Analysis

max time kernel: 600s
max time network: 599s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-06-2024 23:01
Behavioral task behavioral1
Sample: Client-built.exe
Resource: win7-20240508-en

Behavioral task behavioral2
Sample: Client-built.exe
Resource: win10v2004-20240508-en
General

Target: Client-built.exe
Size: 288KB
MD5: 612513b20674942d2bcf4d0732e0b726
SHA1: 26e71467d042ccc4ade033a000a1febac73170d7
SHA256: d0b01d8716df6a5635967566bf4f89daba958ae5689561e956d33f644be14d38
SHA512: ce278631bb21322df5daf5a7b1a8296c2030a1708ec4367e444f9c65138b6f345e79d45138ec24f616b9da94150e82ad4ec3bbcee4282501c7eee568cc50ed8a
SSDEEP: 6144:6KJuiyEnCGnhJlMP5Kq+SMv0VGb7bDcllbkUC:pzCGL69zVGkllbkp
Malware Config

Extracted
Family: quasar
Version: 1.4.0.0
Botnet (tag): Office04
C2: Ratrat2-53904.portmap.host:53904
Mutex: KvGe0Q07bhebNCip9c
encryption_key: urBKaVmkbLbNrQbAkgkI
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Steam
subdirectory: SubDir
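The extracted config is enough to predict what the client leaves on a host: the install path is <base>\<subdirectory>\<install_name>, the startup_key value is reused as the Run value name and as the scheduled task name, and the C2 field gives the host:port to watch for. The Python below, an added example rather than sandbox or Quasar code, derives those artifacts from the config above and matches them against event records constructed to mirror this report's IoCs. The Program Files (x86) install base (taken from the file-drop and Run-key IoCs; Quasar can also install under AppData or System32) and the flat event-record layout are assumptions made for the demo.

```python
"""Derive host/network indicators from an extracted Quasar config and match
them against event records. Added example; the config values are the ones
extracted in this report, the event records are constructed for the demo."""
import re

# Extracted config (see "Malware Config" above).
QUASAR_CONFIG = {
    "version": "1.4.0.0",
    "c2": "Ratrat2-53904.portmap.host:53904",
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "Steam",
    "log_directory": "Logs",
    "reconnect_delay": 3000,
}

# Assumption: the install base observed in this run. Quasar's install-path
# setting can also select AppData or System32; this report shows Program Files (x86).
INSTALL_BASE = r"C:\Program Files (x86)"

# Task name in 'schtasks /create /tn "Steam" ...', quoted or bare.
TASK_NAME_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.IGNORECASE)
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"


def expected_artifacts(cfg, install_base=INSTALL_BASE):
    """Map config fields to the artifacts the client leaves behind.

    In this run startup_key ("Steam") is both the Run value name and the
    scheduled task name, and the client is dropped as
    <install_base>\\<subdirectory>\\<install_name>.
    """
    host, _, port = cfg["c2"].rpartition(":")
    install_path = "\\".join([install_base, cfg["subdirectory"], cfg["install_name"]])
    return {
        "install_path": install_path,
        "run_value_name": cfg["startup_key"],
        "task_name": cfg["startup_key"],
        "c2_host": host,
        "c2_port": int(port),
    }


def match_events(events, art):
    """Return (index, indicator) for every event that hits an expected artifact."""
    hits = []
    want_path = art["install_path"].lower()
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "file_create" and ev["path"].lower() == want_path:
            hits.append((i, "install_path"))
        elif kind == "registry_set":
            if (ev["key"].lower().endswith(RUN_KEY_SUFFIX)
                    and ev["value_name"] == art["run_value_name"]
                    and ev["data"].strip('"').lower() == want_path):
                hits.append((i, "run_key"))
        elif kind == "process_create" and ev["image"].lower().endswith("schtasks.exe"):
            cmd = ev["cmdline"]
            m = TASK_NAME_RE.search(cmd)
            if ("/create" in cmd.lower() and m and m.group(1) == art["task_name"]
                    and "/rl highest" in cmd.lower()):
                hits.append((i, "scheduled_task"))
        elif kind == "network_connect":
            if ev["host"].lower() == art["c2_host"].lower() and ev["port"] == art["c2_port"]:
                hits.append((i, "c2"))
    return hits


# Constructed records modelled on this report's IoCs (not sandbox output).
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Program Files (x86)\SubDir\Client.exe"},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": '"schtasks" /create /tn "Steam" /sc ONLOGON '
                '/tr "C:\\Program Files (x86)\\SubDir\\Client.exe" /rl HIGHEST /f'},
    {"type": "registry_set",
     "key": r"HKU\S-1-5-21-2539840389-1261165778-1087677076-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Steam", "data": r'"C:\Program Files (x86)\SubDir\Client.exe"'},
    {"type": "network_connect", "host": "Ratrat2-53904.portmap.host", "port": 53904},
    # The IP-lookup service the client contacts is not the C2 and must not match.
    {"type": "network_connect", "host": "ip-api.com", "port": 80},
    # A task with another name must not match either.
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": '"schtasks" /create /tn "Updater" /sc ONLOGON /tr "C:\\x.exe" /rl HIGHEST /f'},
]

if __name__ == "__main__":
    art = expected_artifacts(QUASAR_CONFIG)
    for idx, name in match_events(SAMPLE_EVENTS, art):
        print(f"event {idx}: {name}")
```

Only the four indicators derived from the config fire; the ip-api.com flow and the differently named task are left alone, which is the point of deriving indicators from the config rather than alerting on every schtasks or every outbound connection.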
Signatures

Quasar payload 2 IoCs
resource | yara_rule
behavioral2/memory/4232-1-0x0000000000B30000-0x0000000000B7E000-memory.dmp | family_quasar
C:\Program Files (x86)\SubDir\Client.exe | family_quasar
Checks computer location settings 2 TTPs 28 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | Client.exe (28 identical events)
Executes dropped EXE 29 IoCs
process: Client.exe
pids, in order of execution: 1820, 4228, 364, 736, 4344, 2204, 2968, 364, 4048, 3836, 3900, 3096, 2820, 4960, 1444, 2772, 3564, 4360, 2820, 936, 2176, 3876, 3012, 1068, 4912, 4048, 3668, 5032, 2564
(a PID that recurs was reused after the earlier Client.exe instance had exited)
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\SubDir\\Client.exe\"" | Client.exe
Looks up external IP address via web service 26 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
ioc | flows
ip-api.com | 2, 13, 15, 17, 19, 21, 23, 25, 27, 29, 31, 33, 35, 38, 41, 43, 46, 48, 51, 54, 56, 58, 61, 63, 65 (25 flows)
api.ipify.org | 8 (1 flow)
Drops file in Program Files directory 58 IoCs
description | ioc | process | count
File created | C:\Program Files (x86)\SubDir\Client.exe | Client-built.exe | 1
File opened for modification | C:\Program Files (x86)\SubDir\Client.exe | Client-built.exe | 1
File opened for modification | C:\Program Files (x86)\SubDir\Client.exe | Client.exe | 28
File opened for modification | C:\Program Files (x86)\SubDir | Client.exe | 28
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 28 IoCs
pid (WerFault.exe) | pid_target (Client.exe)
4644 | 1820
1636 | 4228
4520 | 364
3916 | 736
2940 | 4344
216 | 2204
1692 | 2968
2052 | 364
936 | 4048
4140 | 3836
5024 | 3900
4308 | 3096
3572 | 2820
3684 | 4960
2428 | 1444
1280 | 2772
4008 | 3564
696 | 4360
4912 | 2820
4432 | 936
4764 | 2176
3792 | 3876
416 | 3012
4612 | 1068
4936 | 4912
1940 | 4048
1524 | 3668
3620 | 5032
Every Client.exe instance listed under "Executes dropped EXE" except the last one (pid 2564) was reported crashed by WerFault before the run ended.
Runs ping.exe 1 TTPs 28 IoCs
process: PING.EXE
pids: 5000, 3560, 1724, 796, 3236, 3776, 4236, 1620, 2816, 4088, 3116, 4364, 1492, 3036, 4180, 2300, 4852, 2712, 4484, 2368, 3036, 2144, 1780, 3032, 796, 1384, 4644, 3220
Scheduled Task/Job: Scheduled Task 1 TTPs 29 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
process: schtasks.exe
pids: 1996, 2108, 4652, 2708, 2284, 4880, 3448, 4472, 3476, 5072, 5080, 1496, 3572, 3936, 1392, 3028, 2552, 940, 4304, 4180, 4416, 4488, 3620, 4832, 3200, 1240, 4804, 1028, 640
Suspicious use of AdjustPrivilegeToken 30 IoCs
description: Token: SeDebugPrivilege
Client-built.exe: pid 4232
Client.exe: pids 1820, 4228, 364, 736, 4344, 2204, 2968, 364, 4048, 3836, 3900, 3096, 2820, 4960, 1444, 2772, 3564, 4360, 2820, 936, 2176, 3876, 3012, 1068, 4912, 4048, 3668, 5032, 2564
Suspicious use of SetWindowsHookEx 28 IoCs
process: Client.exe
pids: 1820, 4228, 364, 736, 4344, 2204, 2968, 364, 4048, 3836, 3900, 3096, 2820, 4960, 1444, 2772, 3564, 4360, 2820, 936, 2176, 3876, 3012, 1068, 4912, 4048, 3668, 5032
Suspicious use of WriteProcessMemory 64 IoCs
Each parent-to-child write is reported three times; the unique pairs, in order, are:
pid | process | target pid | target process
4232 | Client-built.exe | 1996 | schtasks.exe
4232 | Client-built.exe | 1820 | Client.exe
1820 | Client.exe | 1240 | schtasks.exe
1820 | Client.exe | 3944 | cmd.exe
3944 | cmd.exe | 3600 | chcp.com
3944 | cmd.exe | 4180 | PING.EXE
3944 | cmd.exe | 4228 | Client.exe
4228 | Client.exe | 3476 | schtasks.exe
4228 | Client.exe | 2080 | cmd.exe
2080 | cmd.exe | 1064 | chcp.com
2080 | cmd.exe | 3776 | PING.EXE
2080 | cmd.exe | 364 | Client.exe
364 | Client.exe | 5072 | schtasks.exe
364 | Client.exe | 4988 | cmd.exe
4988 | cmd.exe | 3000 | chcp.com
4988 | cmd.exe | 1724 | PING.EXE
4988 | cmd.exe | 736 | Client.exe
736 | Client.exe | 4488 | schtasks.exe
736 | Client.exe | 4608 | cmd.exe
4608 | cmd.exe | 4144 | chcp.com
4608 | cmd.exe | 796 | PING.EXE
4608 | cmd.exe | 4344 | Client.exe (reported once; the list stops at 64 entries)
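The WriteProcessMemory pairs above describe one repeating unit: Client.exe creates the "Steam" task, then runs cmd.exe on a random-named .bat in %TEMP%, which sets the code page (chcp 65001), sleeps with ping -n 10 localhost and launches Client.exe again. The Python below, an added example and not sandbox or Quasar code, rebuilds the process tree from process-creation records and flags exactly that pattern: a cmd.exe running a %TEMP% batch whose children include a ping sleep and a relaunch of a binary that is already one of its own ancestors. The record layout (pid, ppid, image, cmdline) is assumed; the records are constructed from the PIDs in the first cycle above, with ppid 1000 standing in for the sandbox launcher, plus one benign control case.

```python
"""Rebuild a process tree and flag the batch-file restart loop this sample runs.
Added example; the records are constructed from the PIDs in this report."""
import re
from collections import defaultdict

CLIENT = r"C:\Program Files (x86)\SubDir\Client.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
TASK = '"schtasks" /create /tn "Steam" /sc ONLOGON /tr "{}" /rl HIGHEST /f'

# Constructed from the report's first cycle; ppid 1000 is an assumed launcher pid.
PROCS = [
    {"pid": 4232, "ppid": 1000, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"pid": 1996, "ppid": 4232, "image": SCHTASKS, "cmdline": TASK.format(DROPPER)},
    {"pid": 1820, "ppid": 4232, "image": CLIENT, "cmdline": f'"{CLIENT}"'},
    {"pid": 1240, "ppid": 1820, "image": SCHTASKS, "cmdline": TASK.format(CLIENT)},
    {"pid": 3944, "ppid": 1820, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GFtV9y4503A2.bat" "'},
    {"pid": 3600, "ppid": 3944, "image": r"C:\Windows\SysWOW64\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 4180, "ppid": 3944, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 4228, "ppid": 3944, "image": CLIENT, "cmdline": f'"{CLIENT}"'},
    # Control case (constructed): a batch that only sleeps and relaunches nothing.
    {"pid": 5100, "ppid": 1000, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\setup.bat"'},
    {"pid": 5101, "ppid": 5100, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping -n 10 localhost"},
]

# cmd.exe /c "<path>.bat" with any number of leading quotes, as in the tree above.
BAT_RE = re.compile(r'cmd\.exe\s+/c\s+"*([^"]+\.bat)"', re.IGNORECASE)
# "ping -n N localhost" used as a sleep.
PING_SLEEP_RE = re.compile(r"^ping(\.exe)?\s+-n\s+\d+\s+(localhost|127\.0\.0\.1)\b", re.IGNORECASE)


def build_tree(procs):
    """Index records by pid and group them by parent pid."""
    by_pid = {p["pid"]: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"]].append(p)
    return by_pid, children


def ancestors(pid, by_pid):
    """Walk pid -> ppid upward, starting process included; stops at unknown or repeated pids."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def find_restart_loops(procs):
    """Flag each cmd.exe that runs a %TEMP% batch which sleeps with ping and
    then starts an image that already appears among its own ancestors."""
    by_pid, children = build_tree(procs)
    findings = []
    for p in procs:
        if not p["image"].lower().endswith("\\cmd.exe"):
            continue
        m = BAT_RE.search(p["cmdline"])
        if not m or "\\temp\\" not in m.group(1).lower():
            continue
        kids = children[p["pid"]]
        sleeps = any(PING_SLEEP_RE.match(k["cmdline"]) for k in kids)
        parent_images = {a["image"].lower() for a in ancestors(p["ppid"], by_pid)}
        relaunch = [k for k in kids if k["image"].lower() in parent_images]
        if sleeps and relaunch:
            new = relaunch[0]
            # Lineage of the relaunched client: non-OS binaries above it, newest first.
            lineage = [a["pid"] for a in ancestors(new["pid"], by_pid)
                       if not a["image"].lower().startswith("c:\\windows\\")]
            findings.append({"cmd_pid": p["pid"], "batch": m.group(1),
                             "new_pid": new["pid"], "image": new["image"], "lineage": lineage})
    return findings


if __name__ == "__main__":
    for f in find_restart_loops(PROCS):
        print(f"cmd {f['cmd_pid']} ran {f['batch']} and relaunched {f['image']} "
              f"as pid {f['new_pid']}; lineage {f['lineage']}")
```

On the full tree each cycle adds two levels, which is how the sandbox reached depth 38 within 600 seconds; the lineage list grows by one Client.exe pid per cycle. The control batch is not flagged because nothing it starts matches an ancestor image.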
Processes

Process tree (the bracketed number is the nesting depth of each process):

[1] C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[2] C:\Program Files (x86)\SubDir\Client.exe
    "C:\Program Files (x86)\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[3] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GFtV9y4503A2.bat" "
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\SysWOW64\chcp.com
    chcp 65001

[4] C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    - Runs ping.exe
[4] C:\Program Files (x86)\SubDir\Client.exe
    "C:\Program Files (x86)\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[5] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NR5EWuUk3223.bat" "
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\SysWOW64\chcp.com
    chcp 65001

[6] C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    - Runs ping.exe

[6] C:\Program Files (x86)\SubDir\Client.exe
    "C:\Program Files (x86)\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[7] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMG7uaFkajPS.bat" "
    - Suspicious use of WriteProcessMemory

[8] C:\Windows\SysWOW64\chcp.com
    chcp 65001

[8] C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    - Runs ping.exe

[8] C:\Program Files (x86)\SubDir\Client.exe
    "C:\Program Files (x86)\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[9] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[9] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEpXilg76oO3.bat" "
    - Suspicious use of WriteProcessMemory

[10] C:\Windows\SysWOW64\chcp.com
    chcp 65001

[10] C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    - Runs ping.exe

[10] C:\Program Files (x86)\SubDir\Client.exe
    "C:\Program Files (x86)\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[11] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[11] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\14LcYMaD1xTE.bat" "

[12] C:\Windows\SysWOW64\chcp.com
    chcp 65001

[12] C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    - Runs ping.exe
[12] C:\Program Files (x86)\SubDir\Client.exe
    "C:\Program Files (x86)\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[13] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[13] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wglVD229dlhn.bat" "

[14] C:\Windows\SysWOW64\chcp.com
    chcp 65001

[14] C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    - Runs ping.exe

[14] C:\Program Files (x86)\SubDir\Client.exe
    "C:\Program Files (x86)\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[15] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[15] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xo8wQfFTRKVB.bat" "

[16] C:\Windows\SysWOW64\chcp.com
    chcp 65001

[16] C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    - Runs ping.exe

[16] C:\Program Files (x86)\SubDir\Client.exe
    "C:\Program Files (x86)\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[17] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[17] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vvidqYJTk5ce.bat" "

[18] C:\Windows\SysWOW64\chcp.com
    chcp 65001

[18] C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    - Runs ping.exe

[18] C:\Program Files (x86)\SubDir\Client.exe
    "C:\Program Files (x86)\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[19] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[19] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcyOhaTdfVzW.bat" "

[20] C:\Windows\SysWOW64\chcp.com
    chcp 65001

[20] C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    - Runs ping.exe

[20] C:\Program Files (x86)\SubDir\Client.exe
    "C:\Program Files (x86)\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[21] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[21] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HvahaF5aFD0a.bat" "

[22] C:\Windows\SysWOW64\chcp.com
    chcp 65001

[22] C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    - Runs ping.exe
[22] C:\Program Files (x86)\SubDir\Client.exe
    "C:\Program Files (x86)\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[23] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[23] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PnZtqXMsJRS5.bat" "

[24] C:\Windows\SysWOW64\chcp.com
    chcp 65001

[24] C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    - Runs ping.exe

[24] C:\Program Files (x86)\SubDir\Client.exe
    "C:\Program Files (x86)\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[25] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[25] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nc8kH9kE6u3x.bat" "

[26] C:\Windows\SysWOW64\chcp.com
    chcp 65001

[26] C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    - Runs ping.exe

[26] C:\Program Files (x86)\SubDir\Client.exe
    "C:\Program Files (x86)\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[27] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[27] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O2W1T2dCQlNw.bat" "

[28] C:\Windows\SysWOW64\chcp.com
    chcp 65001

[28] C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    - Runs ping.exe

[28] C:\Program Files (x86)\SubDir\Client.exe
    "C:\Program Files (x86)\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[29] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[29] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4XSYLt1GgK4P.bat" "

[30] C:\Windows\SysWOW64\chcp.com
    chcp 65001

[30] C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    - Runs ping.exe
[30] C:\Program Files (x86)\SubDir\Client.exe
    "C:\Program Files (x86)\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[31] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[31] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w83hCpJslKb4.bat" "

[32] C:\Windows\SysWOW64\chcp.com
    chcp 65001

[32] C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    - Runs ping.exe

[32] C:\Program Files (x86)\SubDir\Client.exe
    "C:\Program Files (x86)\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[33] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[33] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V3HAdWalOE29.bat" "

[34] C:\Windows\SysWOW64\chcp.com
    chcp 65001

[34] C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    - Runs ping.exe

[34] C:\Program Files (x86)\SubDir\Client.exe
    "C:\Program Files (x86)\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[35] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[35] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FZ1QI789AaQV.bat" "

[36] C:\Windows\SysWOW64\chcp.com
    chcp 65001

[36] C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    - Runs ping.exe

[36] C:\Program Files (x86)\SubDir\Client.exe
    "C:\Program Files (x86)\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[37] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[37] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x12B4VLkV48J.bat" "

[38] C:\Windows\SysWOW64\chcp.com
    chcp 65001

[38] C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"38⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f39⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VrW8b0Hti4uo.bat" "39⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500140⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost40⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"40⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f41⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vFyJh1c4cO4A.bat" "41⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500142⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost42⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"42⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f43⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PfFEZm7a2WuQ.bat" "43⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500144⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost44⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"44⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f45⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYfxDjEA9ceb.bat" "45⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500146⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost46⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"46⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f47⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkmuIZnFN58Y.bat" "47⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500148⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost48⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"48⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f49⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2R3fAayPJVVQ.bat" "49⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500150⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost50⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"50⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f51⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LFnmoSCRaAOO.bat" "51⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500152⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost52⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"52⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f53⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yjvatYQBKvOx.bat" "53⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500154⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost54⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"54⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f55⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C1i8yTsoOpi6.bat" "55⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500156⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost56⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"56⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f57⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WpSFcL6qfUc4.bat" "57⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500158⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost58⤵
- Runs ping.exe
-
C:\Program Files (x86)\SubDir\Client.exe"C:\Program Files (x86)\SubDir\Client.exe"58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 192857⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 219255⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 222453⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 223251⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 221249⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 218047⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 93645⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 222443⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 222441⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 222439⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 219237⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 222435⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 218833⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 220031⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 219629⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 219627⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 220025⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 219223⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 220021⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 222419⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 192417⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 193215⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 170013⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 216811⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 21289⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 18927⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 16125⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 19003⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1820 -ip 18201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4228 -ip 42281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 364 -ip 3641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 736 -ip 7361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4344 -ip 43441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2204 -ip 22041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2968 -ip 29681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 364 -ip 3641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4048 -ip 40481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3836 -ip 38361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3900 -ip 39001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3096 -ip 30961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2820 -ip 28201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4960 -ip 49601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1444 -ip 14441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2772 -ip 27721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3564 -ip 35641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4360 -ip 43601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2820 -ip 28201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 936 -ip 9361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2176 -ip 21761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3876 -ip 38761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3012 -ip 30121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1068 -ip 10681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4912 -ip 49121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4048 -ip 40481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3668 -ip 36681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5032 -ip 50321⤵
Network

MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
-
C:\Program Files (x86)\SubDir\Client.exe
Filesize 288KB
MD5 612513b20674942d2bcf4d0732e0b726
SHA1 26e71467d042ccc4ade033a000a1febac73170d7
SHA256 d0b01d8716df6a5635967566bf4f89daba958ae5689561e956d33f644be14d38
SHA512 ce278631bb21322df5daf5a7b1a8296c2030a1708ec4367e444f9c65138b6f345e79d45138ec24f616b9da94150e82ad4ec3bbcee4282501c7eee568cc50ed8a
-
C:\Users\Admin\AppData\Local\Temp\14LcYMaD1xTE.bat
Filesize 199B
MD5 babb3ec8329cb9da9e7abf8967eb965e
SHA1 2e647943c173f2d3519fb2cdd5f6293b8342276b
SHA256 e26d8a841704e988e909fbe913d21b980692479c662eda9b55e5c52e9e8b0f95
SHA512 45836d89e721898dd013431ccb695a1ff0f6326e16016d305850ebee10e592bb97d6561d2697727dd8678814ee5f80c5d1281bf4e98e7f7aa4b2dbbd19c71626
-
C:\Users\Admin\AppData\Local\Temp\4XSYLt1GgK4P.bat
Filesize 199B
MD5 cc6b654ca7d1ddf28764791454db3aff
SHA1 f92a6d24863fb6cbdeeb4ba45c8abe754f68e3b5
SHA256 983951aeca53fddcbc90da8bec250375890734fff8049755bafa509d73d9556e
SHA512 1f66e418f33a357011e7b8046e2bd907561aec22cb46bdb22f3d5fc56f552220701afc06f4e5853f3859d4c542882f5d5866ba3b1ef1139ffe240777db2ad77a
-
C:\Users\Admin\AppData\Local\Temp\FZ1QI789AaQV.bat
Filesize 199B
MD5 fcc86cb3c292f89383ca01bdd6ccc1ca
SHA1 b3ee6ed845cd7e6a93698a73ca8aec0efb63b3ab
SHA256 98b8ad5b52689684721ed7d55a76da12d9d14897646a028c69c29391af1de2d2
SHA512 623933f7808af21f76e588d383d1788c094a22d60ff8c166f8f11c15c35af23621654537e095f067839b3237bcb8dfba8bd7fc6a40a77708242841ca2e998857
-
C:\Users\Admin\AppData\Local\Temp\GFtV9y4503A2.bat
Filesize 199B
MD5 d3d91d9225a146f85ec4f2f2eb7a7ff4
SHA1 d0350adb363892fb15007d1f57a5f8f26cee811c
SHA256 794dcb70f63ad914cdf6bf984dbcd780903ca34b54ae92b250f3d63b9f02711d
SHA512 3dfaf2e6b5d7d209425cf61f5cb93cd4864f0a0ad17abee283d617efe558badfad49c14756fb48b6f444f9595ca265b313259ad84c40cb400c1f58ec03e907e0
-
C:\Users\Admin\AppData\Local\Temp\HvahaF5aFD0a.bat
Filesize 199B
MD5 6f9f3e78f7e6b43f191158a681846939
SHA1 4cf7841521a5c8e474cc88ee703b9f566ca915ca
SHA256 6e3a55a6c8dc6be22568c1248e8dce5cac77d953bb9f4c3a03102b11c756a11b
SHA512 77f0a7146c4389c1eaa20357376d238756435afee907274479c899274ef576d75fe3df57d6266f483ba019ac966a95e45c95e03a28cb39ae2091c41cabbb6717
-
C:\Users\Admin\AppData\Local\Temp\JEpXilg76oO3.bat
Filesize 199B
MD5 5b5a3b8d76ecb475719c423f2b3190ed
SHA1 43d0bae361a2b22ae9a6fe77d14c284e9fd6a3f4
SHA256 ca9ab3a18a3046514ea57549da4a4717c14896818f94499890561a70deeb5902
SHA512 12ea61716a714c30b9a7f1c2700f9dbafe1022c590c6b05a7de8a6db809e645de00d1239812d2e251d7fef0c9ab35f00c19a618a6aaf1b837bd1d883e5f09e6e
-
C:\Users\Admin\AppData\Local\Temp\NR5EWuUk3223.bat
Filesize 199B
MD5 81bb631ff6c6ba59213ce993caf5f913
SHA1 ce6cf2687da6c25183db4256ee910745044fa0b5
SHA256 aa42816b9f3ac668b200d00a70d8007128c445c5470ea6a855d56541ac4f55ec
SHA512 89524f650859529c9b02293ae6bb4d2f4df73ade5816ad0ff6d9656adc662e876a150038e44b11c558a1fbcfa92ba78cc5c25213635a95c00dd970b1170df06a
-
C:\Users\Admin\AppData\Local\Temp\O2W1T2dCQlNw.bat
Filesize 199B
MD5 ed236ff5117acaa3dc285aefcb64f757
SHA1 049100f2b537a7bba68b3cfc479b1a44d56ca318
SHA256 4396f9b4b6f10437b0ee07779e5b9e84c24f6a09e35bd08325832e1a8eb28bfb
SHA512 100ee6f1fc3c49ac6c93dfa953ce8dc6cce8b6d3b450f92df1b1d0522cfe9c8cf277407425511f7851649aafa4889b09254de7518dde08276300c13b75059a51
-
C:\Users\Admin\AppData\Local\Temp\PfFEZm7a2WuQ.bat
Filesize 199B
MD5 983d4109737f293a3d9fd7b94540b3a3
SHA1 787fb7612787ae2959b4d7f510fad652365b041e
SHA256 e83bc961b11457613a4d8b56a9938b33e048bf6bc079c727c3b14b96ba14fa74
SHA512 8dd47f9bc6424fe61d6ed86c75a98ff9efb238d75c047577d62dd58efb53fe836fdb47b759d166079a860784037d5490176ff68020a04570a19ca951b00db52a
-
C:\Users\Admin\AppData\Local\Temp\PnZtqXMsJRS5.bat
Filesize 199B
MD5 d81078d69b2b0cf6d1ea56fbddea2062
SHA1 efc8ffd2173340af0f7e31f7bcaca0e2640e330b
SHA256 e2d708d71c0d74b9c80ae6453d6ec890cc29716279734cca0b2a753bd9800f67
SHA512 2619a38b8ca7b3584372cf3d4835ec8e8e5f5f24810f9da4fa315d5a19ec704b521feb95c2a0c12f227e60639390b08f55ee9e9dbccd9c1576459fece5a8517f
-
C:\Users\Admin\AppData\Local\Temp\V3HAdWalOE29.bat
Filesize 199B
MD5 610d665acf27a92d880b112c45694074
SHA1 d210e778e3bcda8caefbd78d5549c497bc92c9b6
SHA256 6f29bb8b3b8a3ae379b7909be0bc64b4406d8213c338225994adbb84613ead10
SHA512 b0dbf45f9f5d8ba8d3f4b7e5b6ecc96b37646245fea0f1a96251e8a85c2012326afaf14d60da30f1c260e41bfb7c0b8b5db6a55f5165699ced141a3100490e8d
-
C:\Users\Admin\AppData\Local\Temp\VrW8b0Hti4uo.bat
Filesize 199B
MD5 4c93d66b1ef60ea1c07b7d818f2c614d
SHA1 3c40cd2cee4feff3435b3026b64cf8bd79a19a4d
SHA256 e3213a7909bc3171312bf832c4e2d7b776fc2becdfc4c8bdbcd5b79149cf2822
SHA512 ab088705f6bbe75b5e54644f5e1e2716f2f5949aff4c986614c29888fa0f4f104d90c9b5bd00cda60e356e27df02e9b8843cebf4e60a5cba16a92d0610dbbe67
-
C:\Users\Admin\AppData\Local\Temp\nc8kH9kE6u3x.bat
Filesize 199B
MD5 ba7c4557eddf33b2a618bd6a2baeb619
SHA1 31e590eb389fcf125ab5103519bcfc394ec558f6
SHA256 e89677052448e8e33fbaf95a5b4c70a85769ab92fd33607633d78c05ca0a6611
SHA512 8e1e1ac2e1f3b79c7b049fb950847c3402eeb46435679c56853ebbf9ec3524f9f0c702e6f413cb484dc05b596212be777bc59a615330f6b6929f4bf5597be1a1
-
C:\Users\Admin\AppData\Local\Temp\tMG7uaFkajPS.bat
Filesize 199B
MD5 33151b424225bd32d3bc40e38aa9910f
SHA1 3a9b3cb034ae882fdf5d1334d0ec87477b7beb22
SHA256 941196d9a17fa4eb93dd66c3ac80de78c917ee672173f1b1d17335dface14ea6
SHA512 8cbdeef9f0a77cb40d6c5c2a8119b2c539501932c5442f4f4c59e8be4e58211034ff4f5c52517153354a8ffbcf376e5b3ba4922e56cc26feee713c3aa5f9ac82
-
C:\Users\Admin\AppData\Local\Temp\vFyJh1c4cO4A.bat
Filesize 199B
MD5 a5c96856ee44880ad9f63e95e41b7e61
SHA1 0765460bf078f66fe624bcc4162d5deabb909785
SHA256 5a24a3cb6afe2a8f4d33423f685bfbc3ba8f304731aee1bc65760cfda57658e6
SHA512 13f7187d18970102dc77370a1f3f2e5e6f0aa6073ce1e717fd3233107896912df28dc65d5156edc1b78eac792541cc0711d9a2943395e5c33a43762fd8fb3e74
-
C:\Users\Admin\AppData\Local\Temp\vvidqYJTk5ce.bat
Filesize 199B
MD5 484428f75f5d8c1de1e46670c182beaa
SHA1 ceaae56963d9e5de6d9e4f83a0e23d959fa90087
SHA256 1c492c9336b6c1e4ed18895526692be014f387211e164580651db8645030bc47
SHA512 3973328742ba29a36229ab37236ee6113d17f8ec157d269a2415d740b4f772fd8fefd1fc6a93231f7dd4f1ba6cad3e7548fe7253b60b4d3843b18fc1404109af
-
C:\Users\Admin\AppData\Local\Temp\w83hCpJslKb4.bat
Filesize 199B
MD5 d9806a5a7410b710133e1ff5063d9143
SHA1 524ce187953c91cbc212c18cb6090b6fd22c9b02
SHA256 445dba6fd791ef67019f76deeb8990b261007a234e7ff5b02474f822639c2d3b
SHA512 18bc93fd0fdf4205389f3ba583cdc9cf3e5e9598d9ef29a8eb9731a6034698f929dc9acde71b9a168e1c30fbbcfd5600a8dbfba76ddc53f4be7531e551c47810
-
C:\Users\Admin\AppData\Local\Temp\wglVD229dlhn.bat
Filesize 199B
MD5 454474d41a748dd5d4cb6004170fd562
SHA1 44af4d28332dcda84ed937a6444b602f75434fd1
SHA256 0d25eb86bae41c4504d84cdf71208aaa7e875ef7cf5963a0ad4f6bd1e74f462e
SHA512 c86a3b79aaec56ca68df29aee6f3bb95d7408ce2aa28dbe4863d59e4a7df5ca37fd3ada2e73a6561b7cb8c1ac9f3f80e4bc528ddfdc727fd34ab3cddb9ae05c2
-
C:\Users\Admin\AppData\Local\Temp\x12B4VLkV48J.bat
Filesize 199B
MD5 95398e8d8aaf84bde033b880edca1332
SHA1 9507d4276d8d5b8cc08949cbd73ccdf482c8ce72
SHA256 e8d10acea2d3ef5ee11ea562437eb368f36f24a605d5cb203911ac1b90db1588
SHA512 ff7aa8c6f3ab5751d967aa937603ed1a2276b919a8d03ead11e87f80e0abcbd96f7eb71f1af5b198b8d7ebd9daacaccd30a23011d96925397ee950160e820a63
-
C:\Users\Admin\AppData\Local\Temp\xo8wQfFTRKVB.bat
Filesize 199B
MD5 4775946fce9b390c6eaad8f0e18e9306
SHA1 fb05d331a5d65751133400feaeb5fc77a98a4114
SHA256 193224ec023acee9f9101c4ca7bd68ccf154c0451e0f9e09ca30c40ac3a42a6e
SHA512 fba6f839bf80fa45ede41007d9a6d10d0f271a3789025ede790b50452568f9f56ba26eaf893af6f193c8d5dd9da1995770cfe2252c6cb3f7c66860f0122515a0
-
C:\Users\Admin\AppData\Local\Temp\zcyOhaTdfVzW.bat
Filesize 199B
MD5 20a56062fb88f138c5bfe7510dc49dd4
SHA1 26eaf4c177e6c92329fdbec8eaf1e1187d2c981e
SHA256 4004a1ad3ecdbca53995af1db150dd0906ff12d65d9699b7fd99c5140d2f4b7c
SHA512 0e28615d9ca294b7414433130a997046dcdef6360731fbce504733891a42b9246744e21b78597adc6ae63eff3b4af7383a6cd8f37183cb6088ed85adf23d4f65
-
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize 224B
MD5 f7b09341fdf1a552d2bcc9a80a06b787
SHA1 e4847175e9acfa960d6d50530b38873d24a9645f
SHA256 41e1ad6f4656ea00c8c7b8a6151c839d197e45b3457805b60936edcd7676181c
SHA512 74a0e204fcb3677176626cd0d64a89f1a513a7da95ad4d32180095da57b773c4cb832a58e862850dda0fe1604556f90476a224f3526c4ee5943199b723de13f1
-
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize 224B
MD5 4edabf5bc0224cb7e8393b8366041e43
SHA1 e5a4634e0d25e67003952ed9b16eb8b459e29475
SHA256 e05628812ef7ccadcb0426ed82e66230ad3354b6c4aa3fed3f8e75267811dae7
SHA512 ac6b9d651afa7f83435721e3c105954981bb6ded9ff97c397eeba0f622750695f4c38292d4391350a6b8e8eb8b0dc1f7ad4a8c8c744caae81b4c7f9fdf37cc90
-
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize 224B
MD5 7cc2fda7d089e32680759ea1e70a8a80
SHA1 b1000c356a372a6ba1b7f237806b6a1d2690fb0f
SHA256 5239d1757e8a5877d5ec54a9677e5df8a20b8d132d6a7ac815f41e01681d81ea
SHA512 34e2ea2b910e0e90cc3dba411929b39307789fc6b97fd9d699b98027d8db79bd0d1070cbc6b71b707362709e085e0116edc061c5d28808beb2ca48b7348855f6
-
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize 224B
MD5 bc1177d248e2cfb5563a51883500ad61
SHA1 d7c9ee07f77a4a0c2c6f706677c1d6e0118d271d
SHA256 adcdbb7b6e6e22d18b96fd8b69ed692786d57a721d6bba85397cf961a2fbf5b6
SHA512 4072d703460564b40afdd08dd3d91d3c62fca64abff15c4910ccd3ba0d789c5a5abc3701a8253c32beca70400f83b82d9bc508d168716b6842a074efa4f6e299
-
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize 224B
MD5 fcb19624f942ee07b2f5833d85daf3eb
SHA1 5560e34bb4581b9f0e87d4d600c87d42b1c6bf6d
SHA256 c0f7ae8274f6862b9947317625d938e10755fd966d554474d59daae1f78e4808
SHA512 17cb00b859e9b3b7fe710c5ce1f96955cb21c1da1b6eca4cda252cfaac324bc5406f6d053e4bea46ae7789f166fc828a04da57ecab2cb417c2e8a015cb6ebc46
-
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize 224B
MD5 d165039ba689620f29045c8854a2e412
SHA1 46c52223f88e60deb3ed237cbde64bf2c65ea282
SHA256 cf1db797814ac2bfb5cf470e3c669c9169fc1b1c9da57edadc4af72024f7eaf0
SHA512 3172cd8959a7fb943e2e340fbed5151552763aebf6ba9624db20b799384272168052a763e38aa057935e5944dec8082119d521bdf94c0a4d3c2e3b6b0eeeb57d
-
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize 224B
MD5 dcf79b40a777488a7aa1b8aa9740f41d
SHA1 6431d399ebd0fa4303a955272d2f390ba70ce35f
SHA256 a805a47e47b0b28d164b3b3544460d9d8a598067d53a022ae6c2bea241367d72
SHA512 a0abb34084f31bbe0d60c8657fbb58b33382ab093f4ec77e0bd5dcaff440882603bc34ceb867a943e9934b62b19ed97b23d39bfdb948a735ca073167dd5e6df1
-
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize 224B
MD5 960775caa8d831133d6241a623e692f2
SHA1 f5bd130e618b0d1c25d4309505f5f31b778ee705
SHA256 445cf594bbf7bfdbfa8823f46d5d0b725a232e1150ea2d3baefc8973f0079816
SHA512 359dc3320749965e61e885600950a932c7428509f1bf7543bd16bd5e24dea2a1edef4d9146bb8fac6234f9193a36f2732736f3bade3e150a96fb80fbc5a77b78
-
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize 224B
MD5 394fa8e9d76c47b360277cf90447b001
SHA1 bb8e9e5508793f26f8527ee89b967221d6f4bef2
SHA256 4694fde506886be7f366cfa27ddf1ac0f77ca5cc0162fac9dfe3de4b7b564e04
SHA512 4f75f75ecc1773fdaa7cc207444b439c92cdd4b45c0ab8cead54415a9a3dc9ccfb7541e83387a8c8c14ae9dd61a6de513802c8438280154d9dc4a136d46b897b
-
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize 224B
MD5 c7a227cf797e1613017fcf9657d7bcd3
SHA1 50fb8b0db3b90343d3cdaa882750e31563c06433
SHA256 53ae526d534387bb419e44f8fec0a4efd1fca7c9f555f59cb677edd2ba07192c
SHA512 717b086def4f9ab7cc530beec59d7556df87e2243deecdb7455ea53d6ed7bd2b636053fab619d033fa437cdaeb0af2c0a4fb6c6ce1478e69d9e276d050b78f1a
-
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize 224B
MD5 becb77621f3261b388e0d5425264fbda
SHA1 a98a5911d5fd8e0ad3ae22d3fb0a8f42cc6dd920
SHA256 507bed0ebd7683fcc97ed56c351860adfb298e1d7f534a4439d94ddf9f2ebc27
SHA512 cc6bcd2d1cd2a93f0166e75c515fccc3cfcf33521db65455fb18fe542710f4257d4df603a0f74149f493e49be092d4de6bb8a52258130687f8593e9bf4427a8f
-
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize 224B
MD5 c1f9fb68b3a1aed8a449b8b9f050da7e
SHA1 fa7dacaa857a58e839515aabd27499bca0f88f1d
SHA256 0709a3672449740fb19eea84e02c78d19c8c0fa625b085136b1fd62d6d954876
SHA512 0f2f9b8d421e0cc953552884f66c4f709af2b8130d422e5708a4ab44d2c87c18ab4a281cfa5f959fd7b2969fc50532419aaabe93fb7c1b331237773ea56ded16
-
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize 224B
MD5 97fa641fc70217c055e63c90e0a0e098
SHA1 1d8092f7f3c125be3f59649756f2ae090edd087f
SHA256 6ff56697f1ea61daaccc9f09992be90cb6fffd5d03fcb6ef237f1ad50e7ebdda
SHA512 503d27e6304bab7e975826eed49a1b0ea3b01352c0bc1f02039850f53ed20bded729ed10aef4025ba7fc1d0d57ff7454b5be08d03be5caec08def8f8d378a58d
-
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize 224B
MD5 a2b24a3b5cc96d4513646cce60608a15
SHA1 2520a4b998cc698d9f50f12ddd3053e76d525a5f
SHA256 4bbcf10e0c2a4e53aa5664d923cf71b77ee68436e47dc9aff0d58206cf5e77c8
SHA512 e3193a2fda719537cc705a80c329818cfec37831332b3e32ab644bf562a2d93a18c06235978111b6d163e13a1dc8723694c95af09bc50d16973e481e1471cf38
-
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize 224B
MD5 c354d29e0f5ac488970828b679e3c413
SHA1 0659a5568f4469687ddc83dd4d72bab5ad9a1364
SHA256 f015b91c9828aab88453d2161777ab56d312cef97a3d11ea1985e946c5870d0f
SHA512 2c72ce89b2a0fc13e3cf2931dedd971e58f7eba36b7475a8f6c7b2bd8468173e0dd15aeb5bd1ffd360349457bff692ac629fff2608015ca55f6501c043a1575b
-
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize 224B
MD5 4d19b5b9d4087b7aff57622dfda631e6
SHA1 1caf9f88a43043b0e8b708835de62ed397baae57
SHA256 315cc63e688e3ef5b4bd6ee2be27c2813e5d31a7930e4dd68e789e58425c92ff
SHA512 28b47f61d9847b7f97821fc4938d8833bcf97b0d55a9f6fbea540e735e7e21c5eb03e8f56ca551f852ae0f0a6cb67ed6c0f64e7f50c0a4cf75b1da6ffe95b90a
-
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize 224B
MD5 e5d6a629cfa28f94d3fa38d19f7eea78
SHA1 e5e03d574f423abb280f8ceaad64300c68f4ddbe
SHA256 82f99017b072234e326ba2e3a52db90346478f75a21b355c97823f6cd49aac28
SHA512 d9d2ff19c79f19627378d1431d77a6f066c88d38562dc51d022cca0960e0be92e66b9868c6344e97faf75cd484c901892e3537c1ad49d8fadf066f968ff1d9e0
-
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize 224B
MD5 973fb6bb6bfa3011d8111d125a9fef82
SHA1 3de9d713b7d54ef54b2b9c381d5343357c52c1a7
SHA256 ef0c5cc9373facc0af4c66091b0313381f9625ad43f1579176da7c4f079c9b72
SHA512 9de426679a8bedcc9f8cace308dcf8d20a8a1ac8201398458fd90ca8f7543c46307a627021100f754e635272a32661664ef1f176f3b43448df5716d5b62a401e
-
C:\Users\Admin\AppData\Roaming\Logs\06-29-2024
Filesize 224B
MD5 5aacb6a2688e51cb82f8c2b10668bccf
SHA1 290052f12858324a8af36418bcacb48f3dcb4a15
SHA256 28735928ea33e260021483b8576f5751fff4c542c09eaf5f6c3f4f42a0c8e7ca
SHA512 6b18afc46f6f320a6a2e49958356cca4af7a3e0d832ef33e939225aab2469f6ff3ab0ddb2b22258b41660faa9ac551258d45ec92da6dc8dd7d56b8b1267f47ad
-
memory/1820-17-0x00000000749F0000-0x00000000751A0000-memory.dmp
Filesize 7.7MB
-
memory/1820-15-0x00000000749F0000-0x00000000751A0000-memory.dmp
Filesize 7.7MB
-
memory/1820-24-0x00000000749F0000-0x00000000751A0000-memory.dmp
Filesize 7.7MB
-
memory/1820-19-0x0000000006590000-0x000000000659A000-memory.dmp
Filesize 40KB
-
memory/4232-16-0x00000000749F0000-0x00000000751A0000-memory.dmp
Filesize 7.7MB
-
memory/4232-0-0x00000000749FE000-0x00000000749FF000-memory.dmp
Filesize 4KB
-
memory/4232-8-0x00000000749F0000-0x00000000751A0000-memory.dmp
Filesize 7.7MB
-
memory/4232-7-0x00000000749FE000-0x00000000749FF000-memory.dmp
Filesize 4KB
-
memory/4232-6-0x0000000006390000-0x00000000063A2000-memory.dmp
Filesize 72KB
-
memory/4232-5-0x0000000005570000-0x00000000055D6000-memory.dmp
Filesize 408KB
-
memory/4232-4-0x00000000749F0000-0x00000000751A0000-memory.dmp
Filesize 7.7MB
-
memory/4232-3-0x00000000055F0000-0x0000000005682000-memory.dmp
Filesize 584KB
-
memory/4232-2-0x0000000005BA0000-0x0000000006144000-memory.dmp
Filesize 5.6MB
-
memory/4232-1-0x0000000000B30000-0x0000000000B7E000-memory.dmp
Filesize 312KB