugPrivilege	3668	Client-built.exe
Token: SeDebugPrivilege	3356	Client-built.exe
Token: SeDebugPrivilege	2608	Client-built.exe
Token: SeDebugPrivilege	4284	Client-built.exe
Token: SeDebugPrivilege	1300	Client-built.exe
Token: SeDebugPrivilege	3024	Client-built.exe
Token: SeDebugPrivilege	436	Client-built.exe
Token: SeDebugPrivilege	932	Client-built.exe
Token: SeDebugPrivilege	2616	Client-built.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
1260	Client-built.exe
5084	Client-built.exe
3300	Client-built.exe
4856	Client-built.exe
404	Client-built.exe
5060	Client-built.exe
2136	Client-built.exe
448	Client-built.exe
4108	Client-built.exe
1520	Client-built.exe
2492	Client-built.exe
2276	Client-built.exe
720	Client-built.exe
1736	Client-built.exe
4600	Client-built.exe
3624	Client-built.exe
836	Client-built.exe
4260	Client-built.exe
4048	Client-built.exe
1748	Client-built.exe
3836	Client-built.exe
388	Client-built.exe
3100	Client-built.exe
3796	Client-built.exe
4220	Client-built.exe
2040	Client-built.exe
2892	Client-built.exe
1828	Client-built.exe
1920	Client-built.exe
968	Client-built.exe
2252	Client-built.exe
3920	Client-built.exe
2704	Client-built.exe
4772	Client-built.exe
4380	Client-built.exe
224	Client-built.exe
4720	Client-built.exe
3604	Client-built.exe
3288	Client-built.exe
1956	Client-built.exe
4436	Client-built.exe
1952	Client-built.exe
2052	Client-built.exe
1712	Client-built.exe
736	Client-built.exe
4976	Client-built.exe
1028	Client-built.exe
1596	Client-built.exe
3516	Client-built.exe
3808	Client-built.exe
3668	Client-built.exe
3356	Client-built.exe
2608	Client-built.exe
4284	Client-built.exe
1300	Client-built.exe
3024	Client-built.exe
436	Client-built.exe
932	Client-built.exe
2616	Client-built.exe

Suspicious use of SendNotifyMessage 59 IoCs

pid	Process
1260	Client-built.exe
5084	Client-built.exe
3300	Client-built.exe
4856	Client-built.exe
404	Client-built.exe
5060	Client-built.exe
2136	Client-built.exe
448	Client-built.exe
4108	Client-built.exe
1520	Client-built.exe
2492	Client-built.exe
2276	Client-built.exe
720	Client-built.exe
1736	Client-built.exe
4600	Client-built.exe
3624	Client-built.exe
836	Client-built.exe
4260	Client-built.exe
4048	Client-built.exe
1748	Client-built.exe
3836	Client-built.exe
388	Client-built.exe
3100	Client-built.exe
3796	Client-built.exe
4220	Client-built.exe
2040	Client-built.exe
2892	Client-built.exe
1828	Client-built.exe
1920	Client-built.exe
968	Client-built.exe
2252	Client-built.exe
3920	Client-built.exe
2704	Client-built.exe
4772	Client-built.exe
4380	Client-built.exe
224	Client-built.exe
4720	Client-built.exe
3604	Client-built.exe
3288	Client-built.exe
1956	Client-built.exe
4436	Client-built.exe
1952	Client-built.exe
2052	Client-built.exe
1712	Client-built.exe
736	Client-built.exe
4976	Client-built.exe
1028	Client-built.exe
1596	Client-built.exe
3516	Client-built.exe
3808	Client-built.exe
3668	Client-built.exe
3356	Client-built.exe
2608	Client-built.exe
4284	Client-built.exe
1300	Client-built.exe
3024	Client-built.exe
436	Client-built.exe
932	Client-built.exe
2616	Client-built.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 4888	1260	Client-built.exe	82
PID 1260 wrote to memory of 4888	1260	Client-built.exe	82
PID 4888 wrote to memory of 2880	4888	cmd.exe	84
PID 4888 wrote to memory of 2880	4888	cmd.exe	84
PID 4888 wrote to memory of 3196	4888	cmd.exe	85
PID 4888 wrote to memory of 3196	4888	cmd.exe	85
PID 4888 wrote to memory of 5084	4888	cmd.exe	92
PID 4888 wrote to memory of 5084	4888	cmd.exe	92
PID 5084 wrote to memory of 776	5084	Client-built.exe	95
PID 5084 wrote to memory of 776	5084	Client-built.exe	95
PID 776 wrote to memory of 772	776	cmd.exe	97
PID 776 wrote to memory of 772	776	cmd.exe	97
PID 776 wrote to memory of 1256	776	cmd.exe	98
PID 776 wrote to memory of 1256	776	cmd.exe	98
PID 776 wrote to memory of 3300	776	cmd.exe	99
PID 776 wrote to memory of 3300	776	cmd.exe	99
PID 3300 wrote to memory of 4284	3300	Client-built.exe	100
PID 3300 wrote to memory of 4284	3300	Client-built.exe	100
PID 4284 wrote to memory of 4440	4284	cmd.exe	102
PID 4284 wrote to memory of 4440	4284	cmd.exe	102
PID 4284 wrote to memory of 2896	4284	cmd.exe	103
PID 4284 wrote to memory of 2896	4284	cmd.exe	103
PID 4284 wrote to memory of 4856	4284	cmd.exe	105
PID 4284 wrote to memory of 4856	4284	cmd.exe	105
PID 4856 wrote to memory of 3992	4856	Client-built.exe	106
PID 4856 wrote to memory of 3992	4856	Client-built.exe	106
PID 3992 wrote to memory of 1692	3992	cmd.exe	108
PID 3992 wrote to memory of 1692	3992	cmd.exe	108
PID 3992 wrote to memory of 4540	3992	cmd.exe	109
PID 3992 wrote to memory of 4540	3992	cmd.exe	109
PID 3992 wrote to memory of 404	3992	cmd.exe	111
PID 3992 wrote to memory of 404	3992	cmd.exe	111
PID 404 wrote to memory of 5116	404	Client-built.exe	112
PID 404 wrote to memory of 5116	404	Client-built.exe	112
PID 5116 wrote to memory of 4160	5116	cmd.exe	114
PID 5116 wrote to memory of 4160	5116	cmd.exe	114
PID 5116 wrote to memory of 3092	5116	cmd.exe	115
PID 5116 wrote to memory of 3092	5116	cmd.exe	115
PID 5116 wrote to memory of 5060	5116	cmd.exe	116
PID 5116 wrote to memory of 5060	5116	cmd.exe	116
PID 5060 wrote to memory of 4800	5060	Client-built.exe	117
PID 5060 wrote to memory of 4800	5060	Client-built.exe	117
PID 4800 wrote to memory of 1612	4800	cmd.exe	119
PID 4800 wrote to memory of 1612	4800	cmd.exe	119
PID 4800 wrote to memory of 4224	4800	cmd.exe	120
PID 4800 wrote to memory of 4224	4800	cmd.exe	120
PID 4800 wrote to memory of 2136	4800	cmd.exe	121
PID 4800 wrote to memory of 2136	4800	cmd.exe	121
PID 2136 wrote to memory of 2040	2136	Client-built.exe	122
PID 2136 wrote to memory of 2040	2136	Client-built.exe	122
PID 2040 wrote to memory of 4376	2040	cmd.exe	124
PID 2040 wrote to memory of 4376	2040	cmd.exe	124
PID 2040 wrote to memory of 1628	2040	cmd.exe	125
PID 2040 wrote to memory of 1628	2040	cmd.exe	125
PID 2040 wrote to memory of 448	2040	cmd.exe	126
PID 2040 wrote to memory of 448	2040	cmd.exe	126
PID 448 wrote to memory of 1568	448	Client-built.exe	127
PID 448 wrote to memory of 1568	448	Client-built.exe	127
PID 1568 wrote to memory of 2864	1568	cmd.exe	129
PID 1568 wrote to memory of 2864	1568	cmd.exe	129
PID 1568 wrote to memory of 2880	1568	cmd.exe	130
PID 1568 wrote to memory of 2880	1568	cmd.exe	130
PID 1568 wrote to memory of 4108	1568	cmd.exe	131
PID 1568 wrote to memory of 4108	1568	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kvJEkWB00Go0.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2880
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3196
- - C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWdYiI5QzPX4.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:776
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:772
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1256
    - - C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3300
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmVLhmq3K68o.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuZYhc9mtwkv.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSMHMynUsM6W.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GHCX1JQlMv8T.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LXBsjEXXB71F.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        15⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m3Gx4DURRoAg.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKrcIbSThsuo.bat" "
        18⤵
        
        PID:948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        19⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wl07VD2wwewI.bat" "
        20⤵
        
        PID:4388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        21⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xD7RdCasz8N3.bat" "
        22⤵
        
        PID:3816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:808
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        23⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2T7tkeiTW2xW.bat" "
        24⤵
        
        PID:432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        25⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6CB2GKRa28Lt.bat" "
        26⤵
        
        PID:3420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        27⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tRP3nODn8SXK.bat" "
        28⤵
        
        PID:2900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4312
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        29⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JE3LwUE7uI1s.bat" "
        30⤵
        
        PID:2560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        31⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\53MpdghRGjwd.bat" "
        32⤵
        
        PID:2968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:2040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        33⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PuhKdNh9m1QO.bat" "
        34⤵
        
        PID:3704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:4532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        35⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F8P8wsN1pwEO.bat" "
        36⤵
        
        PID:4212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:2436
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        37⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuaAkZFpTq96.bat" "
        38⤵
        
        PID:3196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:3324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        39⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\af2eQeiedRpS.bat" "
        40⤵
        
        PID:4388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:1660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        41⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V3hbUPu53g3k.bat" "
        42⤵
        
        PID:4284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:1216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        43⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\00yJi56wdFN7.bat" "
        44⤵
        
        PID:5056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:4304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        45⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        45⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIcuYBptPsTp.bat" "
        46⤵
        
        PID:4864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:4044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        47⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        47⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7w2MfSsW3G2I.bat" "
        48⤵
        
        PID:1452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        49⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        49⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcmYu6UPDeU3.bat" "
        50⤵
        
        PID:3904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:5104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        51⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        51⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qHp8ehJUrXxd.bat" "
        52⤵
        
        PID:2876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:2160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        53⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        53⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xlOg3FhVOT5G.bat" "
        54⤵
        
        PID:4968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:1048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        55⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        55⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iL5VLlmN3g7J.bat" "
        56⤵
        
        PID:2268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:3364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        57⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        57⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUoqXECi8ujY.bat" "
        58⤵
        
        PID:1240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:1956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        59⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        59⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D04v27ERfKVX.bat" "
        60⤵
        
        PID:3212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:2280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        61⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        61⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCug3C619WyD.bat" "
        62⤵
        
        PID:1216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        63⤵
        
        PID:2084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        63⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        63⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i2Qg6yvKSmS7.bat" "
        64⤵
        
        PID:736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        65⤵
        
        PID:5056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        65⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        65⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XjlrMbQJW8MJ.bat" "
        66⤵
        
        PID:4776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        67⤵
        
        PID:4004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        67⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        67⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0zncIS4ueqb7.bat" "
        68⤵
        
        PID:2248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        69⤵
        
        PID:2064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        69⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        69⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ts5BXC60LMbE.bat" "
        70⤵
        
        PID:1488
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        71⤵
        
        PID:992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        71⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        71⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7KozjBEAIvUH.bat" "
        72⤵
        
        PID:4460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        73⤵
        
        PID:3136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        73⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        73⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qThMntd8QsCH.bat" "
        74⤵
        
        PID:452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        75⤵
        
        PID:2340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        75⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        75⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\frbvbQZuyzjK.bat" "
        76⤵
        
        PID:2504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        77⤵
        
        PID:2760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        77⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        77⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foh68CzJAyEE.bat" "
        78⤵
        
        PID:4768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        79⤵
        
        PID:4064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        79⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        79⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sijBv508xUST.bat" "
        80⤵
        
        PID:4248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        81⤵
        
        PID:3476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        81⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        81⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TjJeS9yuAUbp.bat" "
        82⤵
        
        PID:4588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        83⤵
        
        PID:1492
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        83⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        83⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bFEgFOVqZ41B.bat" "
        84⤵
        
        PID:4216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        85⤵
        
        PID:5108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        85⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        85⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uNfnhdMUtfra.bat" "
        86⤵
        
        PID:1652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        87⤵
        
        PID:2528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        87⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        87⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iim0XoscbuTl.bat" "
        88⤵
        
        PID:1436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        89⤵
        
        PID:4228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        89⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        89⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FStqijGjgjV5.bat" "
        90⤵
        
        PID:64
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        91⤵
        
        PID:3168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        91⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        91⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ilVP9gT2oQYc.bat" "
        92⤵
        
        PID:1640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        93⤵
        
        PID:2836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        93⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        93⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uZQwmXPDlB3f.bat" "
        94⤵
        
        PID:4388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        95⤵
        
        PID:772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        95⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        95⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4YlaeIsluTNa.bat" "
        96⤵
        
        PID:3136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        97⤵
        
        PID:1628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        97⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        97⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQxRJCkR7m4V.bat" "
        98⤵
        
        PID:1840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        99⤵
        
        PID:452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        99⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        99⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LjTViHzMm3FR.bat" "
        100⤵
        
        PID:432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        101⤵
        
        PID:4560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        101⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        101⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GhrhIYsbSIJr.bat" "
        102⤵
        
        PID:3664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        103⤵
        
        PID:3568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        103⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        103⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fpfDlmUfva2N.bat" "
        104⤵
        
        PID:5072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        105⤵
        
        PID:3932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        105⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        105⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ux4BIu1RP2AE.bat" "
        106⤵
        
        PID:1620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        107⤵
        
        PID:3152
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        107⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        107⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dxG6OeecZMU0.bat" "
        108⤵
        
        PID:4216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        109⤵
        
        PID:3892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        109⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        109⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EnTsRjvXa5Rq.bat" "
        110⤵
        
        PID:392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        111⤵
        
        PID:3484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        111⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        111⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0MGhZUJTJKal.bat" "
        112⤵
        
        PID:5068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        113⤵
        
        PID:732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        113⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        113⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkPiz6rPfiv7.bat" "
        114⤵
        
        PID:3960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        115⤵
        
        PID:1204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        115⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        115⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0xaAb2LwbusF.bat" "
        116⤵
        
        PID:992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        117⤵
        
        PID:1684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        117⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        117⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ze3wdAKvHeQj.bat" "
        118⤵
        
        PID:4420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        119⤵
        
        PID:4372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        119⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\00yJi56wdFN7.bat

Filesize
209B

MD5
44e89ca8fa9bc7fcb28b4ac670a5de12

SHA1
ba34609cd6e5a9c922a4fe26afdab435f889b8d5

SHA256
ae7b7da3a73cf88c33f2bfab22d4f712aceab432ee2a0c33fdbce4c4056c1bba

SHA512
cc70eab6561808fcd71eb7ee103f3724fb64643069dba9ead29684a60191b330e22ae6aaa9167d2f3e5bc32f61ce4221619396a6704e80d0e93d0ade1126ae1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0MGhZUJTJKal.bat

Filesize
209B

MD5
87a0c921e3d284fabe4aa00df3279ac2

SHA1
b4405bc6e33b46652bef6b0ca11c1bb6cd0d60ae

SHA256
62379903a384303f6a67d91a22aac2437dc7f97b741a75441b23b2569948b817

SHA512
de8cfe84657230a8fff2acba2d468cae5bdde8aed9a50f180da87979d426b15dd99447bef384c7065b2f96acf5e98ef0d418512d607e3c9a52a1196417995a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xaAb2LwbusF.bat

Filesize
209B

MD5
cb4fa78204dc33966bd00b41799d2142

SHA1
35043dbffc19487f65232a63d1abcb27ad9d9e04

SHA256
72c07499e8c63463db1d62178fff46203639cb9c05bd12e1f154e10accae2e41

SHA512
c12e4c124d8c274231468d0ff9602a626faad166f7553fad9cdcaa3279b6d0d49e33a4ad95bbff25b0cb90deedd230c77c5d937b210beb4837911c670907cf3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0zncIS4ueqb7.bat

Filesize
209B

MD5
c4a83c4354392f952d5fdbe2944d3398

SHA1
15c888772a05593439ab719099e799680e9b9666

SHA256
9f63af7268bf5131a0d53a9105d5bfb0f6bc5d049da13e68938894505336b390

SHA512
bf93cd1d7f51d0a5ebbc013f8b9559eca2b14df197c8b7a6757fc921b6074456f7ed5240ff44bc5eabd0d3b4c4f95e9eeedc49ef91b3dd3e97e92791ec09308b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2T7tkeiTW2xW.bat

Filesize
209B

MD5
11868c7e51d5247fec773f9fd0b3ba86

SHA1
dfa51b9c7a7007bf445392670d43277bdc497e9a

SHA256
be16b0b185242e1c5faf4aebe5eaf8a899eb427b2e72770a09993515e2a7281e

SHA512
2297b53ac33b837866d4344018a4008460390509efdde1756a8fb2f0898bc32a77ffc5f672b3440335c8fe01e79817d25785a9de63f6a0dbfc65c5dac924eb2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4YlaeIsluTNa.bat

Filesize
209B

MD5
2b4e4d131e7b6a2a0572052c65a06d60

SHA1
cdfdff9bd34fddcbe19b2fa8503270cc80fccf4a

SHA256
246fe733f37ec5d0b80acc951ae6ecdfb975a1e513c62ce0e9065a90cde1bddf

SHA512
72ebfbba8c39c2d80df9729e7b4f7cac2c3162e7dea1cb1295af5d2e615c779ff926081f938cdf4be55cf6f910ec60cb9c776de7d54f1c311ff396575d1de656

Download Submit
C:\Users\Admin\AppData\Local\Temp\53MpdghRGjwd.bat

Filesize
209B

MD5
812aff7a60f8818ac59eabeb1349cd2d

SHA1
7d845ea5e343ac77d3a6e7ece907beb32061b3dd

SHA256
845b8b045d6e3a72ce639446ecae99216099674c7ee7deb716440ea6bb7ab6c1

SHA512
601e0e277991cfa7065552c0d2a65a376d72b61ee427f0d02d22b40e3e541ffc1dfb36d58c7c6740933e0535b36dab3e4d209ac2eacdc90e0de988943299bcf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CB2GKRa28Lt.bat

Filesize
209B

MD5
b18db35c197a6e93d84ac68870ecf33a

SHA1
13dd6f5be91dce2203fcca741be0b090f75683bb

SHA256
5f4b08788671674a7f6621a2d16d7abe965c5b51d59822c463e01ee0b25d97f5

SHA512
34bc88ae9c307f94079aaf0863aa7cd04b23768f5f39c4ecb181a7def407304b53ee424478fc3c653c5de7de34081384dde5eaaa2c7c5bb5007b5a670589ee56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7KozjBEAIvUH.bat

Filesize
209B

MD5
19fb841fdc2054a94264aa1970424118

SHA1
e2477ed8c818586b2001f82ac5b6729c530671a0

SHA256
50f141e20d0e2ce82f80b5b1dfd814e8f5aa1bab609d4be170e08af6473050b1

SHA512
f3a693ffc0360663535110eccff6dc7a0739b4758596568728b1709659a4a11bd98d86f86042bf8699637d1f935d7af6dbfbd7e5086b0abae4a530c03d0bcdeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7w2MfSsW3G2I.bat

Filesize
209B

MD5
0d652c080ac6684a54518cb19400356a

SHA1
e83234b14d5ef19abfc3b5a74e9a1816fb16024c

SHA256
a8db1279af1435d7bdaa1a5fb03dedeae790cead3c363ef242707ab3d93a2553

SHA512
2d863a515cf6175fbdf0c02bde078d36350d1fabeb15d0656a2c1bac767aec2cfd4d6a7c93527edfd5c567e46842364de5bdbe7fc15813528f16386e08c904f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\D04v27ERfKVX.bat

Filesize
209B

MD5
e33700dc0e08eee3e20f2af69ae63d6a

SHA1
0e41afa45821a782ae0ee5b1db29124392fef608

SHA256
f8919c9964a7239b991f45bc967c3d63dc0df48f213e3f7b5d612657a941f8e4

SHA512
2e6b6d4995c6519650f0661dec8f1c4a356249cc29aeac228f462048038d5b151f9ea9c1e20c075d616cacc5a3e9cc836832b8d90aaf9ac8733c6b9c1fec4a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\EnTsRjvXa5Rq.bat

Filesize
209B

MD5
e94b9a7cd3781a27862f299c3097cdc6

SHA1
47e5b7e74163347e636be4baba613530408948b5

SHA256
fa1eacc20a48818d7b6381df2627c3ef1be4b50ae197c45ffd1e20393674c191

SHA512
18d9b946c49e669093390dd4075d756dd54169f2e779be03b936973ff5b5eece604c05c53d7585e71562ceb46b4c79f74ed028641289b9dedc78b1bebb9cd422

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8P8wsN1pwEO.bat

Filesize
209B

MD5
b231e5ef6917d1910570be6636228cbe

SHA1
5cc5f803f9ed9ca28ba57a5b74b163d73ab3a43e

SHA256
35628026238246348da9fe8f5a259a8da7a1a94d49ec0a0a1f990ba3e8e75ab6

SHA512
118438a471574a75222fbec22e3b74d25d086aa76f536cfcd7ee422e87dc71bfda105c6550a8e923c773bc11fe35e713edd11d2c5038d553f7f469805d6ed623

Download Submit
C:\Users\Admin\AppData\Local\Temp\FStqijGjgjV5.bat

Filesize
209B

MD5
f996a37d81467e808c6cbb77f9bec071

SHA1
b3d07a41866f7c58fbfe105edd59e6ba7e23c05a

SHA256
0af6fb1946d58e13d3dd85a291941334e7f663a6c215882007c1a2e17bf6593d

SHA512
7ba59a609246265c8c4a1f9cc8ba5036cfe17b52d635a9fb7d87def568a78431f4d1a1961db74c3eeb52ed4d521904d36e7f3d71041f9681fcd27ea0e906bb13

Download Submit
C:\Users\Admin\AppData\Local\Temp\GHCX1JQlMv8T.bat

Filesize
209B

MD5
e26322a66534c4dda2450d8e5a3bbd74

SHA1
805ef1da1cd2614cc6a3d267904791eb47d72af9

SHA256
14a9e5666f13e2f3cbfbb4630f2e41d537525cde4a6704e307b36ed294c40ffd

SHA512
100016800a3c6aaabde824a80a86e2d0326384c421093727c64709c83be9eec3ebff5fe7386c3d241dd0a2f0320aa5c8188022ad3e56de8fa5de0d212603645a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GhrhIYsbSIJr.bat

Filesize
209B

MD5
d7ed7adf4ce7ae2f18dacf9cb2f9a9d7

SHA1
a65c9c9a58a64cb238b3376fd3ea731ea9a162e6

SHA256
8dc2b03a5100dd2cc049c629ae2e29e944ce031213597c7ca9d72a9c1cb346c8

SHA512
3aa98648ab6c9309c2952b178cc50b77f695e178f35baad096bc8e6f2585ab9964263dd172750625ac0a31af8c0a3f3cf2620d6f54a8f9befacc228981efbe42

Download Submit
C:\Users\Admin\AppData\Local\Temp\JE3LwUE7uI1s.bat

Filesize
209B

MD5
878a7b6f1cb32f5bcb4526bf776c8a49

SHA1
32c93b825ac367b680f3f44def376cc1d645cac2

SHA256
3055de287d2c0e547ff7cb2b23a3d45c4446432674ed5551871095d65d995dac

SHA512
99c88e7a27b2659b6d6b6b83c6082e4707496df790ae22b4663528f0eef1bcd133e0b8716ccee0741df6e200d9abb22ecaa475b899381585062adff69e700633

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQxRJCkR7m4V.bat

Filesize
209B

MD5
fc2cdf91f1ddcb9b0fbde4d689abcf98

SHA1
a1a889cd93d961a0dfb57c486aea539e7171bb84

SHA256
fd75a5e37899729240f0afa3be8e395269055d179ff3761d26fc7e670ff50c2f

SHA512
80e58dd8a8bd2a8e270daf12bfcdaae31ce42d64fd47f7467f30bcea8f4b674296f5a980627468f38dbd9fe151858d41242349a80ebc7be5b3fd6c248a563085

Download Submit
C:\Users\Admin\AppData\Local\Temp\KWdYiI5QzPX4.bat

Filesize
209B

MD5
79adf9720ccb030149cf0d59a2c825ac

SHA1
b07c63f83f7bf61e0b03b712a0a0cb428e03197f

SHA256
87a17956ac5016a0a05ab343b15ab1296f6884989fbce0465336957d0b6ec107

SHA512
10b4bc0e44d858aaf0e8512eb3a622025a6aab0004b04a180a101b96e78b24ef269f446c2c65b16cc062ba21dd505c04da16d5e9213a91585b3e60872d212875

Download Submit
C:\Users\Admin\AppData\Local\Temp\KuaAkZFpTq96.bat

Filesize
209B

MD5
39d9f18ee18e97f087ba3e6e5c4f4da9

SHA1
0d3e3542a3228604266a9ef4e891d6d4285ecc23

SHA256
121e96e993b94e67d45ce8d38b4964f4afa198773c5257e88ff86a9780102c50

SHA512
6da1a5affeb9cb3f1b079a6e9727d8e7bc3cb2a892232e94135e1eab5ea4c75c6090e621d090d0bac7f7f65745ed471236746564ca7cc3b84b2fbebc957e8d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXBsjEXXB71F.bat

Filesize
209B

MD5
56d8e926311372942b4a68515c389df4

SHA1
13de0b5ad77c8a949c8247b30afa71fd57734bd9

SHA256
f224bb679bd5f78d69533d0d7d934728d53acedf03d5552a1c4b8ba66342f804

SHA512
6c28b88c0a9e2fed08e2914adae3201f980eb9a0f45a3fddf933b322c305ce9040d77aee6e9daf7ea2da84863e91e2b0a2ed44b8e52df42a6d03e45bdbe0ac12

Download Submit
C:\Users\Admin\AppData\Local\Temp\LjTViHzMm3FR.bat

Filesize
209B

MD5
8a31b18b368e11f86bc18a4c2f6cbf8a

SHA1
2796e8364ff57fae9a6e3531f3176b31f0c49b68

SHA256
9ea675af57373bd75381ee6ab59aab8b1c9acad491056e359ab81d3d8b638454

SHA512
e5ed0c6804f06e6983786687acb563f4636f0170dd33c99db9179a071a55985697962bcb4f48539a845c9f13fd6ba3a23bda7a661e47a1a1fa018592f703eec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OKrcIbSThsuo.bat

Filesize
209B

MD5
f3bce2150e8e874f3629334b7d238589

SHA1
343c72502b9570475b883c68d2d1604b26c3c95a

SHA256
37f8ac7d9556609e3f3e9c355b397a7e14e1d9643124ac0d49ec189ec6aa851e

SHA512
ab521611ea289b4d39d3c1a51ce111537d98c0152d02a0a0a18cfa3c53b0fd43acc95f425939ea12f674aa7022e4b7dabe88f5ef20488c82ac06e0683ee42cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\PuhKdNh9m1QO.bat

Filesize
209B

MD5
0fa4d46b2880266ecc5241ef7271d8f0

SHA1
accc4abcfa44446843500c69d1f1aa38697e476d

SHA256
b1aafa3f9960599b7fc15234535f249f4411cecbbf5bd368e83f919b01e625d2

SHA512
92d08bc5abc72d19f94065cbe7d79974231f79619cca5924d68440f1f0520b7498525dfa1af03f3fa9efa903994d4831ca988d9aebbe92028bdbe703f1ffe20d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RSMHMynUsM6W.bat

Filesize
209B

MD5
d0b8e2af7990fb66be762be3476389ef

SHA1
ef505eb1fefb3a0b78624e2dde6a171a9bd62f99

SHA256
ae294e682befdde026464cf5868c13802868a9d51e7a423d419d44977f67caa0

SHA512
b17ace82d74acd5b3e15cb7be93687ed2dafd7289116262790ba384a5708c975d9938a921e150909d6c7fb355e9e832e7cc389986e47f7a1e1b3630d698719e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TjJeS9yuAUbp.bat

Filesize
209B

MD5
0fd9357dc770bdb16c5bf9a77c91e6a7

SHA1
8d6ab0da2178d56d9ff017ae7e03d7ef8bdd2117

SHA256
0f6ceb2fde71990e46bb53fc4dd5eaa42638fa1e2cc3a830ff6cdd32702b1766

SHA512
d694db852dad59c0d2bfa9c72687009478f42eb74cdb96dde47285d6c49316bfe133049431a209d8335c3115e3ccb89e50efbba26468a990f9463f8065effe5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ts5BXC60LMbE.bat

Filesize
209B

MD5
146b953438eba5195379c814f5c2981f

SHA1
9e404a4f4372d80ea6b1fbe94999dc5be8a2057b

SHA256
3afcd84332bc934283d64445069fc0509c7592f0a1206e5c93898118462a41a8

SHA512
a775b8d6b92d5ecb2abe7384f82263f6109d532a00fda2f015c977411028b06ed7fcf3bcb9f55418e533c2e5581ac03b62f9521f6e028198b0b67d8c0be5d4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\V3hbUPu53g3k.bat

Filesize
209B

MD5
30d7f27b9913d04048a628fd4c70e22c

SHA1
82a2b9290b55351535d8b4ae815017c70bca285d

SHA256
0cf232819b48f1657b6cfeb5a19ec549bee710a44ec43a26c05e60deb41f7db3

SHA512
ad3b16d198f8f86cdabe9053824ada7a614c2bb924334ba397775f9e2a880e6d1c5e6d110d928b187a30f6aebb3be788a39c3f81fff26818249540a021bd8222

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wl07VD2wwewI.bat

Filesize
209B

MD5
711fc4c391be06d66b267289a8f81f4a

SHA1
8ab142a72572996b7055c5db4039628f2227c760

SHA256
caeff416d4b05e6a377b746e6bcf1214453d1c3f59e1d707ee8c1ec33422ffbf

SHA512
811ee83a471ca4cae3c6b9ac8e2df5dcc4b1fe0acd8044f44348081215924d41a44bbb5ffc551a155de8560cd8aee5a01ba858bef02ce5b71671423084a0a005

Download Submit
C:\Users\Admin\AppData\Local\Temp\WuZYhc9mtwkv.bat

Filesize
209B

MD5
db44752443e679d1c23608506ddb33c6

SHA1
a54b1a8fcfa42c6b99772d953c4299080dc5e497

SHA256
7d2450d9658534c364f2557c84b21011168edbaa7e877da819cfce7a7a8f5917

SHA512
790a431c91f19349248a0a4965f084f7cda3a25427d51420205cbdf68e02140238466849d03700969b68f119ddaab734b6e4901a3088c1bfa485d62ea4a055f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XjlrMbQJW8MJ.bat

Filesize
209B

MD5
25a8b1c2c49f43ae44fa55030cc21079

SHA1
0df2d4df9d13ffaadb1e5bcffe0537a2444dccef

SHA256
07f840e8f576b9f369558a0329783756a71dad4b68e20a5a0ed1b490b71eb692

SHA512
56a39a09f0e8deca2b5718ace17b6befffa5eb7d45fac704322fec414747da8563b36b2b3f15d824a629b4cfdb2dfa6e78148b75704b77ca01d0cb55da9f6804

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZCug3C619WyD.bat

Filesize
209B

MD5
2f3a2771b3981470aad345c125fa1873

SHA1
9721236ac95f7daa4eb569b68716625afd217706

SHA256
786b69e7d801974d0cc61124fe229f726c7465787a294ad658fab1392f928a16

SHA512
7859966cd13bc4d862ccbab3d059774fcd9e3a95a8a3de7cbe7d4a5e281a813827315cca4fb5391812ae3bdb63fd435f2ecf4471e4f5d6ab51cd1efc269b7437

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZkPiz6rPfiv7.bat

Filesize
209B

MD5
5d0793bb008f29f3ba34051a33d16c67

SHA1
16561c55763a25bd215640296cb203060fabc99e

SHA256
4a9579304877494321286be9c79b374c7d866ed8e3f94b018172ba68fa4a5631

SHA512
61a10e16f9892478963608edbfd83833c7d403226111a397e780395a10b4b3c7ddc43b712255e8b42db563b41844ab0332c0375fee832fc1c3dd60acec604ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUoqXECi8ujY.bat

Filesize
209B

MD5
d70c31e8f6cd88f99a194e60812aa739

SHA1
3186466b796327da2c3bc7305339db004d28723e

SHA256
4a1a5c0e179a20f0b8477ca6af854e40c1974b6a8e5d241b4ac50467714849d7

SHA512
89970748fdfbb87ed1add9e43b73b258caf0af4007dc3c7762cfbb1bc4b75e5697df3beabe822d88a7c164a85e23dd0176fa5ebbe30cd7f9102128c2027c76db

Download Submit
C:\Users\Admin\AppData\Local\Temp\af2eQeiedRpS.bat

Filesize
209B

MD5
c3088b10b74197078f9ef4f1e3297a20

SHA1
139a5605057fd75fcb6a88e638e1bdad097fe9cb

SHA256
35588a2f3c29b9aac8120d432666e84d41e2ffe19c3f4465ee584e59edc734e0

SHA512
9f1e21aebffd385209a9dc9f6ed135259925d5db3de5ddeeb2c675ab70d7ea20550044a2f23fd69809d4d0f2aedf8499086d431c67b04b2c9ec86cd375b6fc1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bFEgFOVqZ41B.bat

Filesize
209B

MD5
019f9f7b7928903dbe58800bee76d978

SHA1
17c742d6b6f0af0f05e13d4c4565c44de17a1c4d

SHA256
e088bb9f0498404257e44df4e4cf5cef9781f1f57cdd456bb5883777391b5fa4

SHA512
59c457038cdbf14ffa43952da555dc78bd89584ab1f184fc07238a21ec8bf05c0947b3522dc84bd4e44676d76c451383adec06390e9b5f6dcd658aea55522597

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcmYu6UPDeU3.bat

Filesize
209B

MD5
da4fe4254810f2a637845b5ff3e02f0e

SHA1
2e3a446d55e42eddf60e42706750b9aaefc7bc30

SHA256
272878454c5ecf9c6da45d7ba445570621f7c0843675cfd8b459cd12bf791f51

SHA512
83642f16770ccefb349b9772b4e31022ba8558a479944c3ba7aefec33a83d176b4832fbd094ae4af09ac61a68ede389f89efcd1f4ecae995bf1b837ce0515f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIcuYBptPsTp.bat

Filesize
209B

MD5
bcd433684a2023370eed5e17f35335e0

SHA1
034cb6aa78905d06f9d24b0656bc2c0fbdcb7e6a

SHA256
bf19360e3d2d0d6df084d03025435da5ed19a85bcce568c8573ce783e98a5a7e

SHA512
216eea8474c2a7e97eb3cd6f20fa30fae9d10a6d80e52568080355c22d164c62bb448acb5fb6d2c2a2391bb70a17fcd310caf01bf3f1ca26b5e656232a1efbb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxG6OeecZMU0.bat

Filesize
209B

MD5
fb1862b37cb495741a923e40a4374b1c

SHA1
c435b46cf3ab5c8372aa5a1a6ef498ff44392762

SHA256
e5a1186c4f5168f6a25762979dec9776eaedbb04b361fab7b96ad81bed3d98e2

SHA512
9492f39704152fd46113b9d22267c5bdc7627cf3d15a3e5a61ac5ec43dc26c1d86245d169b1a2530a0dc4142e3d39ad8c74c5dd9339664fa3ad7211d0a74c5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\foh68CzJAyEE.bat

Filesize
209B

MD5
21bc9301358ded071391186b62489cc2

SHA1
00fec203946b9ce6293c979425df7378cc3676ce

SHA256
ff424e451d915093cf8fcf593193d359cefc0e8c722ad03339a9c6455cf1bc89

SHA512
39de68d79a5ad7038c0cf3d76b5165be8bc93c8c6834570a29087f998e27a99461c7c604288b767c9e227b39588cccef3b46522b1f41428208a6707bc10013f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpfDlmUfva2N.bat

Filesize
209B

MD5
5e7da24c93eca659d7358507f12aca2d

SHA1
6aa99c7fcca3178c9bdc9a9fed4fb65c8852d60d

SHA256
dbc838b671a4e5c4313b6bc1a6e6a687c25336e48c3efcf9fe492d59c8b6886b

SHA512
fbba2893933a00e7ffdb81df52a29a6d1d257506a2842ef59e7c2d40b4c37242fa420a8b6625c2e6e7e4e4c8c7fd552bf412e22357208de0b321e3be28c6bcfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\frbvbQZuyzjK.bat

Filesize
209B

MD5
89d522f032062a29767431d5f83f3a04

SHA1
7f3978c616776b7afd067a99ac9362945cb8cf88

SHA256
284946a0022afe915a38cc4ed6c0fb9aa0481f6f74d1c98f4fcb8823721282ee

SHA512
9179a24ab7a51d6a7ede390b7b3a31de9367536f3acfe15295d1f24d14ec5600aa769ec736870bb30b694c753f3fd1de032796069344c4535a6c606d50dee41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\i2Qg6yvKSmS7.bat

Filesize
209B

MD5
ee1d3174a632cb98c8d7fbc28712de88

SHA1
130f98779faed351e8d8d38a84a154c1e84f622a

SHA256
0e360ada23ba643ee05ec402e8995739e0d9bb174264903386554c9cef796a4e

SHA512
d32f985b38af3365d456981dfe795afc99f7399047a721007cc6749afe02c426e908fb73e2dafc014e3e85c7de1e2c17f67a3207c82bdc0b5ddf318cfde8ce08

Download Submit
C:\Users\Admin\AppData\Local\Temp\iL5VLlmN3g7J.bat

Filesize
209B

MD5
fef7c3f3386b16650bf13a5eb7f4b3bc

SHA1
c170960fc5e030fe78673ea8635ffbc440f7a44d

SHA256
2861f7450f1463d5940ec615e656d7cf698f2b63570814bb9e90d5d1c08bfb7f

SHA512
0c2354018d1c8fa16231978fe32ff5d7a536f3653dfce21034fbbda3c8bbcea2f3ac7cfc5efb4b4e0dce52b118c1c9d9c5a4a44fca86130b2805af221b129e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iim0XoscbuTl.bat

Filesize
209B

MD5
a600efa19d4ca2b94f3ee9d6f8bcf9a0

SHA1
8ba2d8a8220a0c9fd724f1f69915074ec6724fbc

SHA256
bbedc4d4e6be5edfc904f8201fb530cbda137e3c6de135bdf43ba8d310e30e07

SHA512
bf48295e591c9531b2b88502cf06a36049f3bda1f93c2808fbb2d03cc78b345bb9e6140c7e6799099f5953aa8e82f668dc5b16f062d0a4a81ef3ca77108b8094

Download Submit
C:\Users\Admin\AppData\Local\Temp\ilVP9gT2oQYc.bat

Filesize
209B

MD5
966ef727c3e2c8dd5db7f2991eb1a444

SHA1
c1edb929d7be97356467b547c40821a3f3ee472b

SHA256
876ad20609fc404b16b33cc478aea8953f1f0dc8960dee39f8a657c445bf0273

SHA512
064b8b9ebb36c1571828b193473fe96ffba4a5204d2999a87ccb57ba26f079532556f61ccab25b24658ef1c15be87eb7afb484ff473183c597350e18f3b96b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvJEkWB00Go0.bat

Filesize
209B

MD5
0a0042b1c56ee488142b8ff3f2552af9

SHA1
dcec54b5780bfa985c3ab471630506c05eee47b1

SHA256
f1b4b96a907ce018e62d4e7fb733cf387cb3db3b570a0a80fce4637f2e0bb8f1

SHA512
cfb356d1d56a65c3cac553f573cfc36e0969fae2f22e316b67891130ea2d1e2d598261ea388520b7068433d3a3e78d75528bb03a1ebcbcb06ddd440dc19bdbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\m3Gx4DURRoAg.bat

Filesize
209B

MD5
bb7c52c8c551633cdea12cfc0e3291c1

SHA1
46b45071089c7c4e42fc2872f4b73e72a9555f42

SHA256
c4a3c11e730fc94dc9c3edcab3d36a93ac56792734c0020355a75a2a09237457

SHA512
811561333299380ad86d08698723677af3f9d2fc2bd2855fd84ed733213ee562c276c148490532fcd1c0b675cd10083de61af2b1627a6f737f56473a8332439b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qHp8ehJUrXxd.bat

Filesize
209B

MD5
7a342ef0019300b98e0ef38a74e7988c

SHA1
3ebf7fba3a3b080484ccf092337a25e3f88000b7

SHA256
6416da9a2ad65477bed979d9e017a36c6d8b145dfe1abadb2f7426ebe198dba8

SHA512
12d9d311dd85b96560c4918aff3712d0559a47b06f7aad8a03a33a9e004ba997223ca0551cd92dec727dbfa8b62ba30b5f8f7ebf47d160dd3d95e8711716fd3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qThMntd8QsCH.bat

Filesize
209B

MD5
3c46d08fadc78c257027884ebb9624ac

SHA1
c330920a5cf3fd04b7d09b7325348bbb6dddce79

SHA256
81dc71b159c4860c3df4a3bbd23e321ff0fed420f6f53939413931f930ececb8

SHA512
8154001587ef52020cea0b775782a888ea89d16d344f5d3a1f92c91885f64f37498a418334dbb598b2e4483929c8f0b08da056b162578a1fa0f85d1d94269380

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmVLhmq3K68o.bat

Filesize
209B

MD5
e545954795670f7659af08614d82ba2b

SHA1
23424d886dd9da2110baeaf7996b85b1ddbb8842

SHA256
69865c20f1d345fefeb7554cb90a6a107df7b9eb9a7ed2bbd91d13147ef1d7c4

SHA512
3a51c336ce9d85b762075f9a605cff3598f3ad1a4a8de238b5ce979dc0b1b2ae15ee88a786d1de8a18d27de77ea158a7a98c15d3854e9876ed3f87eaad5e0058

Download Submit
C:\Users\Admin\AppData\Local\Temp\sijBv508xUST.bat

Filesize
209B

MD5
9e4f325917ab930f07d518f1e1cef281

SHA1
39d26c9ba6bfa24b0de86b03a1954f1ebcf415bc

SHA256
c62da1c989cbdb627412979d09a9cb872bf6060fc1fa8d49ea06b042e5260d7e

SHA512
fe92e0fd8a1600e5672afb8dea1c2657d263654fcd74f6d1f9cd3ac8a430965a178e7a14342e201516ebba203a9f7956c7b5ad09473bea5580f63fd81d043e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tRP3nODn8SXK.bat

Filesize
209B

MD5
8a16a3014baafb236acc0b7665352539

SHA1
09fd21dc57899917cb0e61853827d3cbd36101f8

SHA256
ef9f1a7d396bab290c122efcb10a284aacea035f6ccd5de57acfe061f61e4d3b

SHA512
f84bd035308928bd6db6cd5855a69ed8db7a32aa57bab7a5ddca3cafe248e2031796b9ac6e9b7748a3f68753030d5a56f7adae5ef84b2365e68d5f9527abdd3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uNfnhdMUtfra.bat

Filesize
209B

MD5
be29dd95f9a5c1bb8904cb90bd0ea1bb

SHA1
1964daca0a1819f074ca38f44d7429d28c3d1e38

SHA256
fa7fdf5e29ede497776e41873ae2e4cde9d5dddebea9507356d3aa8f1fa2f6ce

SHA512
5444ef6b4a5264318043acd91fc4baab2dfa737bad0561c8d5f8d4a77e7b31c92daef9e6b1ad5d3da62b574454c1ba6d6b228c4b7c6d28f2b8971f7eca2b3fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uZQwmXPDlB3f.bat

Filesize
209B

MD5
c2f5b80dfb269ad165ed429b2f9f961c

SHA1
192c67164501c0cf3b72fa676d1d291a294a8ce3

SHA256
0215670ad238f4a5cfbcf529d8e090df081654a321941bc5816abc0387b8e03f

SHA512
868d0844df8fc4bd8c01e4c389184c0c1ac2bc84fa31325d5a00473dde4c49d3a404e1cb698a5d892e119d4cb1f9384c8ce2d162b372259577fae884a7661d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ux4BIu1RP2AE.bat

Filesize
209B

MD5
9df625b5d535ffb6af8ca381f2adce3b

SHA1
251bd9151e1b385c3b2172945cc8714525619d23

SHA256
ec77625e407af16493b9639449d574357a6d1e35870c86f63469a4aca99883dd

SHA512
a08bffc57f5cbe7a213466dac34cf3e2a0fa56ec5493bfc4c7964aa0aaf58bdbf80fec840aced454dc318846988405c3ffcbb147fcbc403373a6c09e1313d831

Download Submit
C:\Users\Admin\AppData\Local\Temp\xD7RdCasz8N3.bat

Filesize
209B

MD5
98e29f3df5fd6ec31a083ddf2dc0e3d5

SHA1
a4f00466be044abbe867b26916883b60d797a7d1

SHA256
5737a738d94faa35d0940bfefccbf8d4350e2ae48324f6279a4935ad1f27085a

SHA512
13758b9c11bef4733950101d83b20ce29ce6cf0ea2a67a5ba051103b406438a5e8fdfba0c148b37493169041af1520154335ffbf546961279c63cb31965cf9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlOg3FhVOT5G.bat

Filesize
209B

MD5
b386a5ff8b1e4627dfd33fb28f838955

SHA1
e6855f0c0eca0f4d195559aa4f28dd4021e6f0f1

SHA256
c67b2bb949017f006e1a798ad3c6c49db33b89b199c923bc7049000e0ddab740

SHA512
527deb0e296a7960fa88b1ecb078f17597eabac3fb5e5b79131f4aa08509125f81367f424639e323881c7dbcdda6f53f5f3dc88b444aed63c637a14baf88ef1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ze3wdAKvHeQj.bat

Filesize
209B

MD5
382775e52ed9d044b7cc4103629d359a

SHA1
b479d6b6328f42f6fbc5ec64a59413c06d3561a3

SHA256
bf1f50c066531945173a88598f3411426218160b4e3434488b8855028413ab3d

SHA512
5f07b8b71da49581a36d4ca8bf90a451b9249f0feae539b48ff3b6245cc9ed2d90257a1dcd0b1dc31c894d1b57c754ce7f5b6fcfcd578b833c5aa97c36a2c8ab

Download Submit
memory/1260-0-0x00007FFD352C3000-0x00007FFD352C5000-memory.dmp

Filesize
8KB

Download
memory/1260-9-0x00007FFD352C0000-0x00007FFD35D81000-memory.dmp

Filesize
10.8MB

Download
memory/1260-4-0x000000001C0A0000-0x000000001C152000-memory.dmp

Filesize
712KB

Download
memory/1260-3-0x000000001BF90000-0x000000001BFE0000-memory.dmp

Filesize
320KB

Download
memory/1260-2-0x00007FFD352C0000-0x00007FFD35D81000-memory.dmp

Filesize
10.8MB

Download
memory/1260-1-0x0000000000570000-0x0000000000894000-memory.dmp

Filesize
3.1MB

Download
memory/5084-17-0x00007FFD34D80000-0x00007FFD35841000-memory.dmp

Filesize
10.8MB

Download
memory/5084-12-0x00007FFD34D80000-0x00007FFD35841000-memory.dmp

Filesize
10.8MB

Download
memory/5084-13-0x00007FFD34D80000-0x00007FFD35841000-memory.dmp

Filesize
10.8MB

Download