quasar | hxxps://www[.]shorturl[.]at/CRDfY

Analysis

max time kernel
59s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.shorturl.at/CRDfY

Score

10^/10

quasar nmw discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

NMW

nm111-20223.portmap.host:20223

Mutex

0cf74134-5c38-42d6-bb49-4c83c1e37344

Attributes

encryption_key
F7F619EE7207F0CE79B19EAEA54D81315C5AE97B
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Exm Tweaks
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000200000001e783-32.dat	family_quasar
behavioral1/memory/4824-52-0x0000000000570000-0x00000000008FE000-memory.dmp	family_quasar

Downloads MZ/PE file

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 18 IoCs

pid	Process
4824	Exm Premium.exe
1068	Client.exe
3896	Exm Premium.exe
4232	Client.exe
4356	Exm Premium.exe
4296	Client.exe
3180	Exm Premium.exe
4944	Client.exe
2744	Client.exe
5096	Client.exe
4044	Client.exe
1884	Exm Premium.exe
4672	Client.exe
2644	Client.exe
768	Exm Premium.exe
4640	Client.exe
464	Client.exe
5016	Client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2596	PING.EXE
3256	PING.EXE
1296	PING.EXE
1012	PING.EXE
4800	PING.EXE
4164	PING.EXE
1920	PING.EXE
2568	PING.EXE
4660	PING.EXE
4856	PING.EXE
2760	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133807441550020000"	chrome.exe

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
2596	PING.EXE
2568	PING.EXE
4800	PING.EXE
4856	PING.EXE
4164	PING.EXE
2760	PING.EXE
1920	PING.EXE
3256	PING.EXE
1296	PING.EXE
4660	PING.EXE
1012	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3616	schtasks.exe
2288	schtasks.exe
1704	schtasks.exe
3900	schtasks.exe
1880	schtasks.exe
1532	schtasks.exe
4396	schtasks.exe
2480	schtasks.exe
5096	schtasks.exe
2576	schtasks.exe
4824	schtasks.exe
2876	schtasks.exe
4296	schtasks.exe
2904	schtasks.exe
3108	schtasks.exe
3160	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1540	chrome.exe
1540	chrome.exe
3896	Exm Premium.exe
3896	Exm Premium.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1540	chrome.exe
1540	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeDebugPrivilege	4824	Exm Premium.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeDebugPrivilege	1068	Client.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeDebugPrivilege	3896	Exm Premium.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeDebugPrivilege	4232	Client.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeDebugPrivilege	4356	Exm Premium.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeDebugPrivilege	4296	Client.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeDebugPrivilege	3180	Exm Premium.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeDebugPrivilege	4944	Client.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 3824	1540	chrome.exe	84
PID 1540 wrote to memory of 3824	1540	chrome.exe	84
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 1744	1540	chrome.exe	85
PID 1540 wrote to memory of 4456	1540	chrome.exe	86
PID 1540 wrote to memory of 4456	1540	chrome.exe	86
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87
PID 1540 wrote to memory of 2736	1540	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.shorturl.at/CRDfY
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb6b91cc40,0x7ffb6b91cc4c,0x7ffb6b91cc58
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,14647437952897809043,5667456133747919934,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,14647437952897809043,5667456133747919934,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1524 /prefetch:3
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,14647437952897809043,5667456133747919934,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2560 /prefetch:8
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,14647437952897809043,5667456133747919934,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,14647437952897809043,5667456133747919934,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4900,i,14647437952897809043,5667456133747919934,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4944,i,14647437952897809043,5667456133747919934,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4960,i,14647437952897809043,5667456133747919934,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5068,i,14647437952897809043,5667456133747919934,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:4272
- C:\Users\Admin\Downloads\Exm Premium.exe
  "C:\Users\Admin\Downloads\Exm Premium.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1532
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RvMHuR3ZxLbn.bat" "
      4⤵
      PID:1180
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3880
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2760
    - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4232

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4884

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3712

C:\Users\Admin\Downloads\Exm Premium.exe
"C:\Users\Admin\Downloads\Exm Premium.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Users\Admin\Downloads\Exm Premium.exe
"C:\Users\Admin\Downloads\Exm Premium.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4356
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4824
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4296
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4pUr5FWbfUTr.bat" "
    3⤵
    PID:3328
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4224
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1920
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2744
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4396
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYQvNFapPOcm.bat" "
        5⤵
        
        PID:860
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4908
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3256
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kfTdYG0DNiu1.bat" "
        7⤵
        
        PID:5000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2568
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e4UKK0ce4e4B.bat" "
        9⤵
        
        PID:536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4856

C:\Users\Admin\Downloads\Exm Premium.exe
"C:\Users\Admin\Downloads\Exm Premium.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3180
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2576
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4944
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wXYmpO5QskO9.bat" "
    3⤵
    PID:4292
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2856
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2596
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:5096
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1704
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ajh1EPQxzlYR.bat" "
        5⤵
        
        PID:2344
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:808
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1296
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f5k0nBvXR6Hh.bat" "
        7⤵
        
        PID:3236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1012

C:\Users\Admin\Downloads\Exm Premium.exe
"C:\Users\Admin\Downloads\Exm Premium.exe"
1⤵
- Executes dropped EXE
PID:1884
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2480
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4672
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQP1D4BQc3Ub.bat" "
    3⤵
    PID:4584
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2992
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4660
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      PID:5016
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3108
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fv5xPeS0cKQU.bat" "
        5⤵
        
        PID:1448
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5096
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4164

C:\Users\Admin\Downloads\Exm Premium.exe
"C:\Users\Admin\Downloads\Exm Premium.exe"
1⤵
- Executes dropped EXE
PID:768
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4296
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4640
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EaY0F44XYL69.bat" "
    3⤵
    PID:3180
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2596
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b46dfd5c9b1482387a6dca49d1480d2d

SHA1
1194c1d1d88afe372959172cb3234dfc72a8f0d1

SHA256
f7161b0bb9a5c86053f2d0fb3e964462a59135f8379bf17cff2e29573fcf27b6

SHA512
27c18694165429114933eda409401e32965e9b4acbc5fcde96b4edc57bb373d996870a706a39c75839973c637481ae23e22843708daf2840c624378278cfc521

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4f954b2ab4f662fd9d37bdd2707012ab

SHA1
b13937ae69641cceab17a739f3eaf323b2fb55b9

SHA256
3bc5c97b27e20e07d6380850379b9c4d4a378d1532d628152e06fb95410fa19d

SHA512
3ee118ec7dff6faa9300cc8e1ff70ac2894461bc8d73be2d4267aa6eb6185e280f452f0f1fbbb2299c47ea3f81de8bad0134bb9a47dbb58e7c866b60a7c69b24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
efda04032756d64ef01078c5ea44daa0

SHA1
315c482f794ff13b5a7537f3b06aa786b0d46bba

SHA256
ccce4387ad3a564d1fa1bb463de875f078c484d812938b609702205850273471

SHA512
3953f17e8285d319ec458bfeefc18437899c035889239168d82553da31841d7b61b528a33cd27c428d74c4c53224f8ccfde3b0a96cf1cf1194ccda43d3e72045

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8661e71ede0c38b7b2f03d7b8c4525bd

SHA1
3dc02bec4bc649a1c94228b519091df681c86468

SHA256
1bdfc0ce552860d561aa74acf0b748de40fb50bd6522b55e8b4073e8b57aee4d

SHA512
2c68b2207d20a19f3897abcf92cf23e16848eee8801c746df79bf2b298a31b4a8575b9fbfebbc8483d7a4f0d1ede17aa9a83b77b009c5712cc8aecdb1899c0f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
58885d57271afd4350e0e655cdbcafc3

SHA1
4b6edaf0ed95c3a2ac27134802e5ab7376717aa6

SHA256
68345c02f8c39f32db243e13fe46fbc067bf9bfd2ddf47492a45240c0be0d25c

SHA512
ef9ae3fdd04b71d3a721ffee1d4db8e1a27909ef1d01293ba120f3d781fcef29e6ac8550fbb22e6a10d257a4397766d6cbce402e14ffac99e944e03305fafd37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
b33ff105c0e043ca18f4e427126c14aa

SHA1
027cfc121cc88c526fb956359f907dcfc4ac4715

SHA256
b66a3998e15be6f0a5c4f57121d35887838fd41b9af7f8b3524df7883e0fae0f

SHA512
12ad471610e267926439aa3a1dff046b96d505599dabb1ccb17a216f134961621f24c51400dc0f38d4f6c9015996e6a599a47e9f7c0cde4fbef80322e2af2c88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
e0aa6bdb247f4c3b68668a46032852e5

SHA1
5800a90bc782fc805a363dfa3cf8b527bc928c9c

SHA256
99018cb6afd9c95a64a9e85609512f70f47175a030f4866b6a60dfe88cf68f6d

SHA512
67acd237a131710580225751ad3a5562059e0ff071ddfca0750329d5d484ebb01e908b0a17af9b0539731a9b56421abdbf79d09a1335871053f63b6fe9c57ff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Exm Premium.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\4pUr5FWbfUTr.bat

Filesize
207B

MD5
af4adf59ff59ceeac316ab4c44e291e2

SHA1
3f20acc4a0b435c36607dafed25f3426fc5a80ad

SHA256
f25d3c6fda6e86e9f8a5eb82fa25768c5a35dff5ce29b0fc20a612cfc9eb10cf

SHA512
11a92b804984cf671503820293f3bb0f3f42627f3a6851b6caa8c85a614586ab9e597c2cf3e0e0710ee2a5e2055d076a98dd15195cc7ea6a41079c7bc5c4330f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ajh1EPQxzlYR.bat

Filesize
207B

MD5
2a6278a9071deaab321de27ad9fd9a51

SHA1
36923c739f8f23d71637d25976fc9543d7c0bd44

SHA256
870030fc5d3387e509e66a4a5c8bdda20c8d8e60348a949e584c70f67b3f06e2

SHA512
23164f90cfaa4ef7722c5d4d5a87dca74378114f163976139cb8beedfd44337f236520b48f59d803472a693100224f3fb838d7cb22f3fa6252848b6b7d115ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EaY0F44XYL69.bat

Filesize
207B

MD5
b30f670e323c72cd37da53456bfbc55e

SHA1
bc2ec04a53c092f984be17290724894fa7f03dda

SHA256
ef7b40f449bd78355060d735cb93b72763ba21abc9daaf654140675eec9c9784

SHA512
90045a367dd08ecae80e883fa74548dbb48fc2d2c6b6d4719a9750bd0eb198cf2c340bb9708afc65bc795acb85272f9c9dcd0eca896a107d8164e9b50b9006ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RvMHuR3ZxLbn.bat

Filesize
207B

MD5
ab0ef13930b1b40d86f48fa51fe179fb

SHA1
c352dff70ff37eb0cfd85ef5b787aa6ae3ee8ad0

SHA256
861745b42bb93df094a2932b856d0c4f64633204e8baf2dcd00fb4e08bba0e36

SHA512
6be05331b8ba8828f35d374c2c0b06cc8b7cdb036c84b206da836614e67c06ed7552001a8aa75b37508bbe20fcb281501cde0de7cb10159f8006c30a00fa9f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZYQvNFapPOcm.bat

Filesize
207B

MD5
9b35fd0847c11f2a391199ff13546df2

SHA1
4b80369331e6756caf44fa4c78505b0d4fbccce7

SHA256
5199718ae7fc925a7c4ba5d4c6d48ddd11e7c04e4dab7e41a0b2bae7a63356a6

SHA512
1fccbb715f517ee7d27c354d2bc5a0467c2bf0e360aafc16f47d290cf6d25da88e622867a513735c43f1ea8926d22066a44e65c48e2f988fb20a856c0a8b2372

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQP1D4BQc3Ub.bat

Filesize
207B

MD5
dc0d231d0c9ee0850c43610683e3468b

SHA1
80715167ee53a30367c8e8d214de70922b65c3f6

SHA256
451b3dc5f971702b63f84f2cc7b8bb3cf8db37cd3bfed169579416f6788a8dd6

SHA512
9574fc44b3896178b4e59297669c92ce9d2e699fb158c72dbfe3ecec556b90afb7753c322a16603fc9dab61da5a4cfb45f1b3fc0b4dc3bc752db060fd940e028

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4UKK0ce4e4B.bat

Filesize
207B

MD5
281d7411803c382be99e2266da20a7be

SHA1
b423d989bcfac6c204bf3a2cfd6c0e4b162049ec

SHA256
dc64fafac96f1b2fc189dc3061847b357102a5f9539da995b4b869f5415b6154

SHA512
bac4c902f580d45076eb20150f2aae8aa96c15cf0537a3d36ddc9d9e97e7b911b13b51bd6bc809a01d66e46b37eb9e0ec00cac3357b0f788a84c89767b099c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5k0nBvXR6Hh.bat

Filesize
207B

MD5
7cbf8b1749a6f3dbeae935f6d6ae33cd

SHA1
6d4f6fcaa9a39c1217caf85a7bc00c27cbb9118d

SHA256
46ecf86f32e7b0e60fcb8d5aebdf143e0bf142b79d0b8cc91530a42655599c98

SHA512
d091faea410af3c1bbbe794c2dc547e7abc74ad9367bc069909807a02dd66afae482d1a88be90ff156aa8d42fc42acb4042030cc045d06661ffe54fcc125bccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fv5xPeS0cKQU.bat

Filesize
207B

MD5
065df9963eee07b7b727f765166c1624

SHA1
b394e7281f61c3bc1c230197af224a80d4981c24

SHA256
98f602a89d7ab1fee4353e1fc08ecd3aefb6179672ee1be4210c10d05ab907bd

SHA512
7d1b5e449e4913ab921f5c5ab4c2dc09d9ac393830f8f45fcb6fa3a2d829b05f036de97fedc4c74244eb2ef6730299d6e24d6d32836ba06975f1a2ac6e02f220

Download Submit
C:\Users\Admin\AppData\Local\Temp\kfTdYG0DNiu1.bat

Filesize
207B

MD5
78ca12d162841efaede35b1640ef65a5

SHA1
947d63be10e7f4deae83fe08926b31e174f4a690

SHA256
1d70eda5b423437810963acd21e684860d0c8bd06cd8c980e2d33bee33594fa3

SHA512
a9f7b2370a6708ea70b8cd71c818667570b31d73e97269f1141f05f24b205e331d747bd2319fd47bdb8937e2e93a303217c592ac2d33f8197bef327796af827f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wXYmpO5QskO9.bat

Filesize
207B

MD5
011563307bc645f7f7291a7c888f2da2

SHA1
2694206ff5d89654fbf87d481b220eb5aa96eb05

SHA256
f3910f064e7c1dd97eb6ea48725d0919bac7796e641d880408746af1570e89be

SHA512
634736ce60e3c140b20df052044321d717603481bbcbcee341244cf6ef5558c426f3df85adffb4970f38388354f34a0aa0d46b45df21be2cb72e627067feabb9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 371526.crdownload

Filesize
3.5MB

MD5
1e0a2e8cc5ce58715fc43c44004f637c

SHA1
f85ba3c4bd766e12ac11840939f5773ecc2f90f3

SHA256
4fb412dc8e1f77e2b47b1a677ca0475e5d25361d68e9e486c8aaf5148d635dfd

SHA512
75852941b8033d7f58e3819d5c7117f0f0cad5bb9b95aefef2e24eee63d2237c98072e823905e0d084659324bb54f020e163fd3310f3ee344a245051ac214859

Download Submit
memory/1068-72-0x000000001C180000-0x000000001C232000-memory.dmp

Filesize
712KB

Download
memory/1068-71-0x000000001B840000-0x000000001B890000-memory.dmp

Filesize
320KB

Download
memory/4824-51-0x00007FFB58483000-0x00007FFB58485000-memory.dmp

Filesize
8KB

Download
memory/4824-52-0x0000000000570000-0x00000000008FE000-memory.dmp

Filesize
3.6MB

Download
memory/4824-53-0x00007FFB58480000-0x00007FFB58F41000-memory.dmp

Filesize
10.8MB

Download
memory/4824-65-0x00007FFB58480000-0x00007FFB58F41000-memory.dmp

Filesize
10.8MB

Download