quasar | 809964ab91ce04e170c33c00343fa8aebc01c3ae46b32ed66821726a6fa6c753

Resubmissions

01-07-2024 21:39

240701-1hmhpa1epc 10

11-06-2024 21:46

240611-1m3epsshpd 10

11-06-2024 21:42

240611-1kjjtasgqc 10

Analysis

max time kernel
924s
max time network
457s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
01-07-2024 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeeeee.exe
Size

3.1MB
MD5

a207f2326a2eac7a5229faadbb4efde9
SHA1

47e061e350caad04fe5249dfec6bd0e5719314a2
SHA256

809964ab91ce04e170c33c00343fa8aebc01c3ae46b32ed66821726a6fa6c753
SHA512

961e273cd252331ef100e9239fb03da60aa6b1954f6864509cd643adcfaf2afb6df7d7b20b765d0092a01b03cee8950f85f0f9298d46ce0d9d1de1385da754bf
SSDEEP

49152:fvAG42pda6D+/PjlLOlg6yQipVAiDkE2HGk/+F9oGdoRjTHHB72eh2NT:fvD42pda6D+/PjlLOlZyQipVAiDHn

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

com-cathedral.gl.at.ply.gg:60312:60312

1998:1998

Mutex

7275eed2-cfc2-4aaa-85a9-989867afc89d

Attributes

encryption_key
1F7D88978B03E5C08F9DEDBD0A0F2EF673BE9527
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/3900-1-0x0000000000950000-0x0000000000C74000-memory.dmp family_quasar
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

resource	yara_rule
behavioral1/memory/3900-1-0x0000000000950000-0x0000000000C74000-memory.dmp	family_quasar

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2804	PING.EXE
2636	PING.EXE
4812	PING.EXE
3656	PING.EXE
2340	PING.EXE
3320	PING.EXE
1844	PING.EXE
3268	PING.EXE
1524	PING.EXE
964	PING.EXE
904	PING.EXE
2300	PING.EXE
1120	PING.EXE
3568	PING.EXE
3132	PING.EXE
1672	PING.EXE
2352	PING.EXE
4984	PING.EXE
4052	PING.EXE
3032	PING.EXE
4448	PING.EXE
2820	PING.EXE
3108	PING.EXE
468	PING.EXE
644	PING.EXE
1808	PING.EXE
1420	PING.EXE
1904	PING.EXE
2188	PING.EXE
1016	PING.EXE
1528	PING.EXE
3400	PING.EXE
4588	PING.EXE
2632	PING.EXE
2684	PING.EXE
4512	PING.EXE
3780	PING.EXE
4576	PING.EXE
3420	PING.EXE
4980	PING.EXE
4688	PING.EXE
3100	PING.EXE
200	PING.EXE
1604	PING.EXE
3324	PING.EXE
3276	PING.EXE
3232	PING.EXE
3616	PING.EXE
3156	PING.EXE
2868	PING.EXE
2280	PING.EXE
2672	PING.EXE
2992	PING.EXE
1460	PING.EXE
3684	PING.EXE
2004	PING.EXE
1224	PING.EXE
3232	PING.EXE
5116	PING.EXE
2368	PING.EXE
2744	PING.EXE
1188	PING.EXE
4088	PING.EXE
4544	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

eeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exeeeeeee.exe

description	pid	process
Token: SeDebugPrivilege	3900	eeeeee.exe
Token: SeDebugPrivilege	2544	eeeeee.exe
Token: SeDebugPrivilege	1588	eeeeee.exe
Token: SeDebugPrivilege	2668	eeeeee.exe
Token: SeDebugPrivilege	3860	eeeeee.exe
Token: SeDebugPrivilege	3488	eeeeee.exe
Token: SeDebugPrivilege	3588	eeeeee.exe
Token: SeDebugPrivilege	852	eeeeee.exe
Token: SeDebugPrivilege	3152	eeeeee.exe
Token: SeDebugPrivilege	1124	eeeeee.exe
Token: SeDebugPrivilege	4532	eeeeee.exe
Token: SeDebugPrivilege	3904	eeeeee.exe
Token: SeDebugPrivilege	1852	eeeeee.exe
Token: SeDebugPrivilege	4764	eeeeee.exe
Token: SeDebugPrivilege	792	eeeeee.exe
Token: SeDebugPrivilege	2176	eeeeee.exe
Token: SeDebugPrivilege	3496	eeeeee.exe
Token: SeDebugPrivilege	4972	eeeeee.exe
Token: SeDebugPrivilege	940	eeeeee.exe
Token: SeDebugPrivilege	1212	eeeeee.exe
Token: SeDebugPrivilege	2660	eeeeee.exe
Token: SeDebugPrivilege	4536	eeeeee.exe
Token: SeDebugPrivilege	4792	eeeeee.exe
Token: SeDebugPrivilege	4524	eeeeee.exe
Token: SeDebugPrivilege	4240	eeeeee.exe
Token: SeDebugPrivilege	3920	eeeeee.exe
Token: SeDebugPrivilege	4388	eeeeee.exe
Token: SeDebugPrivilege	2760	eeeeee.exe
Token: SeDebugPrivilege	3636	eeeeee.exe
Token: SeDebugPrivilege	1128	eeeeee.exe
Token: SeDebugPrivilege	808	eeeeee.exe
Token: SeDebugPrivilege	2436	eeeeee.exe
Token: SeDebugPrivilege	2396	eeeeee.exe
Token: SeDebugPrivilege	3112	eeeeee.exe
Token: SeDebugPrivilege	4220	eeeeee.exe
Token: SeDebugPrivilege	4976	eeeeee.exe
Token: SeDebugPrivilege	2700	eeeeee.exe
Token: SeDebugPrivilege	5048	eeeeee.exe
Token: SeDebugPrivilege	1436	eeeeee.exe
Token: SeDebugPrivilege	4176	eeeeee.exe
Token: SeDebugPrivilege	72	eeeeee.exe
Token: SeDebugPrivilege	4192	eeeeee.exe
Token: SeDebugPrivilege	4992	eeeeee.exe
Token: SeDebugPrivilege	4252	eeeeee.exe
Token: SeDebugPrivilege	4968	eeeeee.exe
Token: SeDebugPrivilege	5012	eeeeee.exe
Token: SeDebugPrivilege	2576	eeeeee.exe
Token: SeDebugPrivilege	3740	eeeeee.exe
Token: SeDebugPrivilege	4548	eeeeee.exe
Token: SeDebugPrivilege	904	eeeeee.exe
Token: SeDebugPrivilege	2236	eeeeee.exe
Token: SeDebugPrivilege	900	eeeeee.exe
Token: SeDebugPrivilege	2628	eeeeee.exe
Token: SeDebugPrivilege	4508	eeeeee.exe
Token: SeDebugPrivilege	4300	eeeeee.exe
Token: SeDebugPrivilege	1996	eeeeee.exe
Token: SeDebugPrivilege	2200	eeeeee.exe
Token: SeDebugPrivilege	3656	eeeeee.exe
Token: SeDebugPrivilege	3944	eeeeee.exe
Token: SeDebugPrivilege	464	eeeeee.exe
Token: SeDebugPrivilege	2068	eeeeee.exe
Token: SeDebugPrivilege	2708	eeeeee.exe
Token: SeDebugPrivilege	5116	eeeeee.exe
Token: SeDebugPrivilege	2588	eeeeee.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

pid	process
3900	eeeeee.exe
2544	eeeeee.exe
1588	eeeeee.exe
2668	eeeeee.exe
3860	eeeeee.exe
3488	eeeeee.exe
3588	eeeeee.exe
852	eeeeee.exe
3152	eeeeee.exe
1124	eeeeee.exe
4532	eeeeee.exe
3904	eeeeee.exe
1852	eeeeee.exe
4764	eeeeee.exe
792	eeeeee.exe
2176	eeeeee.exe
3496	eeeeee.exe
4972	eeeeee.exe
940	eeeeee.exe
1212	eeeeee.exe
2660	eeeeee.exe
4536	eeeeee.exe
4792	eeeeee.exe
4524	eeeeee.exe
4240	eeeeee.exe
3920	eeeeee.exe
4388	eeeeee.exe
2760	eeeeee.exe
3636	eeeeee.exe
1128	eeeeee.exe
808	eeeeee.exe
2436	eeeeee.exe
2396	eeeeee.exe
3112	eeeeee.exe
4220	eeeeee.exe
4976	eeeeee.exe
2700	eeeeee.exe
5048	eeeeee.exe
1436	eeeeee.exe
4176	eeeeee.exe
72	eeeeee.exe
4192	eeeeee.exe
4992	eeeeee.exe
4252	eeeeee.exe
4968	eeeeee.exe
5012	eeeeee.exe
2576	eeeeee.exe
3740	eeeeee.exe
4548	eeeeee.exe
904	eeeeee.exe
2236	eeeeee.exe
900	eeeeee.exe
2628	eeeeee.exe
4508	eeeeee.exe
4300	eeeeee.exe
1996	eeeeee.exe
2200	eeeeee.exe
3656	eeeeee.exe
3944	eeeeee.exe
464	eeeeee.exe
2068	eeeeee.exe
2708	eeeeee.exe
5116	eeeeee.exe
2588	eeeeee.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

pid	process
3900	eeeeee.exe
2544	eeeeee.exe
1588	eeeeee.exe
2668	eeeeee.exe
3860	eeeeee.exe
3488	eeeeee.exe
3588	eeeeee.exe
852	eeeeee.exe
3152	eeeeee.exe
1124	eeeeee.exe
4532	eeeeee.exe
3904	eeeeee.exe
1852	eeeeee.exe
4764	eeeeee.exe
792	eeeeee.exe
2176	eeeeee.exe
3496	eeeeee.exe
4972	eeeeee.exe
940	eeeeee.exe
1212	eeeeee.exe
2660	eeeeee.exe
4536	eeeeee.exe
4792	eeeeee.exe
4524	eeeeee.exe
4240	eeeeee.exe
3920	eeeeee.exe
4388	eeeeee.exe
2760	eeeeee.exe
3636	eeeeee.exe
1128	eeeeee.exe
808	eeeeee.exe
2436	eeeeee.exe
2396	eeeeee.exe
3112	eeeeee.exe
4220	eeeeee.exe
4976	eeeeee.exe
2700	eeeeee.exe
5048	eeeeee.exe
1436	eeeeee.exe
4176	eeeeee.exe
72	eeeeee.exe
4192	eeeeee.exe
4992	eeeeee.exe
4252	eeeeee.exe
4968	eeeeee.exe
5012	eeeeee.exe
2576	eeeeee.exe
3740	eeeeee.exe
4548	eeeeee.exe
904	eeeeee.exe
2236	eeeeee.exe
900	eeeeee.exe
2628	eeeeee.exe
4508	eeeeee.exe
4300	eeeeee.exe
1996	eeeeee.exe
2200	eeeeee.exe
3656	eeeeee.exe
3944	eeeeee.exe
464	eeeeee.exe
2068	eeeeee.exe
2708	eeeeee.exe
5116	eeeeee.exe
2588	eeeeee.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

eeeeee.execmd.exeeeeeee.execmd.exeeeeeee.execmd.exeeeeeee.execmd.exeeeeeee.execmd.exeeeeeee.execmd.exeeeeeee.execmd.exeeeeeee.execmd.exe

description	pid	process	target process
PID 3900 wrote to memory of 1136	3900	eeeeee.exe	cmd.exe
PID 3900 wrote to memory of 1136	3900	eeeeee.exe	cmd.exe
PID 1136 wrote to memory of 4740	1136	cmd.exe	chcp.com
PID 1136 wrote to memory of 4740	1136	cmd.exe	chcp.com
PID 1136 wrote to memory of 3620	1136	cmd.exe	PING.EXE
PID 1136 wrote to memory of 3620	1136	cmd.exe	PING.EXE
PID 1136 wrote to memory of 2544	1136	cmd.exe	eeeeee.exe
PID 1136 wrote to memory of 2544	1136	cmd.exe	eeeeee.exe
PID 2544 wrote to memory of 3356	2544	eeeeee.exe	cmd.exe
PID 2544 wrote to memory of 3356	2544	eeeeee.exe	cmd.exe
PID 3356 wrote to memory of 3884	3356	cmd.exe	chcp.com
PID 3356 wrote to memory of 3884	3356	cmd.exe	chcp.com
PID 3356 wrote to memory of 3032	3356	cmd.exe	PING.EXE
PID 3356 wrote to memory of 3032	3356	cmd.exe	PING.EXE
PID 3356 wrote to memory of 1588	3356	cmd.exe	eeeeee.exe
PID 3356 wrote to memory of 1588	3356	cmd.exe	eeeeee.exe
PID 1588 wrote to memory of 2112	1588	eeeeee.exe	cmd.exe
PID 1588 wrote to memory of 2112	1588	eeeeee.exe	cmd.exe
PID 2112 wrote to memory of 1332	2112	cmd.exe	chcp.com
PID 2112 wrote to memory of 1332	2112	cmd.exe	chcp.com
PID 2112 wrote to memory of 4448	2112	cmd.exe	PING.EXE
PID 2112 wrote to memory of 4448	2112	cmd.exe	PING.EXE
PID 2112 wrote to memory of 2668	2112	cmd.exe	eeeeee.exe
PID 2112 wrote to memory of 2668	2112	cmd.exe	eeeeee.exe
PID 2668 wrote to memory of 1412	2668	eeeeee.exe	cmd.exe
PID 2668 wrote to memory of 1412	2668	eeeeee.exe	cmd.exe
PID 1412 wrote to memory of 1500	1412	cmd.exe	chcp.com
PID 1412 wrote to memory of 1500	1412	cmd.exe	chcp.com
PID 1412 wrote to memory of 4360	1412	cmd.exe	PING.EXE
PID 1412 wrote to memory of 4360	1412	cmd.exe	PING.EXE
PID 1412 wrote to memory of 3860	1412	cmd.exe	eeeeee.exe
PID 1412 wrote to memory of 3860	1412	cmd.exe	eeeeee.exe
PID 3860 wrote to memory of 2176	3860	eeeeee.exe	cmd.exe
PID 3860 wrote to memory of 2176	3860	eeeeee.exe	cmd.exe
PID 2176 wrote to memory of 3656	2176	cmd.exe	chcp.com
PID 2176 wrote to memory of 3656	2176	cmd.exe	chcp.com
PID 2176 wrote to memory of 904	2176	cmd.exe	PING.EXE
PID 2176 wrote to memory of 904	2176	cmd.exe	PING.EXE
PID 2176 wrote to memory of 3488	2176	cmd.exe	eeeeee.exe
PID 2176 wrote to memory of 3488	2176	cmd.exe	eeeeee.exe
PID 3488 wrote to memory of 1844	3488	eeeeee.exe	cmd.exe
PID 3488 wrote to memory of 1844	3488	eeeeee.exe	cmd.exe
PID 1844 wrote to memory of 1424	1844	cmd.exe	chcp.com
PID 1844 wrote to memory of 1424	1844	cmd.exe	chcp.com
PID 1844 wrote to memory of 2684	1844	cmd.exe	PING.EXE
PID 1844 wrote to memory of 2684	1844	cmd.exe	PING.EXE
PID 1844 wrote to memory of 3588	1844	cmd.exe	eeeeee.exe
PID 1844 wrote to memory of 3588	1844	cmd.exe	eeeeee.exe
PID 3588 wrote to memory of 3660	3588	eeeeee.exe	cmd.exe
PID 3588 wrote to memory of 3660	3588	eeeeee.exe	cmd.exe
PID 3660 wrote to memory of 2156	3660	cmd.exe	chcp.com
PID 3660 wrote to memory of 2156	3660	cmd.exe	chcp.com
PID 3660 wrote to memory of 2300	3660	cmd.exe	PING.EXE
PID 3660 wrote to memory of 2300	3660	cmd.exe	PING.EXE
PID 3660 wrote to memory of 852	3660	cmd.exe	eeeeee.exe
PID 3660 wrote to memory of 852	3660	cmd.exe	eeeeee.exe
PID 852 wrote to memory of 808	852	eeeeee.exe	cmd.exe
PID 852 wrote to memory of 808	852	eeeeee.exe	cmd.exe
PID 808 wrote to memory of 2340	808	cmd.exe	chcp.com
PID 808 wrote to memory of 2340	808	cmd.exe	chcp.com
PID 808 wrote to memory of 1120	808	cmd.exe	PING.EXE
PID 808 wrote to memory of 1120	808	cmd.exe	PING.EXE
PID 808 wrote to memory of 3152	808	cmd.exe	eeeeee.exe
PID 808 wrote to memory of 3152	808	cmd.exe	eeeeee.exe

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wk7wKdnsHMGR.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:4740

C:\Windows\system32\PING.EXE
ping -n 10 localhost
3⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HJWz2jb7gvxa.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:3884

C:\Windows\system32\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:3032

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gdqTeZIoDAi2.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:1332

C:\Windows\system32\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:4448

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgjtvXJaoj2W.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\system32\chcp.com
chcp 65001
9⤵
PID:1500

C:\Windows\system32\PING.EXE
ping -n 10 localhost
9⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAe0JvFtlpXA.bat" "
10⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\system32\chcp.com
chcp 65001
11⤵
PID:3656

C:\Windows\system32\PING.EXE
ping -n 10 localhost
11⤵
- Runs ping.exe
PID:904

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
11⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bdKtYRlQZ2vI.bat" "
12⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\system32\chcp.com
chcp 65001
13⤵
PID:1424

C:\Windows\system32\PING.EXE
ping -n 10 localhost
13⤵
- Runs ping.exe
PID:2684

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
13⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mPfXYeEzo1T4.bat" "
14⤵
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\system32\chcp.com
chcp 65001
15⤵
PID:2156

C:\Windows\system32\PING.EXE
ping -n 10 localhost
15⤵
- Runs ping.exe
PID:2300

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
15⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9vo9vMdTZLHT.bat" "
16⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\system32\chcp.com
chcp 65001
17⤵
PID:2340

C:\Windows\system32\PING.EXE
ping -n 10 localhost
17⤵
- Runs ping.exe
PID:1120

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
17⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e5p8PlpIdllK.bat" "
18⤵
PID:1076

C:\Windows\system32\chcp.com
chcp 65001
19⤵
PID:2104

C:\Windows\system32\PING.EXE
ping -n 10 localhost
19⤵
- Runs ping.exe
PID:2636

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
19⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zi4cli3fsQ0v.bat" "
20⤵
PID:3376

C:\Windows\system32\chcp.com
chcp 65001
21⤵
PID:3128

C:\Windows\system32\PING.EXE
ping -n 10 localhost
21⤵
- Runs ping.exe
PID:2004

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\29517ajZcuD0.bat" "
22⤵
PID:4496

C:\Windows\system32\chcp.com
chcp 65001
23⤵
PID:1584

C:\Windows\system32\PING.EXE
ping -n 10 localhost
23⤵
- Runs ping.exe
PID:1224

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
23⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YlxXfR2CK7fh.bat" "
24⤵
PID:2676

C:\Windows\system32\chcp.com
chcp 65001
25⤵
PID:4664

C:\Windows\system32\PING.EXE
ping -n 10 localhost
25⤵
- Runs ping.exe
PID:3568

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
25⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqRafQplYIhv.bat" "
26⤵
PID:4036

C:\Windows\system32\chcp.com
chcp 65001
27⤵
PID:3328

C:\Windows\system32\PING.EXE
ping -n 10 localhost
27⤵
- Runs ping.exe
PID:644

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
27⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NO3NkXKrmOL2.bat" "
28⤵
PID:1040

C:\Windows\system32\chcp.com
chcp 65001
29⤵
PID:248

C:\Windows\system32\PING.EXE
ping -n 10 localhost
29⤵
- Runs ping.exe
PID:4512

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
29⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\STJDjHUb41wH.bat" "
30⤵
PID:736

C:\Windows\system32\chcp.com
chcp 65001
31⤵
PID:2468

C:\Windows\system32\PING.EXE
ping -n 10 localhost
31⤵
- Runs ping.exe
PID:1808

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
31⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GfJHKKI8Wur8.bat" "
32⤵
PID:2936

C:\Windows\system32\chcp.com
chcp 65001
33⤵
PID:4408

C:\Windows\system32\PING.EXE
ping -n 10 localhost
33⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
33⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUYGvErPMYC3.bat" "
34⤵
PID:3872

C:\Windows\system32\chcp.com
chcp 65001
35⤵
PID:992

C:\Windows\system32\PING.EXE
ping -n 10 localhost
35⤵
- Runs ping.exe
PID:3100

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
35⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hf6bsHeMevHp.bat" "
36⤵
PID:3680

C:\Windows\system32\chcp.com
chcp 65001
37⤵
PID:1580

C:\Windows\system32\PING.EXE
ping -n 10 localhost
37⤵
- Runs ping.exe
PID:1420

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
37⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAwEQarpv8tx.bat" "
38⤵
PID:5112

C:\Windows\system32\chcp.com
chcp 65001
39⤵
PID:3652

C:\Windows\system32\PING.EXE
ping -n 10 localhost
39⤵
- Runs ping.exe
PID:3232

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
39⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wjfq2YJT3an2.bat" "
40⤵
PID:3824

C:\Windows\system32\chcp.com
chcp 65001
41⤵
PID:2452

C:\Windows\system32\PING.EXE
ping -n 10 localhost
41⤵
- Runs ping.exe
PID:3780

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
41⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x1TLiFWo9MK7.bat" "
42⤵
PID:1628

C:\Windows\system32\chcp.com
chcp 65001
43⤵
PID:1320

C:\Windows\system32\PING.EXE
ping -n 10 localhost
43⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
43⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DnXN90aBGioq.bat" "
44⤵
PID:2948

C:\Windows\system32\chcp.com
chcp 65001
45⤵
PID:1112

C:\Windows\system32\PING.EXE
ping -n 10 localhost
45⤵
- Runs ping.exe
PID:2820

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
45⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCfpqMq4lA9A.bat" "
46⤵
PID:3420

C:\Windows\system32\chcp.com
chcp 65001
47⤵
PID:2216

C:\Windows\system32\PING.EXE
ping -n 10 localhost
47⤵
- Runs ping.exe
PID:3132

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
47⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCMyBoimVEmJ.bat" "
48⤵
PID:2792

C:\Windows\system32\chcp.com
chcp 65001
49⤵
PID:3060

C:\Windows\system32\PING.EXE
ping -n 10 localhost
49⤵
- Runs ping.exe
PID:3400

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
49⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z2x2QAjLsLB0.bat" "
50⤵
PID:3256

C:\Windows\system32\chcp.com
chcp 65001
51⤵
PID:3048

C:\Windows\system32\PING.EXE
ping -n 10 localhost
51⤵
- Runs ping.exe
PID:1672

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
51⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7R4uWwfhiOhB.bat" "
52⤵
PID:964

C:\Windows\system32\chcp.com
chcp 65001
53⤵
PID:3608

C:\Windows\system32\PING.EXE
ping -n 10 localhost
53⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
53⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcE1d7o8TtO4.bat" "
54⤵
PID:1456

C:\Windows\system32\chcp.com
chcp 65001
55⤵
PID:2804

C:\Windows\system32\PING.EXE
ping -n 10 localhost
55⤵
- Runs ping.exe
PID:4812

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
55⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2CzypTjhAb63.bat" "
56⤵
PID:1396

C:\Windows\system32\chcp.com
chcp 65001
57⤵
PID:2168

C:\Windows\system32\PING.EXE
ping -n 10 localhost
57⤵
- Runs ping.exe
PID:1904

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
57⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HlwJ3n2sSpjz.bat" "
58⤵
PID:3980

C:\Windows\system32\chcp.com
chcp 65001
59⤵
PID:2420

C:\Windows\system32\PING.EXE
ping -n 10 localhost
59⤵
- Runs ping.exe
PID:4576

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
59⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2YbAFuCEudc8.bat" "
60⤵
PID:1872

C:\Windows\system32\chcp.com
chcp 65001
61⤵
PID:484

C:\Windows\system32\PING.EXE
ping -n 10 localhost
61⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
61⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2tlwphDpecWT.bat" "
62⤵
PID:4800

C:\Windows\system32\chcp.com
chcp 65001
63⤵
PID:4348

C:\Windows\system32\PING.EXE
ping -n 10 localhost
63⤵
- Runs ping.exe
PID:3156

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
63⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vvB6oJmOYJZQ.bat" "
64⤵
PID:672

C:\Windows\system32\chcp.com
chcp 65001
65⤵
PID:1840

C:\Windows\system32\PING.EXE
ping -n 10 localhost
65⤵
- Runs ping.exe
PID:2868

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
65⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\af6j0BcRPzZY.bat" "
66⤵
PID:1516

C:\Windows\system32\chcp.com
chcp 65001
67⤵
PID:3476

C:\Windows\system32\PING.EXE
ping -n 10 localhost
67⤵
- Runs ping.exe
PID:3108

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
67⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wxdkO53vaz2d.bat" "
68⤵
PID:4824

C:\Windows\system32\chcp.com
chcp 65001
69⤵
PID:3736

C:\Windows\system32\PING.EXE
ping -n 10 localhost
69⤵
- Runs ping.exe
PID:2280

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
69⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOTy0KbdZEIy.bat" "
70⤵
PID:432

C:\Windows\system32\chcp.com
chcp 65001
71⤵
PID:2876

C:\Windows\system32\PING.EXE
ping -n 10 localhost
71⤵
- Runs ping.exe
PID:3420

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
71⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qZvsq8qAdlRi.bat" "
72⤵
PID:1188

C:\Windows\system32\chcp.com
chcp 65001
73⤵
PID:3468

C:\Windows\system32\PING.EXE
ping -n 10 localhost
73⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
73⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkxXvo2OwK8Q.bat" "
74⤵
PID:2188

C:\Windows\system32\chcp.com
chcp 65001
75⤵
PID:3256

C:\Windows\system32\PING.EXE
ping -n 10 localhost
75⤵
- Runs ping.exe
PID:200

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
75⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rZOJd5HovEsQ.bat" "
76⤵
PID:2016

C:\Windows\system32\chcp.com
chcp 65001
77⤵
PID:4428

C:\Windows\system32\PING.EXE
ping -n 10 localhost
77⤵
- Runs ping.exe
PID:2672

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
77⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B4BXvBXfCDK3.bat" "
78⤵
PID:4812

C:\Windows\system32\chcp.com
chcp 65001
79⤵
PID:1152

C:\Windows\system32\PING.EXE
ping -n 10 localhost
79⤵
- Runs ping.exe
PID:4980

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
79⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i9lZYZs20pt0.bat" "
80⤵
PID:224

C:\Windows\system32\chcp.com
chcp 65001
81⤵
PID:3076

C:\Windows\system32\PING.EXE
ping -n 10 localhost
81⤵
- Runs ping.exe
PID:5116

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
81⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:72

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E4cmBeateGZp.bat" "
82⤵
PID:3260

C:\Windows\system32\chcp.com
chcp 65001
83⤵
PID:1632

C:\Windows\system32\PING.EXE
ping -n 10 localhost
83⤵
- Runs ping.exe
PID:2368

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
83⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LRQ0nTaOPhOF.bat" "
84⤵
PID:3232

C:\Windows\system32\chcp.com
chcp 65001
85⤵
PID:2816

C:\Windows\system32\PING.EXE
ping -n 10 localhost
85⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
85⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f7AuLoFg9BiM.bat" "
86⤵
PID:4324

C:\Windows\system32\chcp.com
chcp 65001
87⤵
PID:3024

C:\Windows\system32\PING.EXE
ping -n 10 localhost
87⤵
- Runs ping.exe
PID:1604

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
87⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bh0I7DPO1hvE.bat" "
88⤵
PID:1876

C:\Windows\system32\chcp.com
chcp 65001
89⤵
PID:4380

C:\Windows\system32\PING.EXE
ping -n 10 localhost
89⤵
- Runs ping.exe
PID:468

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
89⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7osNgFvAGwJV.bat" "
90⤵
PID:2060

C:\Windows\system32\chcp.com
chcp 65001
91⤵
PID:4816

C:\Windows\system32\PING.EXE
ping -n 10 localhost
91⤵
PID:384

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
91⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pNF3dnl8u1An.bat" "
92⤵
PID:1744

C:\Windows\system32\chcp.com
chcp 65001
93⤵
PID:4688

C:\Windows\system32\PING.EXE
ping -n 10 localhost
93⤵
- Runs ping.exe
PID:3656

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
93⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R7d8wteFtuqa.bat" "
94⤵
PID:2876

C:\Windows\system32\chcp.com
chcp 65001
95⤵
PID:1512

C:\Windows\system32\PING.EXE
ping -n 10 localhost
95⤵
- Runs ping.exe
PID:2352

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
95⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEf7G34P2oNh.bat" "
96⤵
PID:4376

C:\Windows\system32\chcp.com
chcp 65001
97⤵
PID:5104

C:\Windows\system32\PING.EXE
ping -n 10 localhost
97⤵
- Runs ping.exe
PID:3324

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
97⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R8AErsbKkRr4.bat" "
98⤵
PID:1092

C:\Windows\system32\chcp.com
chcp 65001
99⤵
PID:1672

C:\Windows\system32\PING.EXE
ping -n 10 localhost
99⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
99⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ec2Eh2ZDywKg.bat" "
100⤵
PID:1412

C:\Windows\system32\chcp.com
chcp 65001
101⤵
PID:1164

C:\Windows\system32\PING.EXE
ping -n 10 localhost
101⤵
- Runs ping.exe
PID:2804

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
101⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ty27idJJUFoH.bat" "
102⤵
PID:3252

C:\Windows\system32\chcp.com
chcp 65001
103⤵
PID:4224

C:\Windows\system32\PING.EXE
ping -n 10 localhost
103⤵
- Runs ping.exe
PID:4984

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
103⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EBAdFrOez1Dt.bat" "
104⤵
PID:3712

C:\Windows\system32\chcp.com
chcp 65001
105⤵
PID:4692

C:\Windows\system32\PING.EXE
ping -n 10 localhost
105⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
105⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WDcZsXqCnSBH.bat" "
106⤵
PID:3396

C:\Windows\system32\chcp.com
chcp 65001
107⤵
PID:2288

C:\Windows\system32\PING.EXE
ping -n 10 localhost
107⤵
- Runs ping.exe
PID:2340

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
107⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qFE8m9kdhYz5.bat" "
108⤵
PID:3240

C:\Windows\system32\chcp.com
chcp 65001
109⤵
PID:1380

C:\Windows\system32\PING.EXE
ping -n 10 localhost
109⤵
- Runs ping.exe
PID:4588

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
109⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lPx43IStSODc.bat" "
110⤵
PID:4348

C:\Windows\system32\chcp.com
chcp 65001
111⤵
PID:2316

C:\Windows\system32\PING.EXE
ping -n 10 localhost
111⤵
- Runs ping.exe
PID:2744

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
111⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2h8vQu1OOLXd.bat" "
112⤵
PID:1660

C:\Windows\system32\chcp.com
chcp 65001
113⤵
PID:3320

C:\Windows\system32\PING.EXE
ping -n 10 localhost
113⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
113⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VTU6gXFiBbdU.bat" "
114⤵
PID:4396

C:\Windows\system32\chcp.com
chcp 65001
115⤵
PID:4280

C:\Windows\system32\PING.EXE
ping -n 10 localhost
115⤵
- Runs ping.exe
PID:4688

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
115⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dU5Wm6D0rwaE.bat" "
116⤵
PID:4680

C:\Windows\system32\chcp.com
chcp 65001
117⤵
PID:3132

C:\Windows\system32\PING.EXE
ping -n 10 localhost
117⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
117⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgJ3UrNGWg4z.bat" "
118⤵
PID:3792

C:\Windows\system32\chcp.com
chcp 65001
119⤵
PID:5044

C:\Windows\system32\PING.EXE
ping -n 10 localhost
119⤵
- Runs ping.exe
PID:1188

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
119⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcGUzygaZ8JO.bat" "
120⤵
PID:3256

C:\Windows\system32\chcp.com
chcp 65001
121⤵
PID:2992

C:\Windows\system32\PING.EXE
ping -n 10 localhost
121⤵
- Runs ping.exe
PID:2188

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
121⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ER3tCLqUqK7l.bat" "
122⤵
PID:4948

C:\Windows\system32\chcp.com
chcp 65001
123⤵
PID:3568

C:\Windows\system32\PING.EXE
ping -n 10 localhost
123⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
123⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jTNtlS790Li6.bat" "
124⤵
PID:3344

C:\Windows\system32\chcp.com
chcp 65001
125⤵
PID:436

C:\Windows\system32\PING.EXE
ping -n 10 localhost
125⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
125⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0akzCTe1s64M.bat" "
126⤵
PID:4692

C:\Windows\system32\chcp.com
chcp 65001
127⤵
PID:3712

C:\Windows\system32\PING.EXE
ping -n 10 localhost
127⤵
- Runs ping.exe
PID:1016

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
127⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X5WdQp1I840t.bat" "
128⤵
PID:1688

C:\Windows\system32\chcp.com
chcp 65001
129⤵
PID:2624

C:\Windows\system32\PING.EXE
ping -n 10 localhost
129⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
129⤵
PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iNZTYoDiTHia.bat" "
130⤵
PID:1872

C:\Windows\system32\chcp.com
chcp 65001
131⤵
PID:5112

C:\Windows\system32\PING.EXE
ping -n 10 localhost
131⤵
- Runs ping.exe
PID:3276

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
131⤵
PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wvJOL4uoaDzC.bat" "
132⤵
PID:3220

C:\Windows\system32\chcp.com
chcp 65001
133⤵
PID:3824

C:\Windows\system32\PING.EXE
ping -n 10 localhost
133⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
133⤵
PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMrU4cOPhLtF.bat" "
134⤵
PID:1052

C:\Windows\system32\chcp.com
chcp 65001
135⤵
PID:1276

C:\Windows\system32\PING.EXE
ping -n 10 localhost
135⤵
- Runs ping.exe
PID:3320

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
135⤵
PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QxCaFMrbxmYS.bat" "
136⤵
PID:784

C:\Windows\system32\chcp.com
chcp 65001
137⤵
PID:1808

C:\Windows\system32\PING.EXE
ping -n 10 localhost
137⤵
- Runs ping.exe
PID:1528

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
137⤵
PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z1hkcxpzkLkd.bat" "
138⤵
PID:3340

C:\Windows\system32\chcp.com
chcp 65001
139⤵
PID:1512

C:\Windows\system32\PING.EXE
ping -n 10 localhost
139⤵
- Runs ping.exe
PID:2632

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
139⤵
PID:2528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h8k9KXHm2imt.bat" "
140⤵
PID:2352

C:\Windows\system32\chcp.com
chcp 65001
141⤵
PID:3328

C:\Windows\system32\PING.EXE
ping -n 10 localhost
141⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
141⤵
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FirSeYFeAXPD.bat" "
142⤵
PID:4488

C:\Windows\system32\chcp.com
chcp 65001
143⤵
PID:2000

C:\Windows\system32\PING.EXE
ping -n 10 localhost
143⤵
- Runs ping.exe
PID:2992

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
143⤵
PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hBMrMVHncTMa.bat" "
144⤵
PID:1116

C:\Windows\system32\chcp.com
chcp 65001
145⤵
PID:1544

C:\Windows\system32\PING.EXE
ping -n 10 localhost
145⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
145⤵
PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2XOTs7fIH8xz.bat" "
146⤵
PID:3348

C:\Windows\system32\chcp.com
chcp 65001
147⤵
PID:4224

C:\Windows\system32\PING.EXE
ping -n 10 localhost
147⤵
- Runs ping.exe
PID:1844

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
147⤵
PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWf2Kj12H9yh.bat" "
148⤵
PID:4504

C:\Windows\system32\chcp.com
chcp 65001
149⤵
PID:1800

C:\Windows\system32\PING.EXE
ping -n 10 localhost
149⤵
- Runs ping.exe
PID:4052

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
149⤵
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q1GQ7QIcM6CI.bat" "
150⤵
PID:1688

C:\Windows\system32\chcp.com
chcp 65001
151⤵
PID:4500

C:\Windows\system32\PING.EXE
ping -n 10 localhost
151⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
151⤵
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tgnh9LN7H7Wd.bat" "
152⤵
PID:2092

C:\Windows\system32\chcp.com
chcp 65001
153⤵
PID:4588

C:\Windows\system32\PING.EXE
ping -n 10 localhost
153⤵
- Runs ping.exe
PID:3232

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
153⤵
PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\88NLhEZMgnhS.bat" "
154⤵
PID:3024

C:\Windows\system32\chcp.com
chcp 65001
155⤵
PID:4988

C:\Windows\system32\PING.EXE
ping -n 10 localhost
155⤵
- Runs ping.exe
PID:3616

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
155⤵
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wTFwf7wT9Bsy.bat" "
156⤵
PID:4264

C:\Windows\system32\chcp.com
chcp 65001
157⤵
PID:5032

C:\Windows\system32\PING.EXE
ping -n 10 localhost
157⤵
- Runs ping.exe
PID:1460

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
157⤵
PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWVwwsIGQ9Cb.bat" "
158⤵
PID:1528

C:\Windows\system32\chcp.com
chcp 65001
159⤵
PID:2572

C:\Windows\system32\PING.EXE
ping -n 10 localhost
159⤵
- Runs ping.exe
PID:3268

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
159⤵
PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l0Ggcz143ffc.bat" "
160⤵
PID:4200

C:\Windows\system32\chcp.com
chcp 65001
161⤵
PID:4788

C:\Windows\system32\PING.EXE
ping -n 10 localhost
161⤵
- Runs ping.exe
PID:4088

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
161⤵
PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uzTsaCnkNzpR.bat" "
162⤵
PID:644

C:\Windows\system32\chcp.com
chcp 65001
163⤵
PID:112

C:\Windows\system32\PING.EXE
ping -n 10 localhost
163⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
163⤵
PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UbdcCobYeDHu.bat" "
164⤵
PID:3468

C:\Windows\system32\chcp.com
chcp 65001
165⤵
PID:2452

C:\Windows\system32\PING.EXE
ping -n 10 localhost
165⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
165⤵
PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LnruMzZlo3zz.bat" "
166⤵
PID:1980

C:\Windows\system32\chcp.com
chcp 65001
167⤵
PID:992

C:\Windows\system32\PING.EXE
ping -n 10 localhost
167⤵
- Runs ping.exe
PID:1524

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
167⤵
PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xL8QDTL0z8p7.bat" "
168⤵
PID:1844

C:\Windows\system32\chcp.com
chcp 65001
169⤵
PID:1904

C:\Windows\system32\PING.EXE
ping -n 10 localhost
169⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
169⤵
PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l1qvhJRYV3Bf.bat" "
170⤵
PID:2712

C:\Windows\system32\chcp.com
chcp 65001
171⤵
PID:2400

C:\Windows\system32\PING.EXE
ping -n 10 localhost
171⤵
- Runs ping.exe
PID:4544

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
171⤵
PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EMRcIa8NHUkK.bat" "
172⤵
PID:2540

C:\Windows\system32\chcp.com
chcp 65001
173⤵
PID:3940

C:\Windows\system32\PING.EXE
ping -n 10 localhost
173⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
173⤵
PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jJXsyPCTH7qx.bat" "
174⤵
PID:5060

C:\Windows\system32\chcp.com
chcp 65001
175⤵
PID:3664

C:\Windows\system32\PING.EXE
ping -n 10 localhost
175⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
175⤵
PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sPXuytZCzRP7.bat" "
176⤵
PID:4348

C:\Windows\system32\chcp.com
chcp 65001
177⤵
PID:5032

C:\Windows\system32\PING.EXE
ping -n 10 localhost
177⤵
- Runs ping.exe
PID:3684

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
177⤵
PID:960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QZYcasj5JfKr.bat" "
178⤵
PID:4932

C:\Windows\system32\chcp.com
chcp 65001
179⤵
PID:4708

C:\Windows\system32\PING.EXE
ping -n 10 localhost
179⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\eeeeee.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeee.exe"
179⤵
PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0baDxoGLixjW.bat" "
180⤵
PID:3120

C:\Windows\system32\chcp.com
chcp 65001
181⤵
PID:1528

C:\Windows\system32\PING.EXE
ping -n 10 localhost
181⤵
- Runs ping.exe
PID:964

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\eeeeee.exe.log
Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0akzCTe1s64M.bat
Filesize
203B

MD5
0d866eedbe9ab7d2bba95c8787b82187

SHA1
008c8df3e3c566c377b2fbc452716dc080dc99f1

SHA256
c55851068d3ac0612197c80ca26753b70f11a0e071dd8c1a94d493db8ecae152

SHA512
58e738d12cf82f2d8356886f94d588d62e20b5fb0b33a3b2e356ac96ae6349419417065c74f231aa555dd77a92abeca29d23168b66d7c9a01bc42222a991a31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\29517ajZcuD0.bat
Filesize
203B

MD5
7b746e89ba2183f1339e8dd116323cd6

SHA1
27f375ff460a197390e3d3a2585ad04f3012b5bf

SHA256
0820136cf5bae791066ec180f1dfba2561931558f57103a3e642c12c3eaad9ec

SHA512
85967ec1adfc5d65255a15c06d0649af8eb0c83b5db5faf608171ba72beca2e86e527a1be98e77938e39752966746b299fcf6821695a077e677bd988bf016617

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CzypTjhAb63.bat
Filesize
203B

MD5
e191ecf7a83a940729622cd821e3b27b

SHA1
ddbe14f76f4500315d677ea4b0338f453ad44cc0

SHA256
0a6f28371170dd89728bc73c2341d313f6a01c2c8ee4ccd6f2bb3d460c30faf3

SHA512
50db7e4ccfb30aa5233b59b3311329438a93dd5c15eac5cd72a22a663d6442efa0470a74aa00c0c1d80cdd97f65c222ed31aad3f65098401445c7240ec2094c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YbAFuCEudc8.bat
Filesize
203B

MD5
405aeacc13806daa5fd6ba9d42f87870

SHA1
87d7a15ee711792e0100a45c2d621e082df4c8c1

SHA256
7e5ec2b618d5dbc44f5725e55d6858e4ced1fef2fee145ead945518fd54d6311

SHA512
3f0b24e9ef2f2394383ce8acde73cd27116f0098add3fe7b4c66b6e6ceebee5d89f63829d735419a192422aa4ba765167220c6332532e00718401734e1f32a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2h8vQu1OOLXd.bat
Filesize
203B

MD5
779b330d78be78db8519d93e86578e88

SHA1
0182f24ba21d1231e48657f0cd423937e75599b7

SHA256
93f832855af6850fbab26b246a13f879957cb9f39cb42d009585110c4d7cb13f

SHA512
e6bdd5a567417f6781a30fae951d97e3b56096639c10980267f804115d71fea9d25e1f2e879d82e00139b7f277999d5c0d81029e679cba7c84d8e71b2bfc175a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2tlwphDpecWT.bat
Filesize
203B

MD5
b70118a03b24cf8e66802e5582362805

SHA1
fb35f755ac16582497525017264474d55ebfe6c8

SHA256
db9f1a4835e301e1f3ed5ef2cfa170f30fd03186a15a84e09b4bd8dff33182ea

SHA512
c54e5d0639b1284c8f4dded2a035e02557f129bb60ff133c517d4a43e0bd5b8387e8a1714e0589cc459c7d02c851a12c404e11964dae0ab2a5cb0890365026bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7R4uWwfhiOhB.bat
Filesize
203B

MD5
35138e91702d5e85c55faff86dcf9ab3

SHA1
174bad4bf70d61f8d8f3071c15a1032c8f62632a

SHA256
e31e39dee20e48827d664ff8f3ce25b47538db620a80390b58457e2637aa3a01

SHA512
4f0cd202b41b6d28f1613c9669fa872baee613d077f4bdb1eac6952a9f02eee458c9566cd9041b9ff4eddd75d51c76d0919b7f8fb84b66fddd171daf241487bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7osNgFvAGwJV.bat
Filesize
203B

MD5
080a3e9cf153176b4a7d743a60dca20c

SHA1
54ff799821d3b04acb97a81b174fceac53c28282

SHA256
92b848a2d6c6c79a59a1450c0d7d57a694ee2f2964fdc6a21d68209ff99c25cf

SHA512
0dda3b7d1f0a0b69595ff1f6aceeba185879a2d1131c73418df1c46ccfb54c4458f8049ef7db34ad75ccc602d715e106b0d8374a68be41a332cf854e739d001a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9vo9vMdTZLHT.bat
Filesize
203B

MD5
6dd5e6201cbbf2335f8c96db1972a0b0

SHA1
aa70285efa1ed7fe373d0554b9f17e300291c243

SHA256
39ce9f9a6f60e943d136509a7e4ecd083344466949981c5444e8811b1c4c5ede

SHA512
3a7d20b5b9b3d9be60727f3e1c3db52d31da6d7760554c6ae53a04d2cf0ee113e81134965121c19cd809203de6ad0cb37f991dc66a12451c04ef27ddec766980

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4BXvBXfCDK3.bat
Filesize
203B

MD5
710e48a3e89c738fd111fc303fba1752

SHA1
2e6cb93096045bf9ab0e743dd800f949ee5cfc2b

SHA256
e7dd6cd623b245494858531d174c874c5596079519d9e1487e6de535fa4c5ebc

SHA512
85eac7dc89f4f2acf39cd993a69dfe8ab5342018de8101f749812a4f4502a366a9cb0c52d091a485c4651a54c704e5a910967b2af816e111aab95557f39135d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bh0I7DPO1hvE.bat
Filesize
203B

MD5
1211a725dd2a955957eb5a26084ddba9

SHA1
9020857bfe6921aa8554aa7baa4d5ca3ace0b1ac

SHA256
13160e5eced7d4efe25889b7d69cb2232623ad6fde046506ec745d96b4811191

SHA512
a6e8abaa12da9b6257cfce01ed387b879ba30442ffba3e693e623bfa206ba04f5693e1ec51ce9292a3517ba7db43f442c3fd7ea1c218fe9af84e218cc80576ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\DnXN90aBGioq.bat
Filesize
203B

MD5
b660b130a281df2baf685187163813d4

SHA1
85c842c260f2eef608c66012a170cafd65943326

SHA256
516ee77da1820e2ed8f7fe472eea8bc79efdffbb463f5432d5acc55e2127e746

SHA512
1771f41d8d027b8a9a67bec2872974be4468477b2d59bcd4323dac5b0ffefdbd0106acd8bf85fe703d574765fce94fba42cec778abb95c68a43c27f8bb2eac3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4cmBeateGZp.bat
Filesize
203B

MD5
4ce75750fdb431cb86d244b7242276a6

SHA1
f5a65b58e79239b6747574475c21081151630bac

SHA256
5a4cf2357dfb48c5ba36db6baa8ef7fcfd436928bf828fbaa235fc5a2cc5fd7e

SHA512
e2d373d99dfd9018900b43fe7f5f123ce2f2b05a5523bbba64c2083c5b7fe5f8bbd4990fd9bde97c4b64d8de192c662976467d8455f198833fb27f471848b253

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBAdFrOez1Dt.bat
Filesize
203B

MD5
0839a5fc3841c32e4f4435aaf85991a9

SHA1
daf96121c960ee2ce71781431c1481f739919e8d

SHA256
378e13ad8a5a250354df8767f9bdf4374554d7b4a3cd5522f27de9331bd0c463

SHA512
c386ddf09eaa116c6debfbc901a748ada0e007527383f141909a24761050f982cae9d45726a4954306284b582e9eafdbd233e24daabaa75b63104be638ab534a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ER3tCLqUqK7l.bat
Filesize
203B

MD5
416f2981f8ab9053879f2155c03e8e12

SHA1
7949d813d72778957d950fa743c2ad462434eb8c

SHA256
bc538e6316bda42800d6c4d3393938a521d75ac22a7d477a271fbe7cea25f03d

SHA512
a3514caebd9787a0deba70f071e16332bde7272012bcb027366da5266490e9f89f5a38160255c6c8cbeec0fd204c4c564dcad4df8cf8dc4bbaadfe6b329f7364

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcGUzygaZ8JO.bat
Filesize
203B

MD5
ccc8b57e9b4d3061f49c0456d22faf24

SHA1
fc94dd76a01f225a48acd1bb4b802b38b92e9627

SHA256
a615012f56def17573081b408fe814c3b0163a33bbf48702abab22954b7cdd24

SHA512
0320c66200c860946cab6cce99abb98374c21528690e6d02c7b7db0daba1e31e6ac4daac0437c67d26fdeded267abef0cf0dc11f08a31279153c00b95ff224c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FkxXvo2OwK8Q.bat
Filesize
203B

MD5
fb33114fb569475454cd080c583c9b1a

SHA1
191e21bac8228372a28c8899cc190f908016dec6

SHA256
ea26d0b30dacf308a5b628180e11fcaae1e2063b5b8ade722c45c391794a64f9

SHA512
0677ad00d68e96107052e997cad52fd8b492e237a2674eb987d510836fb02eed947b28022f2eb1568a3fdff3663a5805aeb014acb6a5389cf02fc40ef1683e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\GfJHKKI8Wur8.bat
Filesize
203B

MD5
623a005c399ebd95952611265c4f8a05

SHA1
64c2c4b084b326c97573ea38b66e3fd964f57f63

SHA256
3e57bbcf6c26bb9e87ed1a6cd0b29104350a1459241fa8e43bcd8cf0ed6b5d35

SHA512
4768911cd5d82825a85f79d7c8f274bfb9b98aa19e7ae202fa0e5159b5a650bfc35ef6fe2ea20599ebcc14d0c4611bf52254b7b1011bf58d4ef9479aa91514aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HJWz2jb7gvxa.bat
Filesize
203B

MD5
ff69f2297f9f16f38ce93d6d4c162651

SHA1
e91379ad170eb8df90591ea38702ea201f75b089

SHA256
727888fe56ef986c5d3913eca437774c56e99746ed3cba409dd0b4c323eadb4a

SHA512
c074deb54c71b705205043a48833633358ff89a14e6f3bc04f253c0a6e5bb45382f68c3aa9d18ee828ed58a017e90c4876a996fdac40b91a29a43e48afdde447

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgjtvXJaoj2W.bat
Filesize
203B

MD5
f0a8509cd8e4796e0e4d05dd9d578779

SHA1
1db9c5da9cf9da97a4863a3e48bbd96c502fe63b

SHA256
c42bc51ba75113d81976f9cac64463da600785bd256b5246300fef2ee97ba719

SHA512
1dff3d2310807cb047c74eb3284d271532954432410d057c7718345f7b1c47d2e775de2f89738b1f718571ca43c8f37ec35100a1642f62718d206e890af5ff35

Download Submit
C:\Users\Admin\AppData\Local\Temp\HlwJ3n2sSpjz.bat
Filesize
203B

MD5
b45f5bac4e65827d7956a50aea3f771a

SHA1
0cf00bc07637863b383d0410fdab8ddc7bcd3bdb

SHA256
73369164afe0edf1df650822da914d69d61f5d3d387b1d494cd1aa739ab32570

SHA512
2677a2b7c28cda2eab319ae37e9b945c1a1bb1bbe522f91366d32d4916fc9b1283ceb9b5f6399ec09b31dd51761ee61d921989d687f4d5d23a7a35c98faace82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcE1d7o8TtO4.bat
Filesize
203B

MD5
45e834aa4772f87515c24a94a680b74d

SHA1
7b2b4edc3f3c8217268be698a4e75549851c5dd5

SHA256
a208969d3329b80550f223afc287d21e2688696ee69bbd672933430d00ea0ac2

SHA512
6ae5f19bf872f719c4e2f893c69e033e15100c5d46f1b30b938055c8baf04bfcae0b911244f082716fff5d8898b5ee829405a5059839bb3b7948910a1d3d8a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LRQ0nTaOPhOF.bat
Filesize
203B

MD5
fd30b28238a4a592d44ae476d7df6ec9

SHA1
54e4d95c13fbb82a545ca51839a784a2832f7e8f

SHA256
10ab0d87ed02a501c630e857b9132a29f100082d6b5f5d10b1684c7dee55d0be

SHA512
dce15331654f939f1cc5c70bbccb80868e389be5879f2abd424a5a62949373671244e702b8d3044b94face05f488f49afe4f12e7387790b076de50313896f232

Download Submit
C:\Users\Admin\AppData\Local\Temp\NO3NkXKrmOL2.bat
Filesize
203B

MD5
05a4febc314b32ad967f95b0e61a374d

SHA1
c14ff5ac29d4133b6fe42d414a111fc5107f75da

SHA256
71e8d29bfc65ebae658a7722abd7dd03eee016ebba13f8bf980ddfa538e5985e

SHA512
ee17c47e2549910d052e53d955e641077253f46ca59ab16746e120a84d595e74d1ebd9eee31e0e64226f42d9b10ebd8e063124b33bea6480d8e57f2d90ec0cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqRafQplYIhv.bat
Filesize
203B

MD5
7d4f6b40337ce312f1519930c771cba4

SHA1
d562b8aa0e95499376aea15185acb924c9b2004b

SHA256
8ad2ee6bc391395b696551b313b4c1249debceb83e39c99224f09d6a3412726d

SHA512
8e7a8c16040d9cc7ef7fb2fc904c1e6f06205850d842efd364af2d79a3b0ce84ae001ff0cd86cb29cee4ad40d8dcb07f1dc880969c783bd5bd7900dfff5e0ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\R7d8wteFtuqa.bat
Filesize
203B

MD5
02f053a69378f7bc22735c998bbd0a1a

SHA1
d854464b2b6631a37ef5c795a875dc8d3ea8975f

SHA256
71f648aef1abae1627fa4efa760411d7d670ea7b0823b081d231dae1174424b5

SHA512
9fdec39f51fe67b576c16f4d5539af0527d221d2865f65292ace3926618ece88dafb80ce184171809bcbb13cd00598982c98a5dfbb0b97b6b5cc78425a55d865

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8AErsbKkRr4.bat
Filesize
203B

MD5
2f07cc01491d90049cf8626e6a7280a5

SHA1
e560d5dd7c85db1582524cb96d825c95c50e4e59

SHA256
efa3a381b2f764479efe5a7f54204e2399d99610aeff4ca5f67983da86f066f3

SHA512
05c158cf3c02a46357977f96f364c72d7add49615f047d5ea0b99c431257c548361dce352b633d7696de5aa869f77a54222e642f4324a3a25fd327f43a4c1ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCfpqMq4lA9A.bat
Filesize
203B

MD5
53b1cf62d6cee15f3bb62dc416d7a22f

SHA1
155b89a04c1ef4e23db803180af117669bbf77e7

SHA256
892d130e4f5635d8e2a0697dc163377dd341682a3293044287b8878f0254d387

SHA512
0f6e1d54451066a7b4bea108d3afab4f5ab189188d1e7b8490a6ceeee1829d21ce376ed1eb42ef442b71d68896f8cf963a707f5cfd5a0d2a0bbd4370d787d42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\STJDjHUb41wH.bat
Filesize
203B

MD5
1f0842e3bb40c942c2b5eabc790b5e00

SHA1
e3dad403073778cb10ea049b206af9a0361992e0

SHA256
0b675546631472d75eb6da577eb1d40488e7441cf5dce904707bff72aa0dce68

SHA512
03c8ec5a5bcb68b5ae1ae6e9daadc96ffe6061147c5303bea0b6af6039cee4d6ab695b4fddc2743118c4bf1dc5310f12d3ef10a3a803a3a2d095753450cf2914

Download Submit
C:\Users\Admin\AppData\Local\Temp\TgJ3UrNGWg4z.bat
Filesize
203B

MD5
c196eec76aa3785458669331eeaeee5b

SHA1
9b2d01ffeb8963bfc6bfd27b630d496b518f24c7

SHA256
86fb56846a1c18af02cfa94c45871176626f4ede07fece8d7ddad2d2b7b8d583

SHA512
463abd6a67d77c9ca7e17c8372398dbc44c4c1b9df42ec7e7a0b2a43b4b084acd7930a46a2fc61935074b90c98d7583cf48ce35fc7739a79818280a6587c319e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ty27idJJUFoH.bat
Filesize
203B

MD5
7a8075ddc0c0401f1d268b48b2bef220

SHA1
30c6782e71d2e1844116c38d3160e1897bfe0354

SHA256
b0f2b6c5c588bf2fdd8dde5a1da1f130aa6b6b20fca3d68758d38a237153b666

SHA512
c8cbe81645266b35abdc203fc394173a8a1b42bff1f9ff94309961cc95db860d7cb52fe799ecf09ec10c61272502215485a57dac6a49a1f1f46d08f12e0aba55

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAe0JvFtlpXA.bat
Filesize
203B

MD5
0a0aa5f79736735840e500e0e98a0be9

SHA1
e6439c5d8dd46c7ce96cd9d2ccba2f27adefeff6

SHA256
09098ea2d49e32b65c6df544ca2478f439cc3f813e2eeba6b2cfadaf2d41df7b

SHA512
22044b74ca2102bf81540c4ed73de0bb8b5254bc8d69d0d2c34bd912c40e0bdcc710cc97c6422d25176a77db4f0c14c6011700ac5f933d12a615d5599fc9ee0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VOTy0KbdZEIy.bat
Filesize
203B

MD5
80751f11a86fd063fdb77de5e03e3fcb

SHA1
dde9438ec802934c64e8cb232b17ec0a49a8b23f

SHA256
e8c30612d2b81d5cf32b6746bac691a039cc6ac1be18cb0de4a17b10cd88e12b

SHA512
cc072d9f45c8a608fcfc469b3df691a20a59630ddec4b799acbddfe453651e6a09ba917dbcef6e14fc0d81051fea914c3672a128d0d3b3bb147a2850148573f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VTU6gXFiBbdU.bat
Filesize
203B

MD5
d4eafc973f191589973d885dcea49ada

SHA1
accd399208184cc60925cd12faade6e1f6da6802

SHA256
3b5c4d3b77b5a715beb8a267044da37b36a2f45033df128f526bae1a63744cbd

SHA512
d38f65e0ba78057463ae540f2948896d5caddde6818a4a93d9c1d1ed621a2673755b74239f039bf904f75391611967bd696b3366df3d43883f1d56d15ba26400

Download Submit
C:\Users\Admin\AppData\Local\Temp\WDcZsXqCnSBH.bat
Filesize
203B

MD5
c7520e8a78f14c3b911b096a7854a9b3

SHA1
a1449227bc1f5a5f38c9fa79655890ef1f4f61a0

SHA256
9c9a699a69515286814c639e041f48789a179f7e650d0459aabf31591987ae88

SHA512
cd3406529113be86491146ea7b1008b1d94c770b23a94ab2b40dc52fc64f1aadcdb41b20208b5aab1891d96bb3b2ef46d77a164a763fb78d4dd450de23c6c717

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wjfq2YJT3an2.bat
Filesize
203B

MD5
80a8919c92ae78a19ba46f7aac1e9346

SHA1
fb4420cfe2c69c0e2bdb60a62936182d12f9c7f1

SHA256
60603f050556b8a74a38bd76c3ddd020cfa268b512019dfb6007d0782e981825

SHA512
2cbf04891354dfe157fc6bfeeeae43f95747d1b656c04e6971806972b4a39b7538636a7408b3fe9de5207820bead1a8bddd87e0fdb8d199019f44eefabd1750f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wk7wKdnsHMGR.bat
Filesize
203B

MD5
6fe365dafbce9d216d00b7c9a5bdb81c

SHA1
06336c05c01163d2d16957a4c58af2ecdfc87d91

SHA256
2df740a8da522e6ebf1038381413e294847260d15219f0d76fcb529c19d510c5

SHA512
b6e6fe82d32de7db7991edffc7e6ec6eece1c4aa88dca645d49e31c6b1547b06a8cc174e5f146a235751ee9c44bbccc6aa422cd9e1f11ca122445009b734175d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAwEQarpv8tx.bat
Filesize
203B

MD5
61a569708cce382705d5a392d17575d9

SHA1
f056deb0fadf69a9e88eff3bda0a6a6fef4ce2d7

SHA256
38b59b9ffefbb7771a5329c8eda117444de79207f62dc67843350ed794bd99b8

SHA512
5badf20a184f19f3550e32bca0a3d62459badbf15bd86339b91111b950e52820d405f47c55d66de3671ab1370341132666f623cc0632beb08ceeea553c722908

Download Submit
C:\Users\Admin\AppData\Local\Temp\YlxXfR2CK7fh.bat
Filesize
203B

MD5
c1bed4c9af943ac59be3a2e381551192

SHA1
4bd5b8333258f5d32d7416c56f680092d7b0c341

SHA256
8a3e1bdb2a3f1cc1ad2f81a9805b0e16ae7e62edfb529f06c9fede6a70380722

SHA512
b8333f874c5af5cb689e176fa625f56d949c32c6de69ad3143b487e075ad556992400c6fe246275a5d51f309579d09219423233327025039811969ee8072f1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zi4cli3fsQ0v.bat
Filesize
203B

MD5
53dda8e8e0df2581efe73e1b808ca92c

SHA1
e9edb1704dd3440fc7e25b1f95fe240672ce86dd

SHA256
2c0c4ef1372326f191b3919d47773847a8a19841b9553dcbb0ba84125605e40f

SHA512
c83660379b7cd08d51b0f92ad19c8f3ad3704e4912372a64d3840f381bc5b5155eadf1f3e41942b704d629b895a29c270cea07583e7c5448ac2ca4033aea5cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\af6j0BcRPzZY.bat
Filesize
203B

MD5
6df55e8478202c2343884754c45ce98c

SHA1
2c76deb820ef6029e8b7f04ae300d34daa1ed99f

SHA256
83f68313612e4f32ec028781510c1dffca90e2f0dcead430c004300d62b60175

SHA512
88d61f35e7795469003d6be0edfb59bd06513d0ac9b78e39d1c1c37ebeaebd31374dfc3d9be04779acb8b7c79cf2dbcb43b46cea0e35a0e928dfb5974117afd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdKtYRlQZ2vI.bat
Filesize
203B

MD5
b7c1a3f6e94c136b3afa7cef689fba78

SHA1
3f87f279ad1fdc6f963e26a6de3cf737d3e97287

SHA256
114c504ef3489bc9daf2bc17071d60a7a6188b33387a4f72e54be0d39a29ec8a

SHA512
1710495b51bcd39570ae62451ba257aaca5b43f543a41b3c301cffd5090b1cabd77f1402d464f666da12c8cd62b72cfc169bf53c48341544f65d6f68ad54dd96

Download Submit
C:\Users\Admin\AppData\Local\Temp\dU5Wm6D0rwaE.bat
Filesize
203B

MD5
3d5746ffd4b743fa2f8153656c30f19a

SHA1
aac6b3f162ce4b14cbc7177adacaa7291e1ccd69

SHA256
720fbe44a5b471e169a49a43421c533ce961087c6738998bcecad418e4ce6c31

SHA512
7287d85c53b35fa5fdf93b6b44d002311270faf9b9238306fcae2795cd00f5d331fe9b54aa9c31d9e2b406639a3e3ff7e0162d48ba0b0fb8e8d0f3f4f2ebbdb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5p8PlpIdllK.bat
Filesize
203B

MD5
4ff2464f16a37d74bf9fc62a98027cd3

SHA1
4bc28442109e2b48c8243777063b565f0ab9b079

SHA256
3befe1e40ab907cc34b5861f5eb263b4c9b95b7d7230f2a8337f52d0d2e8beff

SHA512
f5d720af16e3d850bbbdaf1bdc5c6f46c1fdc5e8be226a0b200874cd6322e06882ab02541d00d18bd83a00b12781d8e48b46ab353adea6f88e17d3139d248b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEf7G34P2oNh.bat
Filesize
203B

MD5
a6502122fbe936461a56fb6077fcd189

SHA1
411dc602e9b6e586f7c4cc08cad8165bfb1122d0

SHA256
241f0e9f7ec9415ad7ac4187b5269ba0e5b61f53c7b44fc007a5890ed60c9a23

SHA512
5b2534db8d5634c44c8c2a5742591b87b3d7cf9190202579bbe3850d3c5cd0d8123642560bc3bb53f7a4df3e4e575ba8d25d7d3848186e7731494e5067d45a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec2Eh2ZDywKg.bat
Filesize
203B

MD5
175d78c129447ec53c37c992d7f68c30

SHA1
1caa10882e3845182c82d7d1e7311d31d3c7e848

SHA256
9de093148cc2ffcc9d88389d9ea627f3441fe4488e9ecf8a389d86b12d17644e

SHA512
a7cf79fc3e640becebcfe0dc2157f5b8bb9b0177456e399924516f3a97db596ce95b9735bd83ee1c33ba232b87bd1e3e07df7c54717b441fdece45873b184f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7AuLoFg9BiM.bat
Filesize
203B

MD5
1ff5d86751c583615520b1db7664615b

SHA1
481cc618eef21f84fb8b3346c4d1595d05f82425

SHA256
bc9ca3418cd4586f1ba00ad20c138ca8569f3fb97066cf1f746e8e857d94da95

SHA512
97a3657f014992e6ae173559c629ecd216b2ffb24eef4638f73db422029c4233431b6461bb1b623822f3ca1c34988d00f1e53afa20e6912a59b6f7288bd5be1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdqTeZIoDAi2.bat
Filesize
203B

MD5
7f629345695bbc454a075ed92b422352

SHA1
fc641c3bab605a2d010b6f06775cfd48da338671

SHA256
e57f902a4dbc56126784d68c58fbda7546c9be6f3d0dd04630a49d67b36349c4

SHA512
283300a3c56bacd1f883dbe52d85f57c7427d1242b7d2bff507fa7c05d1774ac82f8392dcf07bbe8de6520d638f60f20d27969c6c90eee7b30c103603de454cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hf6bsHeMevHp.bat
Filesize
203B

MD5
a6399a9cdfff15279a4f0f32cd9c8469

SHA1
b450907dc267d5bae28014e17e1b62e2a565757f

SHA256
a90b0e84257f5ff33afff0a34f81bf10ae5fe7822693529d83877a4396cca336

SHA512
ce5dc700255374e20b16333b64ebcc56f62c64bf3c8d103f032d9ad159c9e8ca3e3bbb6f7916808b74fb433b5de5a455907cace2e8365dd090544cfe1e6ed9dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\i9lZYZs20pt0.bat
Filesize
203B

MD5
c8698ce889deedba5ae05a165ef8aaa6

SHA1
196fba818e0e07d0dc34921b288ea6823cd2d5dc

SHA256
2c8c6cb23a61d14b2f070577f460c81688d6646821b31aae8220334ad467e016

SHA512
9191824bddd28e4e4195155c6f42250e03bdffe4999247f2e054132f5ebdbcc67fa5da0eda7b65ec42ef6a5eb93e518bf27a8a3f5129ba9e0e309a41f70ea94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jTNtlS790Li6.bat
Filesize
203B

MD5
823ed937527018f4ce96ddcb65e88ba0

SHA1
acc7ba6f88add9e2aeac94f4fa822a7fd3faf2f3

SHA256
590655e22926e30005120f83a3f42d1ac431d1d9c51a67ac147c371f4e5fbbe2

SHA512
f3f7090b706be03aad9298cca19234fb38942e97e5e458104e995c89561571e4e308bc36ef6aa171971f892bc58e54d998e2f46d688128b0c8b147026e0b4d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lPx43IStSODc.bat
Filesize
203B

MD5
28c1d7c22d8e3aa7ce09cc4983c4a089

SHA1
246cac07a639d15c93a66a6375e9431de4e66eb3

SHA256
6c89baab7b67353759b68a6d505a9892f07b96db5d131a802f851678cf4c3de0

SHA512
c44ee6bd95137544dffcea085fd42cca23f6de50e31852902145c2d3bec1e1fb20af028589707b4f682340f3fee78138daa5b8c75fee7a43ec110f84a1540319

Download Submit
C:\Users\Admin\AppData\Local\Temp\mPfXYeEzo1T4.bat
Filesize
203B

MD5
4140d8f441fe54c748227282c79bbb1a

SHA1
2c4b2d160e71e9e4af8a753659c5848db9ceddef

SHA256
8d8448ae35bfd108c6ce19cbba9a3fa59d9572edc7f5b63fb4e629457683bf83

SHA512
8691f2733c1cc2f64ba319b53dbc1ad626a371524272b0fc70a59e7ac5445487e317a9f3865e7800260ef52585b7105f3bd0e7fd76f1b93877bf5233ffc7f782

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCMyBoimVEmJ.bat
Filesize
203B

MD5
ef272c58f85f7ac4f6cc4b6f9f6fb815

SHA1
4b8f1801d2eb558f799d53fd031273fb59f91443

SHA256
2b602f278d2cdba21ded571caf750913fbd37deb2d9ea6a58d55bb6b4ce92194

SHA512
57a8e365f88d16073c37cd63599ec909d45d5f35ab03a8d2583f2fecb7a73a5c554610c1efd1205b19e88ec93c75b213ed604ebea2d5b9ce492ca90d48b30bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pNF3dnl8u1An.bat
Filesize
203B

MD5
525bb4dc0dee69640e45cb2eee0cfb3e

SHA1
284ff63ec28f69b812ad314e6904247896b5c8ee

SHA256
83fe7d0b18033af95e38cf6f0ff6cd3686abfa7b9b6e167069f69bc38a9a9651

SHA512
266257020d4dcb4ba399af808a1b9a6e0efb0544344f65fe44b5d09390989422c29e7516bf3831735081d5bc719d569ec6d754e5d6ae946c8566e98110882312

Download Submit
C:\Users\Admin\AppData\Local\Temp\qFE8m9kdhYz5.bat
Filesize
203B

MD5
b52d57e9892d4c557d6b18834445d2ff

SHA1
b6ff9c949ab496e1547ffdd08347109d0b333408

SHA256
a2d98bc5deb79478c27e46006db0a4925419d6d6913c52ad4851090d9137edad

SHA512
74d0eff1c9bc508300a4d9ccc8b9718673e34df943d9897daf98119b67264d26ccef21c5985b126e28aee6e01172e02946612c0fd829cdaa43159d54cfa6efda

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUYGvErPMYC3.bat
Filesize
203B

MD5
ae13c4c5fccd94b956ff9e9fbee69c6a

SHA1
b7184ba3ab138806331ff8c6f98d72e99730c2f9

SHA256
148ad92e2eb42780d32c5fc2d7da6b6f86148c3e024086d4d73185640965b9f4

SHA512
a1f32c70d60fd1bb1be8d33b38475e959c32a3812e46217ccce56f97ff84898de667a0380a3bc6ccec6056b3bdf4c3da2bdbc72caa5d94d6e578303ab634d32e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qZvsq8qAdlRi.bat
Filesize
203B

MD5
c590a2a5105c95fab6fefc69f93d3725

SHA1
91d9b306457c8b70a245275dcb6a4f6c5fa0eb05

SHA256
1551dba5d0339416eba407504de497d943c2319e04a9f502e84748203acbfdf8

SHA512
c689935d639424b3d1aac82662167fd892e76f46a348ac4a37f1e8ad6899cdd83e3c4f1103a0e74ac69e2b136635f904ea15c25bd6111aa07fca8f345ad89636

Download Submit
C:\Users\Admin\AppData\Local\Temp\rZOJd5HovEsQ.bat
Filesize
203B

MD5
316905627f0a552b6f7f8e389a0173bd

SHA1
b6dc8bfb7b6fa051c7218cd62b6ebbef5170421e

SHA256
8f4b7d0f4f0dc596db56bc0c1ec1507e99a972e026a824ca425a6fd197a3a31f

SHA512
2b945fd2f03eadecb46995402dfbbaa30000ab7842a2b91502db60d63070625442e07dfc275c33e0b6c0a8f9b6d329e8ea80fdbba4aeee36647280fbcb5fbc02

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvB6oJmOYJZQ.bat
Filesize
203B

MD5
9dd48c69179a245cfd5375e89683bafa

SHA1
852caa67c744f7332c02a0772d25b634a63bc945

SHA256
23f537a61329ba62b4943506d63b88cfda06ca048694db71037946590a1a8b09

SHA512
1d8c9ca30ad827b1b0636d1a4e866201f010d99736203672b0c1c65a30bcf3c049d8367c4309b18b2989a50a806e5cdd2147664ad49a2279b91f31a3755df211

Download Submit
C:\Users\Admin\AppData\Local\Temp\wxdkO53vaz2d.bat
Filesize
203B

MD5
3cca708d0fcabbbe24e4aede7da80742

SHA1
ed2f44219d3e7dc92f40f25cb7e3453cf60ae2cd

SHA256
5449448099c292e45bb3ca112bd021a4f70b0f05a402797961d796abf053e37b

SHA512
49b029466261eb660baa98defb909ac2ae6dcd3963b79dbc0c3cb060b7fb2a8affade600923cf74f6da44f7f682cf3c7f3baf570cfacdead050d7eb893ad48f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1TLiFWo9MK7.bat
Filesize
203B

MD5
a92d664a76edbd36e11a4c86f6791a5f

SHA1
dc6373f1904df8f01c83ab1a0aad299f1b9bd84e

SHA256
1e95770d9c5128e4b0b1380a597049d162fcd80ac1502febcbe8550cfdabc931

SHA512
4988f6097428c8445e7f469408894fe642a39e26c3a8a51c3d47ddefd6cacbb7f2334933c47c7557d239db7c78f1cbdb6098baba68c2dca7618dc58e66b1611f

Download Submit
C:\Users\Admin\AppData\Local\Temp\z2x2QAjLsLB0.bat
Filesize
203B

MD5
87a13de4032cbae3c7bdc1bc6bcc4489

SHA1
bfcc3802b86e57ddf6c8f9b70de11720c0465cd7

SHA256
1b95fceb223b3e3875a3d94f04ac724ed73ab26c4eb0ff8510b1ac3a15ca1b5b

SHA512
3a8774006f53b6d35ba984f4879f9ad4a5804cd0e3e64fe1d6d4b197946685d12003c570ed1fa4764c13c55f4289cfadf46ca3302d8f426b1bde9c248050ea3d

Download Submit
memory/2544-17-0x00007FFCC4290000-0x00007FFCC4D52000-memory.dmp

Filesize
10.8MB

Download
memory/2544-12-0x00007FFCC4290000-0x00007FFCC4D52000-memory.dmp

Filesize
10.8MB

Download
memory/3900-10-0x00007FFCC4290000-0x00007FFCC4D52000-memory.dmp

Filesize
10.8MB

Download
memory/3900-4-0x000000001C3E0000-0x000000001C492000-memory.dmp

Filesize
712KB

Download
memory/3900-3-0x000000001C2D0000-0x000000001C320000-memory.dmp

Filesize
320KB

Download
memory/3900-2-0x00007FFCC4290000-0x00007FFCC4D52000-memory.dmp

Filesize
10.8MB

Download
memory/3900-0-0x00007FFCC4293000-0x00007FFCC4295000-memory.dmp

Filesize
8KB

Download
memory/3900-1-0x0000000000950000-0x0000000000C74000-memory.dmp

Filesize
3.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads