quasar | d0b01d8716df6a5635967566bf4f89daba958ae5689561e956d33f644be14d38

Analysis

max time kernel
600s
max time network
599s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

288KB
MD5

612513b20674942d2bcf4d0732e0b726
SHA1

26e71467d042ccc4ade033a000a1febac73170d7
SHA256

d0b01d8716df6a5635967566bf4f89daba958ae5689561e956d33f644be14d38
SHA512

ce278631bb21322df5daf5a7b1a8296c2030a1708ec4367e444f9c65138b6f345e79d45138ec24f616b9da94150e82ad4ec3bbcee4282501c7eee568cc50ed8a
SSDEEP

6144:6KJuiyEnCGnhJlMP5Kq+SMv0VGb7bDcllbkUC:pzCGL69zVGkllbkp

Score

10^/10

quasar office04 persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

Ratrat2-53904.portmap.host:53904

Mutex

KvGe0Q07bhebNCip9c

Attributes

encryption_key
urBKaVmkbLbNrQbAkgkI
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Steam
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/4232-1-0x0000000000B30000-0x0000000000B7E000-memory.dmp family_quasar
C:\Program Files (x86)\SubDir\Client.exe family_quasar

resource	yara_rule
behavioral2/memory/4232-1-0x0000000000B30000-0x0000000000B7E000-memory.dmp	family_quasar
C:\Program Files (x86)\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 28 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 29 IoCs

Processes:

pid	process
1820	Client.exe
4228	Client.exe
364	Client.exe
736	Client.exe
4344	Client.exe
2204	Client.exe
2968	Client.exe
364	Client.exe
4048	Client.exe
3836	Client.exe
3900	Client.exe
3096	Client.exe
2820	Client.exe
4960	Client.exe
1444	Client.exe
2772	Client.exe
3564	Client.exe
4360	Client.exe
2820	Client.exe
936	Client.exe
2176	Client.exe
3876	Client.exe
3012	Client.exe
1068	Client.exe
4912	Client.exe
4048	Client.exe
3668	Client.exe
5032	Client.exe
2564	Client.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\SubDir\\Client.exe\""	Client.exe

Looks up external IP address via web service 26 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
63	ip-api.com
15	ip-api.com
54	ip-api.com
56	ip-api.com
61	ip-api.com
65	ip-api.com
19	ip-api.com
33	ip-api.com
51	ip-api.com
8	api.ipify.org
25	ip-api.com
31	ip-api.com
27	ip-api.com
29	ip-api.com
38	ip-api.com
58	ip-api.com
2	ip-api.com
13	ip-api.com
21	ip-api.com
35	ip-api.com
46	ip-api.com
48	ip-api.com
23	ip-api.com
43	ip-api.com
17	ip-api.com
41	ip-api.com

Drops file in Program Files directory 58 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File created	C:\Program Files (x86)\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 28 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4644	1820	WerFault.exe	Client.exe
1636	4228	WerFault.exe	Client.exe
4520	364	WerFault.exe	Client.exe
3916	736	WerFault.exe	Client.exe
2940	4344	WerFault.exe	Client.exe
216	2204	WerFault.exe	Client.exe
1692	2968	WerFault.exe	Client.exe
2052	364	WerFault.exe	Client.exe
936	4048	WerFault.exe	Client.exe
4140	3836	WerFault.exe	Client.exe
5024	3900	WerFault.exe	Client.exe
4308	3096	WerFault.exe	Client.exe
3572	2820	WerFault.exe	Client.exe
3684	4960	WerFault.exe	Client.exe
2428	1444	WerFault.exe	Client.exe
1280	2772	WerFault.exe	Client.exe
4008	3564	WerFault.exe	Client.exe
696	4360	WerFault.exe	Client.exe
4912	2820	WerFault.exe	Client.exe
4432	936	WerFault.exe	Client.exe
4764	2176	WerFault.exe	Client.exe
3792	3876	WerFault.exe	Client.exe
416	3012	WerFault.exe	Client.exe
4612	1068	WerFault.exe	Client.exe
4936	4912	WerFault.exe	Client.exe
1940	4048	WerFault.exe	Client.exe
1524	3668	WerFault.exe	Client.exe
3620	5032	WerFault.exe	Client.exe

Runs ping.exe 1 TTPs 28 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
5000	PING.EXE
3560	PING.EXE
1724	PING.EXE
796	PING.EXE
3236	PING.EXE
3776	PING.EXE
4236	PING.EXE
1620	PING.EXE
2816	PING.EXE
4088	PING.EXE
3116	PING.EXE
4364	PING.EXE
1492	PING.EXE
3036	PING.EXE
4180	PING.EXE
2300	PING.EXE
4852	PING.EXE
2712	PING.EXE
4484	PING.EXE
2368	PING.EXE
3036	PING.EXE
2144	PING.EXE
1780	PING.EXE
3032	PING.EXE
796	PING.EXE
1384	PING.EXE
4644	PING.EXE
3220	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 29 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1996	schtasks.exe
2108	schtasks.exe
4652	schtasks.exe
2708	schtasks.exe
2284	schtasks.exe
4880	schtasks.exe
3448	schtasks.exe
4472	schtasks.exe
3476	schtasks.exe
5072	schtasks.exe
5080	schtasks.exe
1496	schtasks.exe
3572	schtasks.exe
3936	schtasks.exe
1392	schtasks.exe
3028	schtasks.exe
2552	schtasks.exe
940	schtasks.exe
4304	schtasks.exe
4180	schtasks.exe
4416	schtasks.exe
4488	schtasks.exe
3620	schtasks.exe
4832	schtasks.exe
3200	schtasks.exe
1240	schtasks.exe
4804	schtasks.exe
1028	schtasks.exe
640	schtasks.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

Client-built.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4232	Client-built.exe
Token: SeDebugPrivilege	1820	Client.exe
Token: SeDebugPrivilege	4228	Client.exe
Token: SeDebugPrivilege	364	Client.exe
Token: SeDebugPrivilege	736	Client.exe
Token: SeDebugPrivilege	4344	Client.exe
Token: SeDebugPrivilege	2204	Client.exe
Token: SeDebugPrivilege	2968	Client.exe
Token: SeDebugPrivilege	364	Client.exe
Token: SeDebugPrivilege	4048	Client.exe
Token: SeDebugPrivilege	3836	Client.exe
Token: SeDebugPrivilege	3900	Client.exe
Token: SeDebugPrivilege	3096	Client.exe
Token: SeDebugPrivilege	2820	Client.exe
Token: SeDebugPrivilege	4960	Client.exe
Token: SeDebugPrivilege	1444	Client.exe
Token: SeDebugPrivilege	2772	Client.exe
Token: SeDebugPrivilege	3564	Client.exe
Token: SeDebugPrivilege	4360	Client.exe
Token: SeDebugPrivilege	2820	Client.exe
Token: SeDebugPrivilege	936	Client.exe
Token: SeDebugPrivilege	2176	Client.exe
Token: SeDebugPrivilege	3876	Client.exe
Token: SeDebugPrivilege	3012	Client.exe
Token: SeDebugPrivilege	1068	Client.exe
Token: SeDebugPrivilege	4912	Client.exe
Token: SeDebugPrivilege	4048	Client.exe
Token: SeDebugPrivilege	3668	Client.exe
Token: SeDebugPrivilege	5032	Client.exe
Token: SeDebugPrivilege	2564	Client.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

pid	process
1820	Client.exe
4228	Client.exe
364	Client.exe
736	Client.exe
4344	Client.exe
2204	Client.exe
2968	Client.exe
364	Client.exe
4048	Client.exe
3836	Client.exe
3900	Client.exe
3096	Client.exe
2820	Client.exe
4960	Client.exe
1444	Client.exe
2772	Client.exe
3564	Client.exe
4360	Client.exe
2820	Client.exe
936	Client.exe
2176	Client.exe
3876	Client.exe
3012	Client.exe
1068	Client.exe
4912	Client.exe
4048	Client.exe
3668	Client.exe
5032	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 4232 wrote to memory of 1996	4232	Client-built.exe	schtasks.exe
PID 4232 wrote to memory of 1996	4232	Client-built.exe	schtasks.exe
PID 4232 wrote to memory of 1996	4232	Client-built.exe	schtasks.exe
PID 4232 wrote to memory of 1820	4232	Client-built.exe	Client.exe
PID 4232 wrote to memory of 1820	4232	Client-built.exe	Client.exe
PID 4232 wrote to memory of 1820	4232	Client-built.exe	Client.exe
PID 1820 wrote to memory of 1240	1820	Client.exe	schtasks.exe
PID 1820 wrote to memory of 1240	1820	Client.exe	schtasks.exe
PID 1820 wrote to memory of 1240	1820	Client.exe	schtasks.exe
PID 1820 wrote to memory of 3944	1820	Client.exe	cmd.exe
PID 1820 wrote to memory of 3944	1820	Client.exe	cmd.exe
PID 1820 wrote to memory of 3944	1820	Client.exe	cmd.exe
PID 3944 wrote to memory of 3600	3944	cmd.exe	chcp.com
PID 3944 wrote to memory of 3600	3944	cmd.exe	chcp.com
PID 3944 wrote to memory of 3600	3944	cmd.exe	chcp.com
PID 3944 wrote to memory of 4180	3944	cmd.exe	PING.EXE
PID 3944 wrote to memory of 4180	3944	cmd.exe	PING.EXE
PID 3944 wrote to memory of 4180	3944	cmd.exe	PING.EXE
PID 3944 wrote to memory of 4228	3944	cmd.exe	Client.exe
PID 3944 wrote to memory of 4228	3944	cmd.exe	Client.exe
PID 3944 wrote to memory of 4228	3944	cmd.exe	Client.exe
PID 4228 wrote to memory of 3476	4228	Client.exe	schtasks.exe
PID 4228 wrote to memory of 3476	4228	Client.exe	schtasks.exe
PID 4228 wrote to memory of 3476	4228	Client.exe	schtasks.exe
PID 4228 wrote to memory of 2080	4228	Client.exe	cmd.exe
PID 4228 wrote to memory of 2080	4228	Client.exe	cmd.exe
PID 4228 wrote to memory of 2080	4228	Client.exe	cmd.exe
PID 2080 wrote to memory of 1064	2080	cmd.exe	chcp.com
PID 2080 wrote to memory of 1064	2080	cmd.exe	chcp.com
PID 2080 wrote to memory of 1064	2080	cmd.exe	chcp.com
PID 2080 wrote to memory of 3776	2080	cmd.exe	PING.EXE
PID 2080 wrote to memory of 3776	2080	cmd.exe	PING.EXE
PID 2080 wrote to memory of 3776	2080	cmd.exe	PING.EXE
PID 2080 wrote to memory of 364	2080	cmd.exe	Client.exe
PID 2080 wrote to memory of 364	2080	cmd.exe	Client.exe
PID 2080 wrote to memory of 364	2080	cmd.exe	Client.exe
PID 364 wrote to memory of 5072	364	Client.exe	schtasks.exe
PID 364 wrote to memory of 5072	364	Client.exe	schtasks.exe
PID 364 wrote to memory of 5072	364	Client.exe	schtasks.exe
PID 364 wrote to memory of 4988	364	Client.exe	cmd.exe
PID 364 wrote to memory of 4988	364	Client.exe	cmd.exe
PID 364 wrote to memory of 4988	364	Client.exe	cmd.exe
PID 4988 wrote to memory of 3000	4988	cmd.exe	chcp.com
PID 4988 wrote to memory of 3000	4988	cmd.exe	chcp.com
PID 4988 wrote to memory of 3000	4988	cmd.exe	chcp.com
PID 4988 wrote to memory of 1724	4988	cmd.exe	PING.EXE
PID 4988 wrote to memory of 1724	4988	cmd.exe	PING.EXE
PID 4988 wrote to memory of 1724	4988	cmd.exe	PING.EXE
PID 4988 wrote to memory of 736	4988	cmd.exe	Client.exe
PID 4988 wrote to memory of 736	4988	cmd.exe	Client.exe
PID 4988 wrote to memory of 736	4988	cmd.exe	Client.exe
PID 736 wrote to memory of 4488	736	Client.exe	schtasks.exe
PID 736 wrote to memory of 4488	736	Client.exe	schtasks.exe
PID 736 wrote to memory of 4488	736	Client.exe	schtasks.exe
PID 736 wrote to memory of 4608	736	Client.exe	cmd.exe
PID 736 wrote to memory of 4608	736	Client.exe	cmd.exe
PID 736 wrote to memory of 4608	736	Client.exe	cmd.exe
PID 4608 wrote to memory of 4144	4608	cmd.exe	chcp.com
PID 4608 wrote to memory of 4144	4608	cmd.exe	chcp.com
PID 4608 wrote to memory of 4144	4608	cmd.exe	chcp.com
PID 4608 wrote to memory of 796	4608	cmd.exe	PING.EXE
PID 4608 wrote to memory of 796	4608	cmd.exe	PING.EXE
PID 4608 wrote to memory of 796	4608	cmd.exe	PING.EXE
PID 4608 wrote to memory of 4344	4608	cmd.exe	Client.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GFtV9y4503A2.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:3600

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:4180

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NR5EWuUk3223.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:1064

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:3776

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMG7uaFkajPS.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:3000

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1724

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEpXilg76oO3.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:4144

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:796

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4344

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\14LcYMaD1xTE.bat" "
11⤵
PID:2452

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:4872

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3036

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2204

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wglVD229dlhn.bat" "
13⤵
PID:4636

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:5000

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:4364

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xo8wQfFTRKVB.bat" "
15⤵
PID:980

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:3700

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2144

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:364

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vvidqYJTk5ce.bat" "
17⤵
PID:4260

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:2984

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4852

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcyOhaTdfVzW.bat" "
19⤵
PID:4948

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:4832

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1780

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3836

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HvahaF5aFD0a.bat" "
21⤵
PID:4804

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:216

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:4644

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3900

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PnZtqXMsJRS5.bat" "
23⤵
PID:4468

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:1832

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:1492

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3096

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nc8kH9kE6u3x.bat" "
25⤵
PID:1748

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:3132

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:2712

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2820

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O2W1T2dCQlNw.bat" "
27⤵
PID:1764

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:4720

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:2300

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4XSYLt1GgK4P.bat" "
29⤵
PID:3456

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:4576

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:3036

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Scheduled Task/Job: Scheduled Task
PID:4180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w83hCpJslKb4.bat" "
31⤵
PID:4860

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:2276

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:5000

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2772

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
33⤵
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V3HAdWalOE29.bat" "
33⤵
PID:3820

C:\Windows\SysWOW64\chcp.com
chcp 65001
34⤵
PID:3976

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:4484

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3564

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
35⤵
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FZ1QI789AaQV.bat" "
35⤵
PID:3560

C:\Windows\SysWOW64\chcp.com
chcp 65001
36⤵
PID:3468

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:4236

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4360

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
37⤵
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x12B4VLkV48J.bat" "
37⤵
PID:1296

C:\Windows\SysWOW64\chcp.com
chcp 65001
38⤵
PID:2804

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:3220

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2820

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
39⤵
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VrW8b0Hti4uo.bat" "
39⤵
PID:456

C:\Windows\SysWOW64\chcp.com
chcp 65001
40⤵
PID:2004

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:3032

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:936

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
41⤵
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vFyJh1c4cO4A.bat" "
41⤵
PID:5052

C:\Windows\SysWOW64\chcp.com
chcp 65001
42⤵
PID:4356

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:3236

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
43⤵
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PfFEZm7a2WuQ.bat" "
43⤵
PID:2496

C:\Windows\SysWOW64\chcp.com
chcp 65001
44⤵
PID:1600

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:2368

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3876

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
45⤵
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYfxDjEA9ceb.bat" "
45⤵
PID:2296

C:\Windows\SysWOW64\chcp.com
chcp 65001
46⤵
PID:4544

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:4088

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
47⤵
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkmuIZnFN58Y.bat" "
47⤵
PID:1928

C:\Windows\SysWOW64\chcp.com
chcp 65001
48⤵
PID:3916

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:3116

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1068

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
49⤵
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2R3fAayPJVVQ.bat" "
49⤵
PID:2844

C:\Windows\SysWOW64\chcp.com
chcp 65001
50⤵
PID:4244

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:1620

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4912

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
51⤵
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LFnmoSCRaAOO.bat" "
51⤵
PID:1520

C:\Windows\SysWOW64\chcp.com
chcp 65001
52⤵
PID:540

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:796

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
53⤵
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yjvatYQBKvOx.bat" "
53⤵
PID:3144

C:\Windows\SysWOW64\chcp.com
chcp 65001
54⤵
PID:2428

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:2816

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3668

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
55⤵
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C1i8yTsoOpi6.bat" "
55⤵
PID:1996

C:\Windows\SysWOW64\chcp.com
chcp 65001
56⤵
PID:4064

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:1384

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
56⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5032

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
57⤵
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WpSFcL6qfUc4.bat" "
57⤵
PID:3292

C:\Windows\SysWOW64\chcp.com
chcp 65001
58⤵
PID:684

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
58⤵
- Runs ping.exe
PID:3560

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1928
57⤵
- Program crash
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 2192
55⤵
- Program crash
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 2224
53⤵
- Program crash
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 2232
51⤵
- Program crash
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 2212
49⤵
- Program crash
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 2180
47⤵
- Program crash
PID:416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 936
45⤵
- Program crash
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 2224
43⤵
- Program crash
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 2224
41⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 2224
39⤵
- Program crash
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 2192
37⤵
- Program crash
PID:696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 2224
35⤵
- Program crash
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 2188
33⤵
- Program crash
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 2200
31⤵
- Program crash
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 2196
29⤵
- Program crash
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 2196
27⤵
- Program crash
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 2200
25⤵
- Program crash
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 2192
23⤵
- Program crash
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 2200
21⤵
- Program crash
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 2224
19⤵
- Program crash
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 1924
17⤵
- Program crash
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1932
15⤵
- Program crash
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1700
13⤵
- Program crash
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 2168
11⤵
- Program crash
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 2128
9⤵
- Program crash
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 1892
7⤵
- Program crash
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1612
5⤵
- Program crash
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1900
3⤵
- Program crash
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1820 -ip 1820
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4228 -ip 4228
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 364 -ip 364
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 736 -ip 736
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4344 -ip 4344
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2204 -ip 2204
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2968 -ip 2968
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 364 -ip 364
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4048 -ip 4048
1⤵
PID:656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3836 -ip 3836
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3900 -ip 3900
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3096 -ip 3096
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2820 -ip 2820
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4960 -ip 4960
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1444 -ip 1444
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2772 -ip 2772
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3564 -ip 3564
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4360 -ip 4360
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2820 -ip 2820
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 936 -ip 936
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2176 -ip 2176
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3876 -ip 3876
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3012 -ip 3012
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1068 -ip 1068
1⤵
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4912 -ip 4912
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4048 -ip 4048
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3668 -ip 3668
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5032 -ip 5032
1⤵
PID:2216

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SubDir\Client.exe
Filesize
288KB

MD5
612513b20674942d2bcf4d0732e0b726

SHA1
26e71467d042ccc4ade033a000a1febac73170d7

SHA256
d0b01d8716df6a5635967566bf4f89daba958ae5689561e956d33f644be14d38

SHA512
ce278631bb21322df5daf5a7b1a8296c2030a1708ec4367e444f9c65138b6f345e79d45138ec24f616b9da94150e82ad4ec3bbcee4282501c7eee568cc50ed8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\14LcYMaD1xTE.bat
Filesize
199B

MD5
babb3ec8329cb9da9e7abf8967eb965e

SHA1
2e647943c173f2d3519fb2cdd5f6293b8342276b

SHA256
e26d8a841704e988e909fbe913d21b980692479c662eda9b55e5c52e9e8b0f95

SHA512
45836d89e721898dd013431ccb695a1ff0f6326e16016d305850ebee10e592bb97d6561d2697727dd8678814ee5f80c5d1281bf4e98e7f7aa4b2dbbd19c71626

Download Submit
C:\Users\Admin\AppData\Local\Temp\4XSYLt1GgK4P.bat
Filesize
199B

MD5
cc6b654ca7d1ddf28764791454db3aff

SHA1
f92a6d24863fb6cbdeeb4ba45c8abe754f68e3b5

SHA256
983951aeca53fddcbc90da8bec250375890734fff8049755bafa509d73d9556e

SHA512
1f66e418f33a357011e7b8046e2bd907561aec22cb46bdb22f3d5fc56f552220701afc06f4e5853f3859d4c542882f5d5866ba3b1ef1139ffe240777db2ad77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FZ1QI789AaQV.bat
Filesize
199B

MD5
fcc86cb3c292f89383ca01bdd6ccc1ca

SHA1
b3ee6ed845cd7e6a93698a73ca8aec0efb63b3ab

SHA256
98b8ad5b52689684721ed7d55a76da12d9d14897646a028c69c29391af1de2d2

SHA512
623933f7808af21f76e588d383d1788c094a22d60ff8c166f8f11c15c35af23621654537e095f067839b3237bcb8dfba8bd7fc6a40a77708242841ca2e998857

Download Submit
C:\Users\Admin\AppData\Local\Temp\GFtV9y4503A2.bat
Filesize
199B

MD5
d3d91d9225a146f85ec4f2f2eb7a7ff4

SHA1
d0350adb363892fb15007d1f57a5f8f26cee811c

SHA256
794dcb70f63ad914cdf6bf984dbcd780903ca34b54ae92b250f3d63b9f02711d

SHA512
3dfaf2e6b5d7d209425cf61f5cb93cd4864f0a0ad17abee283d617efe558badfad49c14756fb48b6f444f9595ca265b313259ad84c40cb400c1f58ec03e907e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HvahaF5aFD0a.bat
Filesize
199B

MD5
6f9f3e78f7e6b43f191158a681846939

SHA1
4cf7841521a5c8e474cc88ee703b9f566ca915ca

SHA256
6e3a55a6c8dc6be22568c1248e8dce5cac77d953bb9f4c3a03102b11c756a11b

SHA512
77f0a7146c4389c1eaa20357376d238756435afee907274479c899274ef576d75fe3df57d6266f483ba019ac966a95e45c95e03a28cb39ae2091c41cabbb6717

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEpXilg76oO3.bat
Filesize
199B

MD5
5b5a3b8d76ecb475719c423f2b3190ed

SHA1
43d0bae361a2b22ae9a6fe77d14c284e9fd6a3f4

SHA256
ca9ab3a18a3046514ea57549da4a4717c14896818f94499890561a70deeb5902

SHA512
12ea61716a714c30b9a7f1c2700f9dbafe1022c590c6b05a7de8a6db809e645de00d1239812d2e251d7fef0c9ab35f00c19a618a6aaf1b837bd1d883e5f09e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NR5EWuUk3223.bat
Filesize
199B

MD5
81bb631ff6c6ba59213ce993caf5f913

SHA1
ce6cf2687da6c25183db4256ee910745044fa0b5

SHA256
aa42816b9f3ac668b200d00a70d8007128c445c5470ea6a855d56541ac4f55ec

SHA512
89524f650859529c9b02293ae6bb4d2f4df73ade5816ad0ff6d9656adc662e876a150038e44b11c558a1fbcfa92ba78cc5c25213635a95c00dd970b1170df06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\O2W1T2dCQlNw.bat
Filesize
199B

MD5
ed236ff5117acaa3dc285aefcb64f757

SHA1
049100f2b537a7bba68b3cfc479b1a44d56ca318

SHA256
4396f9b4b6f10437b0ee07779e5b9e84c24f6a09e35bd08325832e1a8eb28bfb

SHA512
100ee6f1fc3c49ac6c93dfa953ce8dc6cce8b6d3b450f92df1b1d0522cfe9c8cf277407425511f7851649aafa4889b09254de7518dde08276300c13b75059a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\PfFEZm7a2WuQ.bat
Filesize
199B

MD5
983d4109737f293a3d9fd7b94540b3a3

SHA1
787fb7612787ae2959b4d7f510fad652365b041e

SHA256
e83bc961b11457613a4d8b56a9938b33e048bf6bc079c727c3b14b96ba14fa74

SHA512
8dd47f9bc6424fe61d6ed86c75a98ff9efb238d75c047577d62dd58efb53fe836fdb47b759d166079a860784037d5490176ff68020a04570a19ca951b00db52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PnZtqXMsJRS5.bat
Filesize
199B

MD5
d81078d69b2b0cf6d1ea56fbddea2062

SHA1
efc8ffd2173340af0f7e31f7bcaca0e2640e330b

SHA256
e2d708d71c0d74b9c80ae6453d6ec890cc29716279734cca0b2a753bd9800f67

SHA512
2619a38b8ca7b3584372cf3d4835ec8e8e5f5f24810f9da4fa315d5a19ec704b521feb95c2a0c12f227e60639390b08f55ee9e9dbccd9c1576459fece5a8517f

Download Submit
C:\Users\Admin\AppData\Local\Temp\V3HAdWalOE29.bat
Filesize
199B

MD5
610d665acf27a92d880b112c45694074

SHA1
d210e778e3bcda8caefbd78d5549c497bc92c9b6

SHA256
6f29bb8b3b8a3ae379b7909be0bc64b4406d8213c338225994adbb84613ead10

SHA512
b0dbf45f9f5d8ba8d3f4b7e5b6ecc96b37646245fea0f1a96251e8a85c2012326afaf14d60da30f1c260e41bfb7c0b8b5db6a55f5165699ced141a3100490e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VrW8b0Hti4uo.bat
Filesize
199B

MD5
4c93d66b1ef60ea1c07b7d818f2c614d

SHA1
3c40cd2cee4feff3435b3026b64cf8bd79a19a4d

SHA256
e3213a7909bc3171312bf832c4e2d7b776fc2becdfc4c8bdbcd5b79149cf2822

SHA512
ab088705f6bbe75b5e54644f5e1e2716f2f5949aff4c986614c29888fa0f4f104d90c9b5bd00cda60e356e27df02e9b8843cebf4e60a5cba16a92d0610dbbe67

Download Submit
C:\Users\Admin\AppData\Local\Temp\nc8kH9kE6u3x.bat
Filesize
199B

MD5
ba7c4557eddf33b2a618bd6a2baeb619

SHA1
31e590eb389fcf125ab5103519bcfc394ec558f6

SHA256
e89677052448e8e33fbaf95a5b4c70a85769ab92fd33607633d78c05ca0a6611

SHA512
8e1e1ac2e1f3b79c7b049fb950847c3402eeb46435679c56853ebbf9ec3524f9f0c702e6f413cb484dc05b596212be777bc59a615330f6b6929f4bf5597be1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMG7uaFkajPS.bat
Filesize
199B

MD5
33151b424225bd32d3bc40e38aa9910f

SHA1
3a9b3cb034ae882fdf5d1334d0ec87477b7beb22

SHA256
941196d9a17fa4eb93dd66c3ac80de78c917ee672173f1b1d17335dface14ea6

SHA512
8cbdeef9f0a77cb40d6c5c2a8119b2c539501932c5442f4f4c59e8be4e58211034ff4f5c52517153354a8ffbcf376e5b3ba4922e56cc26feee713c3aa5f9ac82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vFyJh1c4cO4A.bat
Filesize
199B

MD5
a5c96856ee44880ad9f63e95e41b7e61

SHA1
0765460bf078f66fe624bcc4162d5deabb909785

SHA256
5a24a3cb6afe2a8f4d33423f685bfbc3ba8f304731aee1bc65760cfda57658e6

SHA512
13f7187d18970102dc77370a1f3f2e5e6f0aa6073ce1e717fd3233107896912df28dc65d5156edc1b78eac792541cc0711d9a2943395e5c33a43762fd8fb3e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvidqYJTk5ce.bat
Filesize
199B

MD5
484428f75f5d8c1de1e46670c182beaa

SHA1
ceaae56963d9e5de6d9e4f83a0e23d959fa90087

SHA256
1c492c9336b6c1e4ed18895526692be014f387211e164580651db8645030bc47

SHA512
3973328742ba29a36229ab37236ee6113d17f8ec157d269a2415d740b4f772fd8fefd1fc6a93231f7dd4f1ba6cad3e7548fe7253b60b4d3843b18fc1404109af

Download Submit
C:\Users\Admin\AppData\Local\Temp\w83hCpJslKb4.bat
Filesize
199B

MD5
d9806a5a7410b710133e1ff5063d9143

SHA1
524ce187953c91cbc212c18cb6090b6fd22c9b02

SHA256
445dba6fd791ef67019f76deeb8990b261007a234e7ff5b02474f822639c2d3b

SHA512
18bc93fd0fdf4205389f3ba583cdc9cf3e5e9598d9ef29a8eb9731a6034698f929dc9acde71b9a168e1c30fbbcfd5600a8dbfba76ddc53f4be7531e551c47810

Download Submit
C:\Users\Admin\AppData\Local\Temp\wglVD229dlhn.bat
Filesize
199B

MD5
454474d41a748dd5d4cb6004170fd562

SHA1
44af4d28332dcda84ed937a6444b602f75434fd1

SHA256
0d25eb86bae41c4504d84cdf71208aaa7e875ef7cf5963a0ad4f6bd1e74f462e

SHA512
c86a3b79aaec56ca68df29aee6f3bb95d7408ce2aa28dbe4863d59e4a7df5ca37fd3ada2e73a6561b7cb8c1ac9f3f80e4bc528ddfdc727fd34ab3cddb9ae05c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\x12B4VLkV48J.bat
Filesize
199B

MD5
95398e8d8aaf84bde033b880edca1332

SHA1
9507d4276d8d5b8cc08949cbd73ccdf482c8ce72

SHA256
e8d10acea2d3ef5ee11ea562437eb368f36f24a605d5cb203911ac1b90db1588

SHA512
ff7aa8c6f3ab5751d967aa937603ed1a2276b919a8d03ead11e87f80e0abcbd96f7eb71f1af5b198b8d7ebd9daacaccd30a23011d96925397ee950160e820a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\xo8wQfFTRKVB.bat
Filesize
199B

MD5
4775946fce9b390c6eaad8f0e18e9306

SHA1
fb05d331a5d65751133400feaeb5fc77a98a4114

SHA256
193224ec023acee9f9101c4ca7bd68ccf154c0451e0f9e09ca30c40ac3a42a6e

SHA512
fba6f839bf80fa45ede41007d9a6d10d0f271a3789025ede790b50452568f9f56ba26eaf893af6f193c8d5dd9da1995770cfe2252c6cb3f7c66860f0122515a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcyOhaTdfVzW.bat
Filesize
199B

MD5
20a56062fb88f138c5bfe7510dc49dd4

SHA1
26eaf4c177e6c92329fdbec8eaf1e1187d2c981e

SHA256
4004a1ad3ecdbca53995af1db150dd0906ff12d65d9699b7fd99c5140d2f4b7c

SHA512
0e28615d9ca294b7414433130a997046dcdef6360731fbce504733891a42b9246744e21b78597adc6ae63eff3b4af7383a6cd8f37183cb6088ed85adf23d4f65

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize
224B

MD5
f7b09341fdf1a552d2bcc9a80a06b787

SHA1
e4847175e9acfa960d6d50530b38873d24a9645f

SHA256
41e1ad6f4656ea00c8c7b8a6151c839d197e45b3457805b60936edcd7676181c

SHA512
74a0e204fcb3677176626cd0d64a89f1a513a7da95ad4d32180095da57b773c4cb832a58e862850dda0fe1604556f90476a224f3526c4ee5943199b723de13f1

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize
224B

MD5
4edabf5bc0224cb7e8393b8366041e43

SHA1
e5a4634e0d25e67003952ed9b16eb8b459e29475

SHA256
e05628812ef7ccadcb0426ed82e66230ad3354b6c4aa3fed3f8e75267811dae7

SHA512
ac6b9d651afa7f83435721e3c105954981bb6ded9ff97c397eeba0f622750695f4c38292d4391350a6b8e8eb8b0dc1f7ad4a8c8c744caae81b4c7f9fdf37cc90

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize
224B

MD5
7cc2fda7d089e32680759ea1e70a8a80

SHA1
b1000c356a372a6ba1b7f237806b6a1d2690fb0f

SHA256
5239d1757e8a5877d5ec54a9677e5df8a20b8d132d6a7ac815f41e01681d81ea

SHA512
34e2ea2b910e0e90cc3dba411929b39307789fc6b97fd9d699b98027d8db79bd0d1070cbc6b71b707362709e085e0116edc061c5d28808beb2ca48b7348855f6

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize
224B

MD5
bc1177d248e2cfb5563a51883500ad61

SHA1
d7c9ee07f77a4a0c2c6f706677c1d6e0118d271d

SHA256
adcdbb7b6e6e22d18b96fd8b69ed692786d57a721d6bba85397cf961a2fbf5b6

SHA512
4072d703460564b40afdd08dd3d91d3c62fca64abff15c4910ccd3ba0d789c5a5abc3701a8253c32beca70400f83b82d9bc508d168716b6842a074efa4f6e299

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize
224B

MD5
fcb19624f942ee07b2f5833d85daf3eb

SHA1
5560e34bb4581b9f0e87d4d600c87d42b1c6bf6d

SHA256
c0f7ae8274f6862b9947317625d938e10755fd966d554474d59daae1f78e4808

SHA512
17cb00b859e9b3b7fe710c5ce1f96955cb21c1da1b6eca4cda252cfaac324bc5406f6d053e4bea46ae7789f166fc828a04da57ecab2cb417c2e8a015cb6ebc46

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize
224B

MD5
d165039ba689620f29045c8854a2e412

SHA1
46c52223f88e60deb3ed237cbde64bf2c65ea282

SHA256
cf1db797814ac2bfb5cf470e3c669c9169fc1b1c9da57edadc4af72024f7eaf0

SHA512
3172cd8959a7fb943e2e340fbed5151552763aebf6ba9624db20b799384272168052a763e38aa057935e5944dec8082119d521bdf94c0a4d3c2e3b6b0eeeb57d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize
224B

MD5
dcf79b40a777488a7aa1b8aa9740f41d

SHA1
6431d399ebd0fa4303a955272d2f390ba70ce35f

SHA256
a805a47e47b0b28d164b3b3544460d9d8a598067d53a022ae6c2bea241367d72

SHA512
a0abb34084f31bbe0d60c8657fbb58b33382ab093f4ec77e0bd5dcaff440882603bc34ceb867a943e9934b62b19ed97b23d39bfdb948a735ca073167dd5e6df1

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize
224B

MD5
960775caa8d831133d6241a623e692f2

SHA1
f5bd130e618b0d1c25d4309505f5f31b778ee705

SHA256
445cf594bbf7bfdbfa8823f46d5d0b725a232e1150ea2d3baefc8973f0079816

SHA512
359dc3320749965e61e885600950a932c7428509f1bf7543bd16bd5e24dea2a1edef4d9146bb8fac6234f9193a36f2732736f3bade3e150a96fb80fbc5a77b78

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize
224B

MD5
394fa8e9d76c47b360277cf90447b001

SHA1
bb8e9e5508793f26f8527ee89b967221d6f4bef2

SHA256
4694fde506886be7f366cfa27ddf1ac0f77ca5cc0162fac9dfe3de4b7b564e04

SHA512
4f75f75ecc1773fdaa7cc207444b439c92cdd4b45c0ab8cead54415a9a3dc9ccfb7541e83387a8c8c14ae9dd61a6de513802c8438280154d9dc4a136d46b897b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize
224B

MD5
c7a227cf797e1613017fcf9657d7bcd3

SHA1
50fb8b0db3b90343d3cdaa882750e31563c06433

SHA256
53ae526d534387bb419e44f8fec0a4efd1fca7c9f555f59cb677edd2ba07192c

SHA512
717b086def4f9ab7cc530beec59d7556df87e2243deecdb7455ea53d6ed7bd2b636053fab619d033fa437cdaeb0af2c0a4fb6c6ce1478e69d9e276d050b78f1a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize
224B

MD5
becb77621f3261b388e0d5425264fbda

SHA1
a98a5911d5fd8e0ad3ae22d3fb0a8f42cc6dd920

SHA256
507bed0ebd7683fcc97ed56c351860adfb298e1d7f534a4439d94ddf9f2ebc27

SHA512
cc6bcd2d1cd2a93f0166e75c515fccc3cfcf33521db65455fb18fe542710f4257d4df603a0f74149f493e49be092d4de6bb8a52258130687f8593e9bf4427a8f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize
224B

MD5
c1f9fb68b3a1aed8a449b8b9f050da7e

SHA1
fa7dacaa857a58e839515aabd27499bca0f88f1d

SHA256
0709a3672449740fb19eea84e02c78d19c8c0fa625b085136b1fd62d6d954876

SHA512
0f2f9b8d421e0cc953552884f66c4f709af2b8130d422e5708a4ab44d2c87c18ab4a281cfa5f959fd7b2969fc50532419aaabe93fb7c1b331237773ea56ded16

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize
224B

MD5
97fa641fc70217c055e63c90e0a0e098

SHA1
1d8092f7f3c125be3f59649756f2ae090edd087f

SHA256
6ff56697f1ea61daaccc9f09992be90cb6fffd5d03fcb6ef237f1ad50e7ebdda

SHA512
503d27e6304bab7e975826eed49a1b0ea3b01352c0bc1f02039850f53ed20bded729ed10aef4025ba7fc1d0d57ff7454b5be08d03be5caec08def8f8d378a58d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize
224B

MD5
a2b24a3b5cc96d4513646cce60608a15

SHA1
2520a4b998cc698d9f50f12ddd3053e76d525a5f

SHA256
4bbcf10e0c2a4e53aa5664d923cf71b77ee68436e47dc9aff0d58206cf5e77c8

SHA512
e3193a2fda719537cc705a80c329818cfec37831332b3e32ab644bf562a2d93a18c06235978111b6d163e13a1dc8723694c95af09bc50d16973e481e1471cf38

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize
224B

MD5
c354d29e0f5ac488970828b679e3c413

SHA1
0659a5568f4469687ddc83dd4d72bab5ad9a1364

SHA256
f015b91c9828aab88453d2161777ab56d312cef97a3d11ea1985e946c5870d0f

SHA512
2c72ce89b2a0fc13e3cf2931dedd971e58f7eba36b7475a8f6c7b2bd8468173e0dd15aeb5bd1ffd360349457bff692ac629fff2608015ca55f6501c043a1575b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize
224B

MD5
4d19b5b9d4087b7aff57622dfda631e6

SHA1
1caf9f88a43043b0e8b708835de62ed397baae57

SHA256
315cc63e688e3ef5b4bd6ee2be27c2813e5d31a7930e4dd68e789e58425c92ff

SHA512
28b47f61d9847b7f97821fc4938d8833bcf97b0d55a9f6fbea540e735e7e21c5eb03e8f56ca551f852ae0f0a6cb67ed6c0f64e7f50c0a4cf75b1da6ffe95b90a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize
224B

MD5
e5d6a629cfa28f94d3fa38d19f7eea78

SHA1
e5e03d574f423abb280f8ceaad64300c68f4ddbe

SHA256
82f99017b072234e326ba2e3a52db90346478f75a21b355c97823f6cd49aac28

SHA512
d9d2ff19c79f19627378d1431d77a6f066c88d38562dc51d022cca0960e0be92e66b9868c6344e97faf75cd484c901892e3537c1ad49d8fadf066f968ff1d9e0

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize
224B

MD5
973fb6bb6bfa3011d8111d125a9fef82

SHA1
3de9d713b7d54ef54b2b9c381d5343357c52c1a7

SHA256
ef0c5cc9373facc0af4c66091b0313381f9625ad43f1579176da7c4f079c9b72

SHA512
9de426679a8bedcc9f8cace308dcf8d20a8a1ac8201398458fd90ca8f7543c46307a627021100f754e635272a32661664ef1f176f3b43448df5716d5b62a401e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize
224B

MD5
5aacb6a2688e51cb82f8c2b10668bccf

SHA1
290052f12858324a8af36418bcacb48f3dcb4a15

SHA256
28735928ea33e260021483b8576f5751fff4c542c09eaf5f6c3f4f42a0c8e7ca

SHA512
6b18afc46f6f320a6a2e49958356cca4af7a3e0d832ef33e939225aab2469f6ff3ab0ddb2b22258b41660faa9ac551258d45ec92da6dc8dd7d56b8b1267f47ad

Download Submit
memory/1820-17-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/1820-15-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/1820-24-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/1820-19-0x0000000006590000-0x000000000659A000-memory.dmp

Filesize
40KB

Download
memory/4232-16-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4232-0-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/4232-8-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4232-7-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/4232-6-0x0000000006390000-0x00000000063A2000-memory.dmp

Filesize
72KB

Download
memory/4232-5-0x0000000005570000-0x00000000055D6000-memory.dmp

Filesize
408KB

Download
memory/4232-4-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4232-3-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/4232-2-0x0000000005BA0000-0x0000000006144000-memory.dmp

Filesize
5.6MB

Download
memory/4232-1-0x0000000000B30000-0x0000000000B7E000-memory.dmp

Filesize
312KB

Download