quasar | hxxp://github[.]com/Legendary-BYPASS/Trash/releases/download/1/Client[.]exe

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://github.com/Legendary-BYPASS/Trash/releases/download/1/Client.exe

Score

10^/10

quasar vm-ku discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

VM-KU

adidya354-21806.portmap.host:21806

Mutex

cf7c4d30-a326-47cc-a5f0-5a19aa014204

Attributes

encryption_key
E50BC33BC56B70B1A2963DE6EA1855A0E0D0FBCE
install_name
Windows Shell Interactive.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Shell Interactive

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0056000000023272-38.dat	family_quasar
behavioral1/memory/4264-163-0x0000000000C40000-0x0000000000F64000-memory.dmp	family_quasar

Downloads MZ/PE file

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Windows Shell Interactive.exe

Executes dropped EXE 14 IoCs

pid	Process
4264	Client.exe
1684	Windows Shell Interactive.exe
3576	Windows Shell Interactive.exe
3252	Windows Shell Interactive.exe
1840	Windows Shell Interactive.exe
4916	Windows Shell Interactive.exe
4508	Windows Shell Interactive.exe
4968	Windows Shell Interactive.exe
916	Windows Shell Interactive.exe
5092	Windows Shell Interactive.exe
3316	Windows Shell Interactive.exe
1532	Windows Shell Interactive.exe
1376	Windows Shell Interactive.exe
1316	Windows Shell Interactive.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File created	C:\Windows\System32\Windows Shell Interactive.exe\:SmartScreen:$DATA	Client.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File created	C:\Windows\system32\Windows Shell Interactive.exe	Client.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Client.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3644	PING.EXE
3868	PING.EXE
216	PING.EXE
1836	PING.EXE
3296	PING.EXE
3276	PING.EXE
2892	PING.EXE
384	PING.EXE
3760	PING.EXE
4836	PING.EXE
4860	PING.EXE
2288	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 481536.crdownload:SmartScreen	msedge.exe

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
4836	PING.EXE
2892	PING.EXE
3644	PING.EXE
3296	PING.EXE
3760	PING.EXE
216	PING.EXE
1836	PING.EXE
3276	PING.EXE
384	PING.EXE
3868	PING.EXE
4860	PING.EXE
2288	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4252	schtasks.exe
4320	schtasks.exe
2336	schtasks.exe
2656	schtasks.exe
4264	schtasks.exe
4932	schtasks.exe
640	schtasks.exe
3644	schtasks.exe
3336	schtasks.exe
4180	schtasks.exe
832	schtasks.exe
644	schtasks.exe
212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2824	msedge.exe
2824	msedge.exe
3172	msedge.exe
3172	msedge.exe
468	identity_helper.exe
468	identity_helper.exe
2200	msedge.exe
2200	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4264	Client.exe
Token: SeDebugPrivilege	1684	Windows Shell Interactive.exe
Token: SeDebugPrivilege	3576	Windows Shell Interactive.exe
Token: SeDebugPrivilege	3252	Windows Shell Interactive.exe
Token: SeDebugPrivilege	1840	Windows Shell Interactive.exe
Token: SeDebugPrivilege	4916	Windows Shell Interactive.exe
Token: SeDebugPrivilege	4508	Windows Shell Interactive.exe
Token: SeDebugPrivilege	4968	Windows Shell Interactive.exe
Token: SeDebugPrivilege	916	Windows Shell Interactive.exe
Token: SeDebugPrivilege	5092	Windows Shell Interactive.exe
Token: SeDebugPrivilege	3316	Windows Shell Interactive.exe
Token: SeDebugPrivilege	1532	Windows Shell Interactive.exe
Token: SeDebugPrivilege	1376	Windows Shell Interactive.exe
Token: SeDebugPrivilege	1316	Windows Shell Interactive.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 3820	3172	msedge.exe	85
PID 3172 wrote to memory of 3820	3172	msedge.exe	85
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 4888	3172	msedge.exe	86
PID 3172 wrote to memory of 2824	3172	msedge.exe	87
PID 3172 wrote to memory of 2824	3172	msedge.exe	87
PID 3172 wrote to memory of 2156	3172	msedge.exe	88
PID 3172 wrote to memory of 2156	3172	msedge.exe	88
PID 3172 wrote to memory of 2156	3172	msedge.exe	88
PID 3172 wrote to memory of 2156	3172	msedge.exe	88
PID 3172 wrote to memory of 2156	3172	msedge.exe	88
PID 3172 wrote to memory of 2156	3172	msedge.exe	88
PID 3172 wrote to memory of 2156	3172	msedge.exe	88
PID 3172 wrote to memory of 2156	3172	msedge.exe	88
PID 3172 wrote to memory of 2156	3172	msedge.exe	88
PID 3172 wrote to memory of 2156	3172	msedge.exe	88
PID 3172 wrote to memory of 2156	3172	msedge.exe	88
PID 3172 wrote to memory of 2156	3172	msedge.exe	88
PID 3172 wrote to memory of 2156	3172	msedge.exe	88
PID 3172 wrote to memory of 2156	3172	msedge.exe	88
PID 3172 wrote to memory of 2156	3172	msedge.exe	88
PID 3172 wrote to memory of 2156	3172	msedge.exe	88
PID 3172 wrote to memory of 2156	3172	msedge.exe	88
PID 3172 wrote to memory of 2156	3172	msedge.exe	88
PID 3172 wrote to memory of 2156	3172	msedge.exe	88
PID 3172 wrote to memory of 2156	3172	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://github.com/Legendary-BYPASS/Trash/releases/download/1/Client.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe06a046f8,0x7ffe06a04708,0x7ffe06a04718
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,10201561608921700679,17265612766145757601,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,10201561608921700679,17265612766145757601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,10201561608921700679,17265612766145757601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10201561608921700679,17265612766145757601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10201561608921700679,17265612766145757601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,10201561608921700679,17265612766145757601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,10201561608921700679,17265612766145757601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10201561608921700679,17265612766145757601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10201561608921700679,17265612766145757601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,10201561608921700679,17265612766145757601,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10201561608921700679,17265612766145757601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,10201561608921700679,17265612766145757601,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6280 /prefetch:8
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10201561608921700679,17265612766145757601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10201561608921700679,17265612766145757601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,10201561608921700679,17265612766145757601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2376

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1376

C:\Users\Admin\Downloads\Client.exe
"C:\Users\Admin\Downloads\Client.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4264
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:640
- C:\Windows\system32\Windows Shell Interactive.exe
  "C:\Windows\system32\Windows Shell Interactive.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\04MSuZMivw2B.bat" "
    3⤵
    PID:2340
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4564
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4836
  - - C:\Windows\system32\Windows Shell Interactive.exe
      "C:\Windows\system32\Windows Shell Interactive.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:3576
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3644
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSNdtfqPQF1I.bat" "
        5⤵
        
        PID:2824
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5104
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3276
      - C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3252
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYAUUXnM8ThP.bat" "
        7⤵
        
        PID:2480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2892
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3NOX1LNHvams.bat" "
        9⤵
        
        PID:4980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:384
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\atwZWyrqtVRZ.bat" "
        11⤵
        
        PID:4836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3644
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zjFyR6gZVMjj.bat" "
        13⤵
        
        PID:4608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3868
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NxBjlvQ9zQFG.bat" "
        15⤵
        
        PID:2344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4860
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f4SN0rRryMzB.bat" "
        17⤵
        
        PID:1572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2288
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YlnOajaJV4Af.bat" "
        19⤵
        
        PID:1388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:216
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3316
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z9F56Yfor35W.bat" "
        21⤵
        
        PID:964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1836
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQTQu7pq86X2.bat" "
        23⤵
        
        PID:4032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3296
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3dKX4JwieWjj.bat" "
        25⤵
        
        PID:1132
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3760
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows Shell Interactive.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1417d2f0a8e1f350257a9f9ce27ee053

SHA1
af8840ed42c9cd1d7660d39bdd0476e8fc79bd56

SHA256
3830471d401ee2cdb612c17536548be422de8f784656cd0135488390ddcb9b55

SHA512
72012d1eaf619757788d1e7f2abd3e386a5d1b1c95d078dbc5d3c19e4aa04022953648b1e66898064052ab228770d8ae18645c2277f1329ac00dc83ede349628

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b8336c9447dd8c21715dc1f79230941a

SHA1
92e33b2116c419bb0755c84fcf147d82db54e4f1

SHA256
ae40a303805be28d8b91dccec01bad3513678394f61bff75e4672be8bac227ea

SHA512
668832823e00b554848c3ac944984c979329b4e34579f540051c94915c8ca8e32b03e0316acac6d22bc61db351e8c4abe0e07b21f63513c331e458e4d77d268b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d6997842-8d4e-4795-82b5-91ba940d50e7.tmp

Filesize
6KB

MD5
002c68147bacb574242bf50b25e97a19

SHA1
7ec28ee62f459936d624668f41f42a4d3f4e31b3

SHA256
5dfbda800ad15f2dd8bcdc5f8a235182c15982f154e53929d676f04c79143459

SHA512
c50cad179181495cc0fcd426b107117e46dddc312a2edb38b69d3edc2473b4dedc418aef86e569201f0c20ae08f881cea2d57d4daf6d3e4670939f34ec7957ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a92fa1c1ad63726697084da1cb7fec1a

SHA1
26f8285130f0f491895954cef6c1efc61768ce01

SHA256
9c8e12fb7ed055d854c950d801670922c7ac3315f7d04c18e058416016dab3df

SHA512
2504d9501044e6b6efe01bfbaa2b9560e2ef8b4652fd17be564bfd1dfaffb2a3cdfd5fb77d690560e06344b822cc5f2629acf6ed1fd5dfe29ac27c9461a3f639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6ca8ec3941e626c2b94ba2838e30b164

SHA1
57afd4b5f8a0329d38a40b90440a6e851b4c5238

SHA256
ae4a36e19ec957e1547d96adac7f2705beaa54295894fd2d36cf68ee2f9675d3

SHA512
ec9e4aea9211f8841ecaaeca92912864ab10a174ee38ef2dd5f9127e1bc80f14d88c142807f605d45b7bd33aeb078c9eb85ad4fea82fb65dd8e63f3e7046d055

Download Submit
C:\Users\Admin\AppData\Local\Temp\04MSuZMivw2B.bat

Filesize
208B

MD5
93e1a8c7bd8db4211e9609f4ea1f1602

SHA1
683fb45a5d738ff2fd58bbd54c65ce48fe88bf10

SHA256
2eec26c4498eb65ee6814b86c942e65b97a43ec8cd28ea20fc3b9e792769f553

SHA512
09c2572b19447b24129361e33b891ec6bdf9fd77143afc89aa7f22f16a96e9c693e87321323884e162b350b6cca1ae82081c90ab53014e1eb9b1338b94d3bdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\3NOX1LNHvams.bat

Filesize
208B

MD5
e0b877975a5cdf4af7d7471f24ec48b9

SHA1
b0bc4489df263c136c378832627d830ff8aefdc2

SHA256
2b933422bd91d1b2e0c9c43a13393c74c5640fd818f18b430270de18d6d5f949

SHA512
e348dbf5db01ddd510e7396b88e176c78d5efd3bac612d6c8fc2d4738ae6b504142c3216d29753245c70c393327953f8f3e1cc8c108f9e41dc548c40860b2fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dKX4JwieWjj.bat

Filesize
208B

MD5
0b19b3ea2663e884520715bd6d1cf725

SHA1
deecd8e20efca9c2d276569c350cf4fe8479a2a3

SHA256
248d443f3d9497ccfe581963c63c07ca5e89f751b39a955f6a7ffdbc1f5e2193

SHA512
aad45b3b03a17a329e49f8729e861705dbf5c94e3bf2cb33a2a6a8d576c50752b8a5a08ef6a08b7800743e76b8b9d79e59387cc8ae04499a3b0f501d2b536c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\NxBjlvQ9zQFG.bat

Filesize
208B

MD5
3ac3f613f4d912c36348043a96ea2ca1

SHA1
e9c375a7c7a58e6364096609440934a6a0cdd1a9

SHA256
6eca562c66af1ce6fe316b8c03519116e684cfc18fe6717c435400347a12c201

SHA512
0d99ffc1d14cfa5828190ed30267b6d639235dbbcfd7c2354f013c51f5583b31a1c693a27ec1aca5100518edadc1902def5548d2d57c2c6d1190c208e684d254

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSNdtfqPQF1I.bat

Filesize
208B

MD5
9bc2c7db5040c38e23c6d0bcaacdf72a

SHA1
0c5a5c377cfb2ad91bf7bf37eabb994740a62a87

SHA256
d819989c4321302d89e11bd24f7f67a7f4272bd368309beb474d83ceeec63f63

SHA512
a9fc3d9c7a44a1ae2838c79a1c3ddc86f8da91add665b2778f8d2274edeec61793bf4e85c44511fbd55a5635cd07de37d5b053815cdaefd0417b3eb9a0df6623

Download Submit
C:\Users\Admin\AppData\Local\Temp\YlnOajaJV4Af.bat

Filesize
208B

MD5
e15bab3263c10422553a7144ba47b551

SHA1
e7a0d61f156f67df6bb88fae9c1f50c59d465f71

SHA256
98f81f540a5b910f3636689f164ccf82a68601dba1f13477e0928521a829312d

SHA512
fc575d41d43246b095d706d40be3365fca42da907f492c3f2475dc55176444821cbdc0229f225ea0b6fd82279cc510549246c9d82feaa7d3cc64397f67d7ff19

Download Submit
C:\Users\Admin\AppData\Local\Temp\atwZWyrqtVRZ.bat

Filesize
208B

MD5
f7510328bb9b8404e77b69d084aed2c2

SHA1
9d40814d2a3bcfdf58cf3e3fc92c03b28e86057e

SHA256
f6fb9d9ca9cd0bb8362f37484d41c1ded9c3888d37f38467afb45597e8abd6fd

SHA512
7cb21e4437b9b7658c1baf49faf42efab09f7de88046c5d12cf72b26dfe7693d1b1ea9c1e85744be252937fd1d008fa3ef35443b8f981b9c7c4fec1b830bc4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQTQu7pq86X2.bat

Filesize
208B

MD5
e1fd8449fe4efdee9998c4dec5b1f7da

SHA1
c163c41d93fd7572eafac16cda9a6a3afce77f47

SHA256
e072e290955b07cf745e8806554a32ba134de4c1860264ad86bbb1ff7d11362e

SHA512
adaf2ebe794df1acfa85f3d723ce29447ad57c71fc7b9e3702abf23aa8987d6aeefcfed5ed6f520f8c37e6edf4fcf9fc456b678a05ec655a6737677c188c567e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4SN0rRryMzB.bat

Filesize
208B

MD5
a18368c99159ccacce954abe3d9b8622

SHA1
561fe407d83405045b7572e7a7e2c7636a18dc88

SHA256
2e0f450c422479ccef925a15629c02517b7f8fcc9203d71dbaa178119e4505e0

SHA512
948a4a483bedda0feda881a89d82359029bd5a555623fa6144dd9532e1e67c26391e236ea6f7e10fd256d3277cf42687029086f6105fb86e7d720a4c9f95d0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYAUUXnM8ThP.bat

Filesize
208B

MD5
c143afd497c1fa0f3bf9d8182a8c5657

SHA1
dca7e555b3dc4a971b5b505c47b470947b0b18a4

SHA256
ec2f3c7a1fdd1222472c1336e7f47e028635a60afa2cbc825fc3affe346390a2

SHA512
0cfef41836472ecc6a0e2d49b555e7a07e4c9da417c5f1e2896cbcb5e44c7e643a02dc89aee8848aa1acefb9ce77e0d78d59904fbee6a22712344b146f36aebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\z9F56Yfor35W.bat

Filesize
208B

MD5
d87946277c5a005db552f99d1b10520a

SHA1
7564b179faf3e2a0cb47268e26d0d8d7c392769d

SHA256
b0faefbf91b7c65a30689c8c98137d2615efc07924d0be67b09c25fd36904bea

SHA512
95aec4293c8228f1530c8b487c1ccaeb387172cf396ed1e16d9ceba2c1592d198a114085b1e68f4024d21cef831f77aced40723e8a29b83bea3483cf400531e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zjFyR6gZVMjj.bat

Filesize
208B

MD5
34f26b772fe9b6fc3a66f741f9b09c39

SHA1
5c90e94ad8c83f406e9ee1766fa78e314faa1b7f

SHA256
d33aa2a463c677d3974d6a060cc9549a043593a1fd19780ed612f68944647948

SHA512
1aa6871dfbaac248448ffa7ea44cc7acb431fcc98051244c78254f286ffd15cab26313a94254089c829b35818bcdc4a09ca773547864aad72b889e85fd991f54

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 481536.crdownload

Filesize
3.1MB

MD5
aad11067aa90b9d96958aae378c45747

SHA1
13dc757a06a092ab0ef34482c307604a67fd74b9

SHA256
2787d416bf228915debc5d9c9e058cc246f8da7217c706d8a1fe0cb788a9155b

SHA512
8a2fc9cfc72b7f9fb0ff54292022d738013813f222ebe3d7e54f1d916a6307d7652a5f4276d38550e6c515e637358b039a3f784e70a187e2d754b60eaff26813

Download Submit
memory/1684-171-0x000000001BAB0000-0x000000001BB00000-memory.dmp

Filesize
320KB

Download
memory/1684-172-0x000000001C0C0000-0x000000001C172000-memory.dmp

Filesize
712KB

Download
memory/4264-163-0x0000000000C40000-0x0000000000F64000-memory.dmp

Filesize
3.1MB

Download