quasar | 629d5525bebd5ed6d37a8c75e3c326647f9f8d5420e5b0a43dfade7563cc4024

Analysis

max time kernel
896s
max time network
897s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-de
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-delocale:de-deos:windows10-ltsc 2021-x64systemwindows
submitted
25-01-2025 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

43ba56942448efaf6200c561be3aa4cd
SHA1

26a8f505a3e1aee989c56b35cef729fc77b1c028
SHA256

629d5525bebd5ed6d37a8c75e3c326647f9f8d5420e5b0a43dfade7563cc4024
SHA512

59e0b28de0ca1d67a3654e84235222ab64f5a9f4818db32c5ee51e2270a2a9c954f64d4714a8040ada194c04a36d8ba6fa8d55296e297160cdc1e9f3fe976dfe
SSDEEP

49152:6vsG42pda6D+/PjlLOlg6yQipV9fBtIBxwMoGdaYTHHB72eh2NT:6v342pda6D+/PjlLOlZyQipVLtg

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.178.56:4782

tcp://5.tcp.eu.ngrok.io:13134:7771

Mutex

0552115c-2459-453f-980d-c60aebb9957e

Attributes

encryption_key
1DEED326568BA39A5A6D6473414A146E2A7F5724
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3436-1-0x0000000000420000-0x0000000000744000-memory.dmp	family_quasar
behavioral1/files/0x002900000004612a-3.dat	family_quasar

Checks computer location settings 2 TTPs 25 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 26 IoCs

pid	Process
112	Client.exe
4292	Client.exe
4768	Client.exe
4544	Client.exe
532	Client.exe
2768	Client.exe
1296	Client.exe
3372	Client.exe
1544	Client.exe
3824	Client.exe
2888	Client.exe
2812	Client.exe
572	Client.exe
3436	Client.exe
1856	Client.exe
1496	Client.exe
4996	Client.exe
4824	Client.exe
4640	Client.exe
2424	Client.exe
2904	Client.exe
1116	Client.exe
2524	Client.exe
4316	Client.exe
4284	Client.exe
1132	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 25 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1084	PING.EXE
4464	PING.EXE
8	PING.EXE
4128	PING.EXE
1924	PING.EXE
4980	PING.EXE
3524	PING.EXE
436	PING.EXE
4976	PING.EXE
1448	PING.EXE
3744	PING.EXE
2144	PING.EXE
4836	PING.EXE
5024	PING.EXE
4788	PING.EXE
3040	PING.EXE
1060	PING.EXE
2920	PING.EXE
2312	PING.EXE
4904	PING.EXE
2376	PING.EXE
3968	PING.EXE
4232	PING.EXE
4948	PING.EXE
2496	PING.EXE

Runs ping.exe 1 TTPs 25 IoCs

Remote System Discovery

T1018

pid	Process
4976	PING.EXE
4948	PING.EXE
5024	PING.EXE
8	PING.EXE
3040	PING.EXE
4980	PING.EXE
3968	PING.EXE
4904	PING.EXE
4128	PING.EXE
2496	PING.EXE
4232	PING.EXE
4788	PING.EXE
3744	PING.EXE
436	PING.EXE
4836	PING.EXE
4464	PING.EXE
1448	PING.EXE
1924	PING.EXE
2376	PING.EXE
3524	PING.EXE
1060	PING.EXE
2144	PING.EXE
1084	PING.EXE
2920	PING.EXE
2312	PING.EXE

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	3436	Client-built.exe
Token: SeDebugPrivilege	112	Client.exe
Token: SeDebugPrivilege	4292	Client.exe
Token: SeDebugPrivilege	4768	Client.exe
Token: SeDebugPrivilege	4544	Client.exe
Token: SeDebugPrivilege	532	Client.exe
Token: SeDebugPrivilege	2768	Client.exe
Token: SeDebugPrivilege	1296	Client.exe
Token: SeDebugPrivilege	3372	Client.exe
Token: SeDebugPrivilege	1544	Client.exe
Token: SeDebugPrivilege	3824	Client.exe
Token: SeDebugPrivilege	2888	Client.exe
Token: SeDebugPrivilege	2812	Client.exe
Token: SeDebugPrivilege	572	Client.exe
Token: SeDebugPrivilege	3436	Client.exe
Token: SeDebugPrivilege	1856	Client.exe
Token: SeDebugPrivilege	1496	Client.exe
Token: SeDebugPrivilege	4996	Client.exe
Token: SeDebugPrivilege	4824	Client.exe
Token: SeDebugPrivilege	4640	Client.exe
Token: SeDebugPrivilege	2424	Client.exe
Token: SeDebugPrivilege	2904	Client.exe
Token: SeDebugPrivilege	1116	Client.exe
Token: SeDebugPrivilege	2524	Client.exe
Token: SeDebugPrivilege	4316	Client.exe
Token: SeDebugPrivilege	4284	Client.exe
Token: SeDebugPrivilege	1132	Client.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
112	Client.exe
4292	Client.exe
4768	Client.exe
4544	Client.exe
532	Client.exe
2768	Client.exe
1296	Client.exe
3372	Client.exe
1544	Client.exe
3824	Client.exe
2888	Client.exe
2812	Client.exe
572	Client.exe
3436	Client.exe
1856	Client.exe
1496	Client.exe
4996	Client.exe
4824	Client.exe
4640	Client.exe
2424	Client.exe
2904	Client.exe
1116	Client.exe
2524	Client.exe
4316	Client.exe
4284	Client.exe
1132	Client.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
112	Client.exe
4292	Client.exe
4768	Client.exe
4544	Client.exe
532	Client.exe
2768	Client.exe
1296	Client.exe
3372	Client.exe
1544	Client.exe
3824	Client.exe
2888	Client.exe
2812	Client.exe
572	Client.exe
3436	Client.exe
1856	Client.exe
1496	Client.exe
4996	Client.exe
4824	Client.exe
4640	Client.exe
2424	Client.exe
2904	Client.exe
1116	Client.exe
2524	Client.exe
4316	Client.exe
4284	Client.exe
1132	Client.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
112	Client.exe
4292	Client.exe
4768	Client.exe
4544	Client.exe
532	Client.exe
2768	Client.exe
1296	Client.exe
3372	Client.exe
1544	Client.exe
3824	Client.exe
2888	Client.exe
2812	Client.exe
572	Client.exe
3436	Client.exe
1856	Client.exe
1496	Client.exe
4996	Client.exe
4824	Client.exe
4640	Client.exe
2424	Client.exe
2904	Client.exe
1116	Client.exe
2524	Client.exe
4316	Client.exe
4284	Client.exe
1132	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 112	3436	Client-built.exe	83
PID 3436 wrote to memory of 112	3436	Client-built.exe	83
PID 112 wrote to memory of 3284	112	Client.exe	91
PID 112 wrote to memory of 3284	112	Client.exe	91
PID 3284 wrote to memory of 2636	3284	cmd.exe	93
PID 3284 wrote to memory of 2636	3284	cmd.exe	93
PID 3284 wrote to memory of 4232	3284	cmd.exe	94
PID 3284 wrote to memory of 4232	3284	cmd.exe	94
PID 3284 wrote to memory of 4292	3284	cmd.exe	96
PID 3284 wrote to memory of 4292	3284	cmd.exe	96
PID 4292 wrote to memory of 3224	4292	Client.exe	97
PID 4292 wrote to memory of 3224	4292	Client.exe	97
PID 3224 wrote to memory of 2896	3224	cmd.exe	99
PID 3224 wrote to memory of 2896	3224	cmd.exe	99
PID 3224 wrote to memory of 3524	3224	cmd.exe	100
PID 3224 wrote to memory of 3524	3224	cmd.exe	100
PID 3224 wrote to memory of 4768	3224	cmd.exe	101
PID 3224 wrote to memory of 4768	3224	cmd.exe	101
PID 4768 wrote to memory of 3792	4768	Client.exe	102
PID 4768 wrote to memory of 3792	4768	Client.exe	102
PID 3792 wrote to memory of 3956	3792	cmd.exe	104
PID 3792 wrote to memory of 3956	3792	cmd.exe	104
PID 3792 wrote to memory of 4948	3792	cmd.exe	105
PID 3792 wrote to memory of 4948	3792	cmd.exe	105
PID 3792 wrote to memory of 4544	3792	cmd.exe	106
PID 3792 wrote to memory of 4544	3792	cmd.exe	106
PID 4544 wrote to memory of 3508	4544	Client.exe	107
PID 4544 wrote to memory of 3508	4544	Client.exe	107
PID 3508 wrote to memory of 3268	3508	cmd.exe	109
PID 3508 wrote to memory of 3268	3508	cmd.exe	109
PID 3508 wrote to memory of 5024	3508	cmd.exe	110
PID 3508 wrote to memory of 5024	3508	cmd.exe	110
PID 3508 wrote to memory of 532	3508	cmd.exe	111
PID 3508 wrote to memory of 532	3508	cmd.exe	111
PID 532 wrote to memory of 4468	532	Client.exe	112
PID 532 wrote to memory of 4468	532	Client.exe	112
PID 4468 wrote to memory of 2364	4468	cmd.exe	114
PID 4468 wrote to memory of 2364	4468	cmd.exe	114
PID 4468 wrote to memory of 4788	4468	cmd.exe	115
PID 4468 wrote to memory of 4788	4468	cmd.exe	115
PID 4468 wrote to memory of 2768	4468	cmd.exe	116
PID 4468 wrote to memory of 2768	4468	cmd.exe	116
PID 2768 wrote to memory of 4316	2768	Client.exe	117
PID 2768 wrote to memory of 4316	2768	Client.exe	117
PID 4316 wrote to memory of 4280	4316	cmd.exe	119
PID 4316 wrote to memory of 4280	4316	cmd.exe	119
PID 4316 wrote to memory of 3744	4316	cmd.exe	120
PID 4316 wrote to memory of 3744	4316	cmd.exe	120
PID 4316 wrote to memory of 1296	4316	cmd.exe	121
PID 4316 wrote to memory of 1296	4316	cmd.exe	121
PID 1296 wrote to memory of 3668	1296	Client.exe	122
PID 1296 wrote to memory of 3668	1296	Client.exe	122
PID 3668 wrote to memory of 2924	3668	cmd.exe	124
PID 3668 wrote to memory of 2924	3668	cmd.exe	124
PID 3668 wrote to memory of 1060	3668	cmd.exe	125
PID 3668 wrote to memory of 1060	3668	cmd.exe	125
PID 3668 wrote to memory of 3372	3668	cmd.exe	126
PID 3668 wrote to memory of 3372	3668	cmd.exe	126
PID 3372 wrote to memory of 4716	3372	Client.exe	129
PID 3372 wrote to memory of 4716	3372	Client.exe	129
PID 4716 wrote to memory of 676	4716	cmd.exe	131
PID 4716 wrote to memory of 676	4716	cmd.exe	131
PID 4716 wrote to memory of 2144	4716	cmd.exe	132
PID 4716 wrote to memory of 2144	4716	cmd.exe	132

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EZKDpVjP4fUe.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2636
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4232
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4292
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K4wYXqznfhLs.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3224
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2896
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3524
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qTvJ5VtIPmTV.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4948
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eW9jL3P46dyc.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5024
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FJ2q2OVRzzkA.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4788
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9OdWjygikbXy.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3744
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysW0t8Nu36Qc.bat" "
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1060
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K2mIDlOo1bax.bat" "
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6soezdbzf2cW.bat" "
        19⤵
        
        PID:4864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:436
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rhua2B0NAOiV.bat" "
        21⤵
        
        PID:4480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1084
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6FKzFhglLMTi.bat" "
        23⤵
        
        PID:4804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCyyqiFaRrKH.bat" "
        25⤵
        
        PID:1200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4836
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaqSvxkhHbNZ.bat" "
        27⤵
        
        PID:1784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2312
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q2tIjbRjgGqK.bat" "
        29⤵
        
        PID:3740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4464
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2FXpNHS7M22o.bat" "
        31⤵
        
        PID:2492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1852
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcSvuw9hWdaF.bat" "
        33⤵
        
        PID:2860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:3768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4128
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v0UiwClUuRDG.bat" "
        35⤵
        
        PID:4364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:4860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YU6CDGYqRdhH.bat" "
        37⤵
        
        PID:1640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:4864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1924
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lLM7eDYwdqNB.bat" "
        39⤵
        
        PID:1180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:3588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4904
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wtPibjcEnIBM.bat" "
        41⤵
        
        PID:1084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:3200
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwRQhW8IzvEl.bat" "
        43⤵
        
        PID:1288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:1536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4980
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4HnmhafZUIeg.bat" "
        45⤵
        
        PID:1396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:2480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3968
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGC3Dn3kcH7y.bat" "
        47⤵
        
        PID:3272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:3680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4976
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eh3Wisq6qWp9.bat" "
        49⤵
        
        PID:3288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:1904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2496
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkLVZ8aQrEdL.bat" "
        51⤵
        
        PID:2800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:1172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        52⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1448
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
7787ce173dfface746f5a9cf5477883d

SHA1
4587d870e914785b3a8fb017fec0c0f1c7ec0004

SHA256
c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

SHA512
3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\2FXpNHS7M22o.bat

Filesize
207B

MD5
76376c246be0db6f11df6e50a2727d97

SHA1
a48ceec76f999f44e35e7126aa0001cc79a20ca3

SHA256
5eda1517003958c5c369a4bfe14bed8ae1f716293fa1c8be27940f1052986f68

SHA512
318c102889c49eeeba209e4eac26efd832b301357e5a41cdd0c54f77c512a8675b9230eaa7ac1a6ae34c4121366f9dabdfc7b0a5ffb74d190bd709642c40f3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\4HnmhafZUIeg.bat

Filesize
207B

MD5
a4d7735018510b1b09a2e05b72dec4a4

SHA1
ce32062b8097bce450d02950b5c20c0184b05af0

SHA256
6cf12195f0e54972b9d8ae9fc126541546464a5eba6bd321c43ba533c0543c7f

SHA512
ea3182621055dfea554d2ed03977d8bcc19edb0f00a69e744a1223d4a7518283fa85bd80a8d46e40566429a267b7b2b0c5746efcfeadaf388c2678e7b3dfd626

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FKzFhglLMTi.bat

Filesize
207B

MD5
7b99d751a9c125a46f6727cde4e467d1

SHA1
c520c9bfbbfe73b9886dd6a7ea6815a364d879b6

SHA256
13e3dfc55c2f12dc193ec34da2ea1edc14ff165d37a1a55388998aec899205a5

SHA512
2c85bc5c119d5cf49228e0e44dbb671faf4d605c0c44d6742ca310357c7cf245b90b059dd5c2b366233192e96ad2f931be7ec683480be57bd5f42b417b1d1fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6soezdbzf2cW.bat

Filesize
207B

MD5
9ca7f17d96f469a2b4a4fc495c0be62f

SHA1
c8f8b4d405cf5e7609037836811e4c821f1cc3a3

SHA256
8511d7ba223b16d62fd6004170bf9c10ab29e5d9583aee5892f3940f66855c9b

SHA512
5b01b070cc1c98ecfcb927d58ba4f458a0ad1b879b49c6e4ab78b154b7763f93b31c414a3f7373973a566df4f08d76847fda45e7df67bb5e1c0d3920c776eaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\9OdWjygikbXy.bat

Filesize
207B

MD5
712609181dc0d5dc076df5afa6d44bef

SHA1
4f387ae88a4c766cb91d536fc9181cba4914fef5

SHA256
c9e6f660edf563ed6c9b1b2a8c001b6d633bedadd5f341b5aa3d07af02421a51

SHA512
3249760a28bec54ff16f753110eee3d869dfdca4223909edb0577a94c782e5fabc51547f29fc5bf3c0d7b8ece82d559688b025d99459e6a7f49c55c9b9de5308

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwRQhW8IzvEl.bat

Filesize
207B

MD5
d9bb13c14b56f2ac92079dde4f1cefe7

SHA1
31c37978e40cf26401dcf3ecb0403d3b8580c704

SHA256
cdd917c8f19865735aac51b6c672eff0d00838772796bbf156ae6598f07aa9d3

SHA512
d44922babc8e1a19a51aa98efce93a89a947d60be6815d179e095dea042bb90bc5be8a5eaa6b9ef42366855e7ced370bcce196b3c59bdd7c673acbc043436f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\DGC3Dn3kcH7y.bat

Filesize
207B

MD5
fa9abc56c10555262d05e13d4d035355

SHA1
6616369dd7bdd98f004cf9d6ea02feaf3fc67c91

SHA256
fd9f3e1ebbd1b04ac9780f5e534c796b880c393b5cfcb731b42ba443127f4a5c

SHA512
dd580ab1fe6612a9deff50f7f2da37aeb37686bedc556c53602e2456140d03de947dbc705f12e8cc0fce9296e67397b32de629cb7cd09cea6215a60b1aa8228f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EZKDpVjP4fUe.bat

Filesize
207B

MD5
caf4130d60d5fde3af11aa7e965943c1

SHA1
95f6cc53e49c0fcac513a49003e82dd40977b818

SHA256
a3cc43b8aa9440c1644ad098d955fe204bd539f835e8cc4c5ddf821038b5b65c

SHA512
b0778deb8a9ce2519c39f0062ff376ab0f186914e90669892196c3a52190274e467dc15cafa4bb8913218c6ea34491bead3c51ffecc5527acbd85064d594d876

Download Submit
C:\Users\Admin\AppData\Local\Temp\FJ2q2OVRzzkA.bat

Filesize
207B

MD5
2230d7c18755db3f85373dcbd32f1d19

SHA1
69544deb5313440cf6050d2ea783c65d8de1619d

SHA256
4ba077c8430fff2a69077cf8886b3cbfb5c5607f1f531a6015f6c8ad1cb4a8a3

SHA512
f892f33d1cb5594dabd57581b9a4543a0765bcb044fda1be7c27060b07693eb76acbc310822329a17c7776c772109eac1f015951fcbc1c21601ee5067d5fa59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaqSvxkhHbNZ.bat

Filesize
207B

MD5
6ce3326ce6807c7b9412ee36cff48215

SHA1
dfeece5ff3cdf152a8679a125b6045108ea4afcd

SHA256
512ac28f3045f4c11c9a9d3c0c39d36629f9c7199f7fe421ef8635b793495e7f

SHA512
4e4ff528679d77d887ba6f74c74b9b84a665afe955e12edebc57d6baf102f399fe790e5315dac3a749801fe4bb99f15e80db36eb30573247df1ebf423355bcfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\K2mIDlOo1bax.bat

Filesize
207B

MD5
cf2f9c6fa19becf8b380a405c6d72c70

SHA1
7254e2ff022cadf1253b9489d77e6257b86db86f

SHA256
e083434d6b2cbf9f73c0a70f6b51a56ae9ed2ebfbd97c2e21b53e5eebc63fff8

SHA512
cd1455c85929b4c4caf9bbac5beb5933f93af855e559d8019b99f5eb6922a97c6b3e949d25056c29bd62bfccab45ef58405439b97e6b6205b585802253458433

Download Submit
C:\Users\Admin\AppData\Local\Temp\K4wYXqznfhLs.bat

Filesize
207B

MD5
8af916d86ca483f1771983e8828425a5

SHA1
3b88698009595c6a3fa7804d6431e8c23c5698e1

SHA256
cefc24c143d6f31e718ef0254945ee991b6815e6fb1c8227946dd008c7d56843

SHA512
41bf10c45ac847548c9aa877fbe7f9a321d49f6d49d0fe8da5ffbf718d786b81aa59106e28e022cd5a18dad6494180b99d1a07662af880a42dcfd4ea988eb0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KCyyqiFaRrKH.bat

Filesize
207B

MD5
dba866e9d354766725bf501402b597ca

SHA1
4851def23ecf105b1a0599e03bf7ba317394fc41

SHA256
320fee2ac9d150550661217a8bf7971ea4881d312e3e0b0b83020d61985cbe1d

SHA512
dddbb2b0909b83343e65762b48d79c3ce2905bfeef8e37f953c97d63f0e2d17b3c392d0f98b8e99db12ccb7cf9337b5fa28220d4ae15123620a95bcaa9797bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rhua2B0NAOiV.bat

Filesize
207B

MD5
8e0abd98d991fd20223b7985973b4faa

SHA1
6d0e96e22488ce2cf92a58e8880ed5ca0e0b8a99

SHA256
f144c3eec8f0ffb5f2af75decffd8e0829aa6bded7954d9d161a353315cae18e

SHA512
a7bf9660c35edd02ae9cdce0cf93b5e8fa57944a61bb6fab2a77644b970cc101e6b7b6c67c70dc3b201a51fa9a6a581bd11fd0eceaf103a75b371db0feb9e0d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkLVZ8aQrEdL.bat

Filesize
207B

MD5
14e5d1233f77e83f2c0d5d54454d54ca

SHA1
737873acb810a2b54426cc1a24940d32aba17c0c

SHA256
cfc9deb1ebd75b434a67694b411b1c723774602f60bd389270503684f6f3eeb3

SHA512
d58e28070f89bd24b7dd3cf566e3502e3230a0b6988edb6b12e2d1d8e31d7a6dcd390fcdd596fb84e58169d8a2ed12dca58e5e9db3f55c1783a2535e850770cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TcSvuw9hWdaF.bat

Filesize
207B

MD5
217d71e7e3e624b96b57f0ef336e0cfb

SHA1
735833547c471d9a675b58185e422b09444b926e

SHA256
1a87d6beb3bb7d6d6bb7f0e61ee8e674956df297a92e4d113aee5cbf4096b0c5

SHA512
d8ca9d22ecdc4a62309ac2ebbb03ebb5a36460af162da99532f2c84bc423a78b4de86282ac1924644f4ff8a378f27999baa91fe7253feee2366d5f02c9b32439

Download Submit
C:\Users\Admin\AppData\Local\Temp\YU6CDGYqRdhH.bat

Filesize
207B

MD5
2184f4d2bf6617e7757e837e3fe173a4

SHA1
bb0b564a183576ca1db827a56a5f0111ccb43ad4

SHA256
1c8596edea30a827adbcfff8fdac9f00f9bc0850ee954281d68172cbbe88ff75

SHA512
7c5f148d853c97904c22c2394e6e1c20ba562a95d1ed9258309715b6054e3cff0423499d5fc2d1dc216bcec056cdbada60fb3b15d641f3ba66e80967461f1f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\eW9jL3P46dyc.bat

Filesize
207B

MD5
a9e6176255137ceca1325c862bea607c

SHA1
c03085fe0d7027e1dc244a58e96a75f87d06b0fe

SHA256
125edc1da7eb3f57130f9d89bf4dc4b4a9bb15bf957130b0593cbcb11b8aec98

SHA512
2a56e8a03e2d5e557c875607038277ad2014724f5f8395b1173ef8c380465ee9ac8244bc037601447c2ab2e9c4c87191af3ccdf847a73731a7a9e73a084f2f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\eh3Wisq6qWp9.bat

Filesize
207B

MD5
78f9b0257e5e0afae7c70613b58e4f1b

SHA1
e8907977509e25a6178c0b5f6130dd63f3466c8f

SHA256
612e28e801e71f0616c17d621c5977791b8fd3b687c8bf559223af467d094b10

SHA512
a89a89c534dedc5e7c6d778e13f09b9e8e83a663530b23e185ea691d8ce8322f63b4bfe9d4928268de3c39e836497132f646cff03a5dc36085ab55fb5f45c57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lLM7eDYwdqNB.bat

Filesize
207B

MD5
98e672923afc485fbe5c98f3963c18bd

SHA1
74e4c5425fc02532264087e2dfb1c536a4180f7b

SHA256
c820aa17aecf221d40ce78096304f3bb09cbf92b6f1a137317a40b119fbdf512

SHA512
c5586b11199790fc0fd651f2879942e8b75169b2d199705f74029dfeeec5022e061d8abf50132acd43e9a18b3425888235b61e2ae43dbad2eede0d69d23c2a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2tIjbRjgGqK.bat

Filesize
207B

MD5
12ffc665738a9ee9c4907d2504236d5c

SHA1
3e1ad5eb5ed079c5930f8dd3d3ba5e859c126f01

SHA256
617b6eda1444204f6a98efcc7a5caaabaabc4cfd266e5d5b86c9803e50191429

SHA512
47bf97553b5633d97e40878edb8177c1282ae606131fb0dea6f9e7b8884e7f1344cfb4eb843adba8e7bc341a84ad68948898e76d3b328bea56cf05c60a15965a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qTvJ5VtIPmTV.bat

Filesize
207B

MD5
3ee5a73f1cdec89fe83316d89419a570

SHA1
9e11a75d8ec0663ecdd40382d484b7890af557e4

SHA256
bfbb803d562ee8d7f4f68257765db741388b52bca2461f72d31905c038468baf

SHA512
05f2ae892eafab9164571eb2ccd4494dc4a54ae6dc07887cff4d93d9b8812eacbf4a0b28e116e4f47db54fa792b29383b5299ae77243bbfa8dbfa9529bebd8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\v0UiwClUuRDG.bat

Filesize
207B

MD5
0971f2711b012e82cf1b66d84610399a

SHA1
4f135534b5b8b515c45b49d87e678c90d5591a0d

SHA256
fd4547786f765016a6683e60aa75749ebd264e5dc1458f07d1340d1fba265d05

SHA512
75c76d60befbafc851779e1ecd3134244a466b5ad1823eeabf1ddb8fcfc0a3af43131dd2928982cb400d8c36dc086e067cba4fa47f70bb3067f4d4cb6e0c33b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtPibjcEnIBM.bat

Filesize
207B

MD5
6319229d5037d6efd31b78e331f17929

SHA1
37b40887f5ea435288b4f0ab12e639f61e3d6e8b

SHA256
9458172c607dd5e1bf882ee5a47110cc512a8477290484cdc9fcdbd5ce0ed4ae

SHA512
369cd43d5c5827c72ac778c2c2b307241c490ec425e17413fafc3f37fe370c72dc0b3777e372c7ff0cf57e8a98dcba8fd5748d3c5af8fbff6613bcb0f0b780ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysW0t8Nu36Qc.bat

Filesize
207B

MD5
f5ccd6d33db8c6a96ef8176ddee7bd52

SHA1
a7a0990de4b6eafdbf4979d295acb1f9aae10b6d

SHA256
66c1a74a820178ae475f46d547b6d47ad112da2507dc18af8cef02e7a1c3e7d4

SHA512
db5f8a90432d3fc681b0dfe8969fb2b21b413a53af947a6d3fe8986b457b5e85f5425cb6aec80e809ca6b869830279b815eeb476b7ef257eee1f6b35005dd254

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
43ba56942448efaf6200c561be3aa4cd

SHA1
26a8f505a3e1aee989c56b35cef729fc77b1c028

SHA256
629d5525bebd5ed6d37a8c75e3c326647f9f8d5420e5b0a43dfade7563cc4024

SHA512
59e0b28de0ca1d67a3654e84235222ab64f5a9f4818db32c5ee51e2270a2a9c954f64d4714a8040ada194c04a36d8ba6fa8d55296e297160cdc1e9f3fe976dfe

Download Submit
memory/112-18-0x00007FF9E5F40000-0x00007FF9E6A02000-memory.dmp

Filesize
10.8MB

Download
memory/112-10-0x00007FF9E5F40000-0x00007FF9E6A02000-memory.dmp

Filesize
10.8MB

Download
memory/112-9-0x000000001D610000-0x000000001D6C2000-memory.dmp

Filesize
712KB

Download
memory/112-8-0x000000001D500000-0x000000001D550000-memory.dmp

Filesize
320KB

Download
memory/112-7-0x00007FF9E5F40000-0x00007FF9E6A02000-memory.dmp

Filesize
10.8MB

Download
memory/112-5-0x00007FF9E5F40000-0x00007FF9E6A02000-memory.dmp

Filesize
10.8MB

Download
memory/3436-0-0x00007FF9E5F43000-0x00007FF9E5F45000-memory.dmp

Filesize
8KB

Download
memory/3436-6-0x00007FF9E5F40000-0x00007FF9E6A02000-memory.dmp

Filesize
10.8MB

Download
memory/3436-2-0x00007FF9E5F40000-0x00007FF9E6A02000-memory.dmp

Filesize
10.8MB

Download
memory/3436-1-0x0000000000420000-0x0000000000744000-memory.dmp

Filesize
3.1MB

Download