quasar | 721b0ad028617eb15d6311867b92973344e6afe6fa4a338e829a242a29761f83

Analysis

max time kernel
150s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
05-02-2025 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

host.exe
Size

3.1MB
MD5

966ff6505aaaec66e7ecde8655367a4e
SHA1

d229f5cb24314c9ef286758afbfbc9d7749b5f53
SHA256

721b0ad028617eb15d6311867b92973344e6afe6fa4a338e829a242a29761f83
SHA512

223c5fc1876d1cbe9b6d73641d92cd168a2b9ab26dfbf3ff16f92aac03efe4dc7b123a8ef30bf0208b13fbf0817b465ed7ed1c4d3c4935d14259ccb0fa9e0f0f
SSDEEP

49152:7v/lL26AaNeWgPhlmVqvMQ7XSKTxOEMkDk/JxfoGdjTHHB72eh2NT:7vNL26AaNeWgPhlmVqkQ7XSKTxy9

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

griskid-49933.portmap.host:49933

Mutex

fd801fd9-6e9f-4d50-974a-9131faba7017

Attributes

encryption_key
DA5B8AF9246177D1A878A01AB790DFD8E6C5562D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/4400-1-0x0000000000530000-0x0000000000854000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 30 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4904	PING.EXE
2844	PING.EXE
1324	PING.EXE
1892	PING.EXE
2672	PING.EXE
5744	PING.EXE
1652	PING.EXE
1764	PING.EXE
416	PING.EXE
6084	PING.EXE
3464	PING.EXE
6052	PING.EXE
916	PING.EXE
5540	PING.EXE
4232	PING.EXE
4404	PING.EXE
5200	PING.EXE
436	PING.EXE
4068	PING.EXE
4812	PING.EXE
1676	PING.EXE
6028	PING.EXE
5428	PING.EXE
2868	PING.EXE
2088	PING.EXE
2776	PING.EXE
5932	PING.EXE
5552	PING.EXE
5240	PING.EXE
6088	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Opens file in notepad (likely ransom note) 4 IoCs

ransomware

pid	Process
4172	NOTEPAD.EXE
4236	NOTEPAD.EXE
5228	NOTEPAD.EXE
236	NOTEPAD.EXE

Runs ping.exe 1 TTPs 30 IoCs

Remote System Discovery

T1018

pid	Process
2672	PING.EXE
2844	PING.EXE
5744	PING.EXE
1652	PING.EXE
6052	PING.EXE
6088	PING.EXE
4904	PING.EXE
2088	PING.EXE
5200	PING.EXE
4812	PING.EXE
2776	PING.EXE
2868	PING.EXE
5932	PING.EXE
416	PING.EXE
5428	PING.EXE
1764	PING.EXE
1892	PING.EXE
6084	PING.EXE
6028	PING.EXE
4404	PING.EXE
5540	PING.EXE
5240	PING.EXE
1676	PING.EXE
3464	PING.EXE
436	PING.EXE
5552	PING.EXE
4232	PING.EXE
4068	PING.EXE
1324	PING.EXE
916	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5608	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	4400	host.exe
Token: SeDebugPrivilege	5228	host.exe
Token: SeDebugPrivilege	5608	taskmgr.exe
Token: SeSystemProfilePrivilege	5608	taskmgr.exe
Token: SeCreateGlobalPrivilege	5608	taskmgr.exe
Token: SeDebugPrivilege	1692	host.exe
Token: SeDebugPrivilege	1420	host.exe
Token: SeDebugPrivilege	1028	host.exe
Token: SeDebugPrivilege	2168	host.exe
Token: SeDebugPrivilege	4240	host.exe
Token: SeDebugPrivilege	1192	host.exe
Token: SeDebugPrivilege	3740	host.exe
Token: SeDebugPrivilege	4292	host.exe
Token: SeDebugPrivilege	3668	host.exe
Token: SeDebugPrivilege	5904	host.exe
Token: SeDebugPrivilege	4700	host.exe
Token: SeDebugPrivilege	5716	host.exe
Token: SeDebugPrivilege	3244	host.exe
Token: SeDebugPrivilege	5700	host.exe
Token: SeDebugPrivilege	1692	host.exe
Token: SeDebugPrivilege	2428	host.exe
Token: SeDebugPrivilege	1508	host.exe
Token: SeDebugPrivilege	1688	host.exe
Token: SeDebugPrivilege	2072	host.exe
Token: SeDebugPrivilege	5148	host.exe
Token: SeDebugPrivilege	1600	host.exe
Token: SeDebugPrivilege	4804	host.exe
Token: SeDebugPrivilege	5452	host.exe
Token: SeDebugPrivilege	3468	host.exe
Token: SeDebugPrivilege	5288	host.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe
5608	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4240	host.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 5308	4400	host.exe	77
PID 4400 wrote to memory of 5308	4400	host.exe	77
PID 5308 wrote to memory of 5588	5308	cmd.exe	79
PID 5308 wrote to memory of 5588	5308	cmd.exe	79
PID 5308 wrote to memory of 1676	5308	cmd.exe	80
PID 5308 wrote to memory of 1676	5308	cmd.exe	80
PID 5308 wrote to memory of 5228	5308	cmd.exe	81
PID 5308 wrote to memory of 5228	5308	cmd.exe	81
PID 5228 wrote to memory of 5968	5228	host.exe	82
PID 5228 wrote to memory of 5968	5228	host.exe	82
PID 5968 wrote to memory of 5868	5968	cmd.exe	84
PID 5968 wrote to memory of 5868	5968	cmd.exe	84
PID 5968 wrote to memory of 6084	5968	cmd.exe	85
PID 5968 wrote to memory of 6084	5968	cmd.exe	85
PID 5968 wrote to memory of 1692	5968	cmd.exe	88
PID 5968 wrote to memory of 1692	5968	cmd.exe	88
PID 1692 wrote to memory of 220	1692	host.exe	89
PID 1692 wrote to memory of 220	1692	host.exe	89
PID 220 wrote to memory of 1240	220	cmd.exe	91
PID 220 wrote to memory of 1240	220	cmd.exe	91
PID 220 wrote to memory of 6028	220	cmd.exe	92
PID 220 wrote to memory of 6028	220	cmd.exe	92
PID 220 wrote to memory of 1420	220	cmd.exe	93
PID 220 wrote to memory of 1420	220	cmd.exe	93
PID 1420 wrote to memory of 4100	1420	host.exe	95
PID 1420 wrote to memory of 4100	1420	host.exe	95
PID 4100 wrote to memory of 4776	4100	cmd.exe	97
PID 4100 wrote to memory of 4776	4100	cmd.exe	97
PID 4100 wrote to memory of 5428	4100	cmd.exe	98
PID 4100 wrote to memory of 5428	4100	cmd.exe	98
PID 4100 wrote to memory of 1028	4100	cmd.exe	100
PID 4100 wrote to memory of 1028	4100	cmd.exe	100
PID 1028 wrote to memory of 1884	1028	host.exe	101
PID 1028 wrote to memory of 1884	1028	host.exe	101
PID 1884 wrote to memory of 2528	1884	cmd.exe	103
PID 1884 wrote to memory of 2528	1884	cmd.exe	103
PID 1884 wrote to memory of 2776	1884	cmd.exe	104
PID 1884 wrote to memory of 2776	1884	cmd.exe	104
PID 2168 wrote to memory of 5772	2168	host.exe	108
PID 2168 wrote to memory of 5772	2168	host.exe	108
PID 5772 wrote to memory of 2584	5772	cmd.exe	110
PID 5772 wrote to memory of 2584	5772	cmd.exe	110
PID 5772 wrote to memory of 3464	5772	cmd.exe	111
PID 5772 wrote to memory of 3464	5772	cmd.exe	111
PID 1884 wrote to memory of 4240	1884	cmd.exe	112
PID 1884 wrote to memory of 4240	1884	cmd.exe	112
PID 4240 wrote to memory of 5148	4240	host.exe	113
PID 4240 wrote to memory of 5148	4240	host.exe	113
PID 5148 wrote to memory of 3324	5148	cmd.exe	115
PID 5148 wrote to memory of 3324	5148	cmd.exe	115
PID 5148 wrote to memory of 436	5148	cmd.exe	116
PID 5148 wrote to memory of 436	5148	cmd.exe	116
PID 5772 wrote to memory of 1192	5772	cmd.exe	117
PID 5772 wrote to memory of 1192	5772	cmd.exe	117
PID 1192 wrote to memory of 5464	1192	host.exe	118
PID 1192 wrote to memory of 5464	1192	host.exe	118
PID 5464 wrote to memory of 2912	5464	cmd.exe	120
PID 5464 wrote to memory of 2912	5464	cmd.exe	120
PID 5464 wrote to memory of 4904	5464	cmd.exe	121
PID 5464 wrote to memory of 4904	5464	cmd.exe	121
PID 5148 wrote to memory of 3740	5148	cmd.exe	122
PID 5148 wrote to memory of 3740	5148	cmd.exe	122
PID 3740 wrote to memory of 4464	3740	host.exe	123
PID 3740 wrote to memory of 4464	3740	host.exe	123

C:\Users\Admin\AppData\Local\Temp\host.exe
"C:\Users\Admin\AppData\Local\Temp\host.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dHRTS4oXhOMd.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5308
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5588
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1676
- - C:\Users\Admin\AppData\Local\Temp\host.exe
    "C:\Users\Admin\AppData\Local\Temp\host.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCQJ0pjU0DJG.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5968
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5868
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6084
    - - C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VG41jvYaTRPS.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6028
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t3P4LCxv2TNh.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGw3OJ6rHtW0.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3Bxg2hh45TeO.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uZAwJn8dbMnm.bat" "
        14⤵
        
        PID:4464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WY92n2durrth.bat" "
        16⤵
        
        PID:4944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:5956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGAVQVMyGVOp.bat" "
        18⤵
        
        PID:3144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D6cHh0D9DuS2.bat" "
        20⤵
        
        PID:1584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:5728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kvfQYv4pkNOm.bat" "
        22⤵
        
        PID:1572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7sAAPDTz8uCJ.bat" "
        24⤵
        
        PID:3156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWh0vpYnO4ux.bat" "
        26⤵
        
        PID:4000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2200
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIBmjHkYb9X7.bat" "
        28⤵
        
        PID:3764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:3376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QV7JT2QkvKe2.bat" "
        30⤵
        
        PID:4400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:3968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:916

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5608

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\host.exe
"C:\Users\Admin\AppData\Local\Temp\host.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2iKST28dTy63.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5772
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2584
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3464
- - C:\Users\Admin\AppData\Local\Temp\host.exe
    "C:\Users\Admin\AppData\Local\Temp\host.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W890MaW61WNv.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5464
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2912
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4904
    - - C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4292
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jW1m5QiBxrq8.bat" "
        6⤵
        
        PID:3820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3pqehNjQXSUz.bat" "
        8⤵
        
        PID:3176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xL1IjPYptimy.bat" "
        10⤵
        
        PID:4116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9eLnxMMsqJz6.bat" "
        12⤵
        
        PID:4684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:5968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEhnsT8MzTrW.bat" "
        14⤵
        
        PID:3140
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2320
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyETyFnFIdjE.bat" "
        16⤵
        
        PID:5376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4308
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKkMpW5bMMrd.bat" "
        18⤵
        
        PID:1736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6052
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NHWG9L9aFGTH.bat" "
        20⤵
        
        PID:708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:5936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\host.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fPVolL9PAoZt.bat" "
        22⤵
        
        PID:3516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6088

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\3Bxg2hh45TeO.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4172

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\3pqehNjQXSUz.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4236

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\AGAVQVMyGVOp.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:5228

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\D6cHh0D9DuS2.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7sAAPDTz8uCJ.bat"
1⤵
PID:5476
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2712
- C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wyETyFnFIdjE.bat"
1⤵
PID:444
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1220
- C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:416

C:\Users\Admin\AppData\Local\Temp\host.exe
"C:\Users\Admin\AppData\Local\Temp\host.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4sr6gX9xCqzR.bat" "
  2⤵
  PID:5708
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5952
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QV7JT2QkvKe2.bat"
1⤵
PID:5124
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1116
- C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\host.exe.log

Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2iKST28dTy63.bat

Filesize
201B

MD5
2bb13c0e0f9dd32e395241cabbc921a7

SHA1
9423130de789d28a2697b90902df6b7afed05b7a

SHA256
3d9762def73a74d918cd76455b4abf70156347dbbd4fb89a7e1921f3727f1466

SHA512
2a726e3527956bece621ba319fc51c86f85c1a0d72fe6618f5eee1ef2928577d9d6adecde323807469409f16e61d09d05f0a79ce8c49a9ecb1ca315240452b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Bxg2hh45TeO.bat

Filesize
201B

MD5
24b67e2d239ed30b507a21a6dd8e6471

SHA1
f517642adfac793fa6e2574147652309be9fc234

SHA256
a0186512bd6aad937922e50a14e14f86c1e2c569a33fdf134ac9efd9ff3be66a

SHA512
96404756fdc120db4d52a0993e82237a20ad14182cace131029b8a06dd9f0e2ce74990f05e13a690f6265f4e570475cb6b9079aff6dbd4694c965e5f385dbfb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3pqehNjQXSUz.bat

Filesize
201B

MD5
7c4294832ccffb4df2905418baa302c9

SHA1
79a2b147e3d35e5215f31428d238073d38d5a261

SHA256
0bcf90c8b5615beda3f21f3c69b291ce071a40ddfa97e287dd45cae8975fc832

SHA512
8fcb2b679a6b68fcb29c965c93f42ab8a9acab3f0d1caf0417974dacbcd7f0336ffe15680166f051090506f10d20e3c2974c71ac544d1f83beb5b4e00e32de75

Download Submit
C:\Users\Admin\AppData\Local\Temp\4sr6gX9xCqzR.bat

Filesize
201B

MD5
23ccea2ec4c3692cb4cde2bd6e5b8596

SHA1
7d64dd406066ba1cc047959ea336b62f803ab4a9

SHA256
4550b6bb12cb78882d2cdf549b1533a31a415dccbb765aac0f7e15755f01fb47

SHA512
5b6de14cfc9de35babfa557cfe27941d89f550fa8ed232424c2251f21eedad938c46a4749ebd65af4aa5d3bd2f9dbcd6767987651cfdc1307cc0570b4e9192a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7sAAPDTz8uCJ.bat

Filesize
201B

MD5
6cf8b77c61f97c0834b4cfdd24294821

SHA1
256a68c96d78f6f468f01d19027404cefc1f06ce

SHA256
e5961beb2ec001bdafbcbfaf5d8a315a08f87c224bccfd748f99e6f2a8c71eef

SHA512
b92b07dc7e59c9b49595b7db2918e5372a68bc046e942bd3e8c032d4ec5e121d1c22484034006fb56051713b0ba27e0a120e0c7972e98fcc0c8e2e56d1698269

Download Submit
C:\Users\Admin\AppData\Local\Temp\9eLnxMMsqJz6.bat

Filesize
201B

MD5
f8469e87f1d34779a70dad6deffd1dda

SHA1
14146e6b219c15bce616eeda461b4160701b7439

SHA256
57f72d7552241220cebdb0e3a798d137890b6e91454de6f6d589e145be4aa446

SHA512
35802f8d3bd9f6b3e25dc56e8091622b51ee26df721afeac2d47f1ebc12afdbeb7d0fe39d2cb8c34402e5f8eecb26fec653d489216ba9e712f594be3ee7956fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AGAVQVMyGVOp.bat

Filesize
201B

MD5
9304cb989df4ac6b87ada84440a7c016

SHA1
9a9cabfb8056707ec4aba95c11dbf58e22e278aa

SHA256
ae8d7e8b83f1f0b54b017a1dba0818535e828ff24be7aba2f8b89cbb9af395e9

SHA512
325d0e26aafd18da9b0cff4066bfe57ea607bb9c1ad002df9fbc783a7ddfaff403bbdab909b8ca8cebe5a5ac257c60d3d7eb0812433b048415ea637400884639

Download Submit
C:\Users\Admin\AppData\Local\Temp\CKkMpW5bMMrd.bat

Filesize
201B

MD5
14723efe79f57e06338fd894f0f5439e

SHA1
c19595cc0eb86c5e5e464dabe6483911c038ff34

SHA256
9c1c8a3eea85ba69f2da279c11ee52f91d601d925027b32a2dcd589be89b0d34

SHA512
18d8e90b8a9a1ea73b1b3c616ea879029d2e38cc0976092229bee9fab60bc40bb3d88aebc8bc4dbc480a3b98c7611839c80223fe3aece5138b63561493f999fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6cHh0D9DuS2.bat

Filesize
201B

MD5
fe9c4b4ccf847a6dbbf403b850ca2d6b

SHA1
4228d0f3b35582afd6a3de5667bb29a319c413e1

SHA256
2652d42bec93d5d3a012102ea8a5ae67dd8c816e67294443a0da68fd59b52a65

SHA512
a1305b6bff2772c199d2fcb5248cd9c339ce5c51a52f870f7d6e93b15c62cac51343c19cbf895d7a57da0e1500a1c3f25fa5066218523d577f6d3c00d5183d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEhnsT8MzTrW.bat

Filesize
201B

MD5
9e5e2d2f3779e4f786d0cdb023943ca7

SHA1
a72fad9463876210ab9e66f5974dfe58a8aa9254

SHA256
578db33a90e172ffd1a4588e5b373101545fa78137f218f7667b7c0b6371a379

SHA512
a5919fa54fb80081ebd4b4c64b9609497abd5e21f1f9a6acdb0509b755012b894c2b58d80fa296d06dd569deea13f1d82b416ece7d510096256b002bbf989769

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGw3OJ6rHtW0.bat

Filesize
201B

MD5
db8a9087bf447b5a07edddfa7d15e00a

SHA1
b69d36b55ec7b728d5daceaf435d589fb18f78dc

SHA256
e2f8b88294ecd8bd29ea9c91ae5949b362844bcab360fbcf0f6653b93cb71389

SHA512
7ea966cbdf58716bacc7dd3bf894a41a0d78221b21ad70cdd359c72c708ba0cb12818ac053c07aa697b133da42e3868ce21a635fa71e1c1956ab93fa7bbbb791

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHWG9L9aFGTH.bat

Filesize
201B

MD5
822ed387688756d4202f17da247e732d

SHA1
40209888c5b8b03b47f6978aabe7b256b353c77d

SHA256
65b607a80bc9a956e518746a26b75d737c41a625912922174f9867d5f46b7911

SHA512
55a562902a479e37a0b4600b17aa74932336ab58194af43b25c69fc96fe740d1c51f63b54cefde0857e685c566f43a0db428792fec28a91836ea6bfcaf4b3d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\QV7JT2QkvKe2.bat

Filesize
201B

MD5
34c65b013d470f802a5ee17062242ee1

SHA1
61f992ff9b869cd6212d31ab48bae5c7f8572d93

SHA256
1389a82e1df18dc9acad6c9328e71cbde4e0e1564e75e54785381825c0608758

SHA512
443dedbc78614d892a28ced212e123a2043391cc1256b2195181d0da595b22e41ae07c8db863ba63649c5100cf25a837305b5b9c59bc6c48820ae20a51957a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VG41jvYaTRPS.bat

Filesize
201B

MD5
13a4cfee4a3b333b2a60a59544f8129f

SHA1
befa1a4b33e6ab678b1add12db6a5a12541f866c

SHA256
61e5238cdf86ca83e7be0f70d1ec8ef53e62efcc57f261d70e9a5c63e1438e6c

SHA512
113e71eb67ce490c81225ff2b6b6323a80ec1f1348e6a8dc7191098e6b9c69f85eb286bde46fcb6a5d779ebb7ed642dede865e90be78f0ad2aee07725df9cfb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\W890MaW61WNv.bat

Filesize
201B

MD5
d5d821d5c61dfd9b2991560704d10396

SHA1
0a7b50204ede04673b72598ee8cbc85e5774179e

SHA256
b22484b25ae7bdedac8e5f0dd19b52f7dd6cd6a77043d3ee2957c4fe6a01c597

SHA512
9eec6f154d6c55eceb6aceb095d43c9b500fe7aac806963ddbb947cecb628049e5ebf19897b4c7168b148015f4fdeea1d5806f62a751fe107add832690be21fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WY92n2durrth.bat

Filesize
201B

MD5
70dec1c2869234871c8b1d4dfaa12dfc

SHA1
2c120765faffd59ab6a5b199b106fa7fcaaeee57

SHA256
7b1181e82e7d9272e0292e1ae494a2529bf316bcbb8428990444f4ae8676759d

SHA512
b2aa1bfdd44b574139a845dbcee2f444d3ad85687ea4df8158eb8b8f333226094f9885df10cc6d09fb87e87746887b19d7b084811dc122020fcf91abfd41242b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dHRTS4oXhOMd.bat

Filesize
201B

MD5
620d698bdec0aae301a1a0f1182b3165

SHA1
30ea3315ea0fc2070981b4236ec3587e1ac1cfb2

SHA256
30fb4f57b5a5771a8d7bde94d6a1729d3dcabbc3e604a0cea354b00c9c673d54

SHA512
66c4f0f89395423c12d85ece4df9c6ab0430495bb868cca7f250fd9968eaeaf898a1b9f9be7b8726c1429c150c9bb06015c84598c47d4f3eb014bdeb0ac7308b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fPVolL9PAoZt.bat

Filesize
201B

MD5
cff37a0aee9f84ccf1f84e0ece0ab277

SHA1
9facfc2126d2f622c4d396fca3198d0648f111d3

SHA256
5873d488bc3fa63aebeaf712d225d7bed9c5e9230788a30a2bfa6cbe02b8a23a

SHA512
96a709a0231883587591c0862df6e06a8a6193b79ccf45fbfc25f5172b7de6e029f99248dae8b5bb8ecdd200e056efa8f2785fd45e4979a00f253e51a532d1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jW1m5QiBxrq8.bat

Filesize
201B

MD5
d90df5541e942e407ff94257055b44e6

SHA1
6b2d073998912b5819555912375cb485191fac35

SHA256
33d1466e0e994d6957bbfc3503d707bfde163cd4e7a48954ef439c9b1fd762bc

SHA512
795fae76e8901b78181e38d777550bef583dd475493c0d213c97e9beebdc8c51de27afa1c5b2942a18275e00343dca2f4d1a886f1334feb94c233f62b8d887ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvfQYv4pkNOm.bat

Filesize
201B

MD5
dc2394391057292b4562eeac4e40c6c6

SHA1
3493f003c518158fc8b2482e9e373e06ca69f1f9

SHA256
aba341adaa01e808a1e587c7cccd790e7e8cf80ac685c8616581cd47a8883ae8

SHA512
e8eba40981f8bb2af2fa9db35c68f90d13462db6f5b12a39f73426b8d25c5123d2dffd06acb096f7dd292cbefed9637d910ec975e35f853ed01586f82c3e06d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWh0vpYnO4ux.bat

Filesize
201B

MD5
aaf46f688ffa138bfb093bf430587d92

SHA1
908d626ace158dbf595280fbb637372ac47baa8c

SHA256
b4af41f2b5495eba1dbe9985f5de2bb90b3880acd0645c85eb92caef8306ec56

SHA512
6730c1215de4971cb94c48336fcc685a4dc67dfcdcdb14cfa9ff6c01c60737c0ec31548f033324aeda1d2f2033c3ba7b9f9e9f67ae08bf5d080a72b242f75f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\t3P4LCxv2TNh.bat

Filesize
201B

MD5
a3b82ad3e091f426b0e3d519adfbbc2c

SHA1
b6dec7f2d3e2cec9d8b0fd80710f9decfd3e8516

SHA256
01c73fed56ef3a9c691352e3cc508290a1100801017ac3b3e6c495907cbb62f7

SHA512
926e30528a05ebcc761cd970cd5e08b9a4deeba15fd8fd7e0ace281b490ac4ece638f68bd6e858ea1d016c2f3967439323e6aaad402c8d9c6cf398c0b83f6d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uZAwJn8dbMnm.bat

Filesize
201B

MD5
956f638fd77dab9bc89f4c1e47b0320f

SHA1
f4b5904461585635bd5d676471ceb0495f7ab683

SHA256
d6cd89462e8d4b8f3edfae41b83a04a1b1961ea492c0950ac65911672e24cce7

SHA512
7b9320229105cf85a4bf3634ad3c504ede3410aef06d6b7759d5074b632d1da4cc79547e719b015001af727315592a36fc7ef9f861fb046da2101ad582f92763

Download Submit
C:\Users\Admin\AppData\Local\Temp\wCQJ0pjU0DJG.bat

Filesize
201B

MD5
325d72aa9e5946c079e3266898f50032

SHA1
e951d261d54c53a6fb0ef10c5aa66b2b9cf6b3c8

SHA256
8ccc434883c4087dcc31e49d439b559b6adaf51763a2b2e6be55469856a52c04

SHA512
6789e08e2de8e73b12c8eda67e205f5af66d46f86658389d47399f1d0477301bfc32be307a9fcbb42ab44eb624418a084238113b265f9ff0f2c9ebf47c88fa6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIBmjHkYb9X7.bat

Filesize
201B

MD5
544452ca9ea7f76f77e547d5baa2c2e5

SHA1
33f0a39ead11c0f6e02a673d8e9bf17fffcec459

SHA256
eb8776195bbbc86a25c0362169638586ccaf835d6be90604b49a88f95ecceba1

SHA512
8455c822dd872c8a7c67ef75e75bec72ebb26ce3b641dae178b357f0f601e1f07d359473a9f1f4160801f76464ccd63d8e5c3d177e8a5290491026ad33b72c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyETyFnFIdjE.bat

Filesize
201B

MD5
86a58bf15e3f9d32210ab1e72b842cdb

SHA1
4dd69cef6ab90cdf7ac9adc389a0ba7ca72739e8

SHA256
0aa3f7f6eba0c82327953666835dbe5dd2a189fcc5c7ac4f064213df03ffdbf3

SHA512
ea88165bc757acc72249759e54323c5c0cc480514b3b51b6de575fa2fe619293a36a425162dbfa5707ae660e90f3bc467b190ede30abe4b6d5c8cb8cb24fdfa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xL1IjPYptimy.bat

Filesize
201B

MD5
d7037997315b58eaef021fdfb1fb6cbd

SHA1
8694a0b9913305c17a7bf324349e469b954a99a6

SHA256
e52b0297ad31b6db96b9313ea2a719d60d5c07a52c9cb233dd4278296af0013d

SHA512
4000cac204f782e922a1482ded09c8a907f9f9ba44cc8780f2dde873df97f47335336f8cdc39feaa62e0bb8eb1ccc82c3e4bc9adf6aa5e0cf9264a9c8a45b43a

Download Submit
memory/4400-3-0x000000001B970000-0x000000001B9C0000-memory.dmp

Filesize
320KB

Download
memory/4400-4-0x000000001BA80000-0x000000001BB32000-memory.dmp

Filesize
712KB

Download
memory/4400-0-0x00007FF994253000-0x00007FF994255000-memory.dmp

Filesize
8KB

Download
memory/4400-10-0x00007FF994250000-0x00007FF994D12000-memory.dmp

Filesize
10.8MB

Download
memory/4400-2-0x00007FF994250000-0x00007FF994D12000-memory.dmp

Filesize
10.8MB

Download
memory/4400-1-0x0000000000530000-0x0000000000854000-memory.dmp

Filesize
3.1MB

Download
memory/5228-12-0x00007FF994250000-0x00007FF994D12000-memory.dmp

Filesize
10.8MB

Download
memory/5228-16-0x00007FF994250000-0x00007FF994D12000-memory.dmp

Filesize
10.8MB

Download
memory/5608-29-0x000002B920FC0000-0x000002B920FC1000-memory.dmp

Filesize
4KB

Download
memory/5608-18-0x000002B920FC0000-0x000002B920FC1000-memory.dmp

Filesize
4KB

Download
memory/5608-20-0x000002B920FC0000-0x000002B920FC1000-memory.dmp

Filesize
4KB

Download
memory/5608-19-0x000002B920FC0000-0x000002B920FC1000-memory.dmp

Filesize
4KB

Download
memory/5608-24-0x000002B920FC0000-0x000002B920FC1000-memory.dmp

Filesize
4KB

Download
memory/5608-25-0x000002B920FC0000-0x000002B920FC1000-memory.dmp

Filesize
4KB

Download
memory/5608-30-0x000002B920FC0000-0x000002B920FC1000-memory.dmp

Filesize
4KB

Download
memory/5608-28-0x000002B920FC0000-0x000002B920FC1000-memory.dmp

Filesize
4KB

Download
memory/5608-27-0x000002B920FC0000-0x000002B920FC1000-memory.dmp

Filesize
4KB

Download
memory/5608-26-0x000002B920FC0000-0x000002B920FC1000-memory.dmp

Filesize
4KB

Download