Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/01/2023, 15:38

General

  • Target

    b5b0a0a082b9f9ed7e1216805dce73dc.exe

  • Size

    502KB

  • MD5

    b5b0a0a082b9f9ed7e1216805dce73dc

  • SHA1

    ebc4c036a30a003a399c6c1a6fd96fbd60cbbf35

  • SHA256

    486a7709a844ef4a1770299b51b3bdd519c8881ea3190705ab7890780998e84a

  • SHA512

    4c025030525fcbb0de7b7890ccf8c9b9c9e09bb25e1adbdc9f8e5e49097531c7bf4ebde85ec36409e743c3b079133d9527aae70c6bb5dc733aa2a671889b4158

  • SSDEEP

    6144:ITEgdc0YYXAGbgiIN2RSBMUZz6wudTEDQK6DkQfocEgOb8F9vWlM3lBi0U3vLcTQ:ITEgdfYqbgjqDkwp9WCY0UfLcdm

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

xsaz3412.duckdns.org:4782

Mutex

339a0ca9-655c-474f-ae0b-8b93c0a5acb0

Attributes
  • encryption_key

    5BA53C22C08AF30F643D1CE3AEA974DFD7C76979

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 14 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
    "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3144
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QlBWeGUfTaF0.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2724
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • Runs ping.exe
          PID:3556
        • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
          "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
          3⤵
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4720
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3uJzLaFNua54.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4168
            • C:\Windows\system32\chcp.com
              chcp 65001
              5⤵
                PID:5104
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                5⤵
                • Runs ping.exe
                PID:392
              • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                5⤵
                • Checks computer location settings
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5056
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQt7P3eQ00Vg.bat" "
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1992
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    7⤵
                      PID:2968
                    • C:\Windows\system32\PING.EXE
                      ping -n 10 localhost
                      7⤵
                      • Runs ping.exe
                      PID:4204
                    • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                      "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                      7⤵
                      • Checks computer location settings
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1192
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pa0ft07xdwyA.bat" "
                        8⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3692
                        • C:\Windows\system32\chcp.com
                          chcp 65001
                          9⤵
                            PID:3892
                          • C:\Windows\system32\PING.EXE
                            ping -n 10 localhost
                            9⤵
                            • Runs ping.exe
                            PID:2240
                          • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                            "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                            9⤵
                            • Checks computer location settings
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:4828
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v3XbqbwgbC0i.bat" "
                              10⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1308
                              • C:\Windows\system32\chcp.com
                                chcp 65001
                                11⤵
                                  PID:4500
                                • C:\Windows\system32\PING.EXE
                                  ping -n 10 localhost
                                  11⤵
                                  • Runs ping.exe
                                  PID:5100
                                • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                                  "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                                  11⤵
                                  • Checks computer location settings
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:2784
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BJp0g8n8FMVJ.bat" "
                                    12⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:4584
                                    • C:\Windows\system32\chcp.com
                                      chcp 65001
                                      13⤵
                                        PID:4940
                                      • C:\Windows\system32\PING.EXE
                                        ping -n 10 localhost
                                        13⤵
                                        • Runs ping.exe
                                        PID:4216
                                      • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                                        "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                                        13⤵
                                        • Checks computer location settings
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:4532
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsv8rWOGxLRz.bat" "
                                          14⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:724
                                          • C:\Windows\system32\chcp.com
                                            chcp 65001
                                            15⤵
                                              PID:1372
                                            • C:\Windows\system32\PING.EXE
                                              ping -n 10 localhost
                                              15⤵
                                              • Runs ping.exe
                                              PID:4700
                                            • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                                              "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                                              15⤵
                                              • Checks computer location settings
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:3664
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xd667c9NiRNU.bat" "
                                                16⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:1860
                                                • C:\Windows\system32\chcp.com
                                                  chcp 65001
                                                  17⤵
                                                    PID:1880
                                                  • C:\Windows\system32\PING.EXE
                                                    ping -n 10 localhost
                                                    17⤵
                                                    • Runs ping.exe
                                                    PID:3220
                                                  • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                                                    17⤵
                                                    • Checks computer location settings
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2972
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ylGrbuxHDroT.bat" "
                                                      18⤵
                                                        PID:1432
                                                        • C:\Windows\system32\chcp.com
                                                          chcp 65001
                                                          19⤵
                                                            PID:2756
                                                          • C:\Windows\system32\PING.EXE
                                                            ping -n 10 localhost
                                                            19⤵
                                                            • Runs ping.exe
                                                            PID:4396
                                                          • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                                                            19⤵
                                                            • Checks computer location settings
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:3024
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bxu7JOJaNrss.bat" "
                                                              20⤵
                                                                PID:3804
                                                                • C:\Windows\system32\chcp.com
                                                                  chcp 65001
                                                                  21⤵
                                                                    PID:4564
                                                                  • C:\Windows\system32\PING.EXE
                                                                    ping -n 10 localhost
                                                                    21⤵
                                                                    • Runs ping.exe
                                                                    PID:2180
                                                                  • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                                                                    21⤵
                                                                    • Checks computer location settings
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2188
                                                                    • C:\Windows\system32\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3MJa3slgjilP.bat" "
                                                                      22⤵
                                                                        PID:3660
                                                                        • C:\Windows\system32\chcp.com
                                                                          chcp 65001
                                                                          23⤵
                                                                            PID:3620
                                                                          • C:\Windows\system32\PING.EXE
                                                                            ping -n 10 localhost
                                                                            23⤵
                                                                            • Runs ping.exe
                                                                            PID:4836
                                                                          • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                                                                            23⤵
                                                                            • Checks computer location settings
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2084
                                                                            • C:\Windows\system32\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8z33Hy6vCmlI.bat" "
                                                                              24⤵
                                                                                PID:4768
                                                                                • C:\Windows\system32\chcp.com
                                                                                  chcp 65001
                                                                                  25⤵
                                                                                    PID:4296
                                                                                  • C:\Windows\system32\PING.EXE
                                                                                    ping -n 10 localhost
                                                                                    25⤵
                                                                                    • Runs ping.exe
                                                                                    PID:2980
                                                                                  • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                                                                                    25⤵
                                                                                    • Checks computer location settings
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:1992
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZLPiOsWW9LI6.bat" "
                                                                                      26⤵
                                                                                        PID:376
                                                                                        • C:\Windows\system32\chcp.com
                                                                                          chcp 65001
                                                                                          27⤵
                                                                                            PID:1916
                                                                                          • C:\Windows\system32\PING.EXE
                                                                                            ping -n 10 localhost
                                                                                            27⤵
                                                                                            • Runs ping.exe
                                                                                            PID:1664
                                                                                          • C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"
                                                                                            27⤵
                                                                                            • Checks computer location settings
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2744
                                                                                            • C:\Windows\system32\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9ZmdwM2ztVV0.bat" "
                                                                                              28⤵
                                                                                                PID:4556
                                                                                                • C:\Windows\system32\chcp.com
                                                                                                  chcp 65001
                                                                                                  29⤵
                                                                                                    PID:3796
                                                                                                  • C:\Windows\system32\PING.EXE
                                                                                                    ping -n 10 localhost
                                                                                                    29⤵
                                                                                                    • Runs ping.exe
                                                                                                    PID:4460

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\b5b0a0a082b9f9ed7e1216805dce73dc.exe.log
    Filesize: 2KB
    MD5: 8f0271a63446aef01cf2bfc7b7c7976b
    SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
    SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
    SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

  • C:\Users\Admin\AppData\Local\Temp\3MJa3slgjilP.bat
    Filesize: 229B
    MD5: c2852738056735d6f23f56d48053de18
    SHA1: 114c86c416d60eb7f5c44e1560d60d52108be9ac
    SHA256: c98904ba9372e5957304786f66ae71b23e33918384182d1902562aa9dd574c97
    SHA512: 6f083424eddd809f461b8ef934749cae12ded92f30dbbc3b349794d4804653d61f3cfc8184a883c4403b8f2a8cf70a4fee79c366215e315e71187a12b5e658c2

  • C:\Users\Admin\AppData\Local\Temp\3uJzLaFNua54.bat
    Filesize: 229B
    MD5: 089c7fe596487967be328b58a39026af
    SHA1: f137d86d394ef4aadd4ea323e59cfc86ac77c9b2
    SHA256: b1acde7152f57909ace13a82763b4255a98b9b5718e248c36b8c07caecf6e63f
    SHA512: 7c6ed7d0d5b68f55031025f62daec1a592b55f22b6a2c4775899aa9f7ce0516a1e58b86da90c8834620043d6c0f66654188cdda3408442acf1c159eaacf8f203

  • C:\Users\Admin\AppData\Local\Temp\8z33Hy6vCmlI.bat
    Filesize: 229B
    MD5: 50f98e384987bed46c4c9b3d0c7c606d
    SHA1: c1fa1be0fa1f4e29627670b3f041d4d9a60cd9c7
    SHA256: 2bdc793509262205d2dee664a079cb5aafb46f81767e5325501c0c0042e9d5e5
    SHA512: 8ef48a08f58d4125910d280ccc24c894df050143db91319544463499f40c9f94b083ddd9f75b4f7f1a5b7c85dfd3e5b88f9db02fffb1f951d3ebfa534c8744f7

  • C:\Users\Admin\AppData\Local\Temp\9ZmdwM2ztVV0.bat
    Filesize: 229B
    MD5: 2744d6c38d4e2088fc4472b23133c52f
    SHA1: a677a4d2aa1c5304a24f4d526138c614855f1307
    SHA256: 18fc16568b0d3f44cc16ce8a4069ee91f1dcac23f79e141b10f265da54bcf770
    SHA512: 88471486cbf8d595d488a4bf17185e65fe4ef9dec56389d0e48bb5d7ba502e90b433e2d984d9b70a6d4278f4e0a92d358aaf00169ae9dea5c13ed99803ab1cf5

  • C:\Users\Admin\AppData\Local\Temp\BJp0g8n8FMVJ.bat
    Filesize: 229B
    MD5: 58cbbc17bb9b180092ada63f3b36d6ad
    SHA1: 1b2c67eb4914821e99b9311a0e94fe8733d9e055
    SHA256: dc1f0d6935d4d98910cc3449ee5199e661d8a83ea085bcf7c86e1e8c4f3378ec
    SHA512: bb4262286e22c4e6581398716010637ba5cf7883e8e6b83b67e539f8105f9059a2e4fb9f673412e5dd458814b2375385de0293757771ff28868f3ceccb15d70c

  • C:\Users\Admin\AppData\Local\Temp\QlBWeGUfTaF0.bat
    Filesize: 229B
    MD5: 3701679af3203177e3b5dfd35072d395
    SHA1: 00958c86b8cb574b40a7bcc93498d31573f051bc
    SHA256: f2e72cfd365b458afee4b083b6863154755ed68d43cc54df6869d2980dffaa16
    SHA512: 148f062fd971bd31dff33141a0d29b4ff94fe569e599f4a174f9fa0aaa53f0eff67ed4a492bbb5a89c678e9a31e1ca6b1a6440614a80713d53ba10b0f2f08ce0

  • C:\Users\Admin\AppData\Local\Temp\UQt7P3eQ00Vg.bat
    Filesize: 229B
    MD5: f4b818a00a3027a821fea62fc03103cc
    SHA1: 50be68a1b30e787c9214011b149d2afba0dc0f5b
    SHA256: 262a48072c0821fff9d72d7538ae5d9553d6241b4173ec84ba00490f2fdfe907
    SHA512: f273fc9e47e5a315b1ce44f54b9f2c229ce55dd41e798b4bb8bebc495bba66946989244a90b8ec1634e3fd8552ed6acc5d9120a73fb8bafabcf45434e3350a7b

  • C:\Users\Admin\AppData\Local\Temp\ZLPiOsWW9LI6.bat
    Filesize: 229B
    MD5: f741e130fc08e9595ad406a01e32e937
    SHA1: 61dbcd90b4da73a2fba40ed4f7beded7f9b83959
    SHA256: fd0de66f21da247481c5a0361061a2c4c0446449863e194c370fe98ab886be76
    SHA512: aafb27ff5d7795bdbca6963ef48a06375b66eb47bf2d4f120eaddcaf3e10eea55e2eb8f8f3a4a3a41573fc13a6a1ca01cb7aad8aef742e2c29a835eb6529c796

  • C:\Users\Admin\AppData\Local\Temp\bxu7JOJaNrss.bat
    Filesize: 229B
    MD5: a4d8a5a4125ce79e49520aa6d40d6d3d
    SHA1: 57472e97e0028fe95f644c503b729dec346c85b5
    SHA256: 29932427355c6653358c82235a01de7c680347628bf76bb5ade99fa11d046629
    SHA512: c3791cd5f62484a260e79fe33fd7ebde9ca75153b66f99469f9a557d43649840fc15a2fddae6d086c6296d82ace5ce47664187461a6e4ebbd5d2bc4760812104

  • C:\Users\Admin\AppData\Local\Temp\pa0ft07xdwyA.bat
    Filesize: 229B
    MD5: 23595b8e965bcf4576f6269cbb899d02
    SHA1: e61a98cde8cb2c4ed6241be2f6eb370703a18cf1
    SHA256: 5407695536e9b395e46e04bdf28d60da8b24b598f6d9f49ac5a46cfef6cf800d
    SHA512: 592f33b3436c96b72a65c256c2bf9eaffdf65f108353224e1581e3f802f725c92195a503b52bf5c32f5c9406d8a2c163d05a63ce2424101d039df8e970539c1a

  • C:\Users\Admin\AppData\Local\Temp\v3XbqbwgbC0i.bat
    Filesize: 229B
    MD5: 12e42dcca182d66b53e7adc40d90be2f
    SHA1: 88b81ffb0a2f9898539f2e2c78d8b1b404310c5b
    SHA256: ace54be51d591c6792f2e70f940aaea7ce22f5c759cc7eb8201da7336bab927f
    SHA512: 92df3670484203c7ef33faedc37943bbdbefa9b1288747d20bfbdc99efcf2c0fd23fb90dcac11f8db8c560b725899b427de93457aac4ad7e527de24f0695f5ce

  • C:\Users\Admin\AppData\Local\Temp\wsv8rWOGxLRz.bat
    Filesize: 229B
    MD5: fb7218c8e909e63ffe314c11c491650a
    SHA1: f247b1a2d642f7202753286eb692a50a55a38444
    SHA256: 0f3fc1c19b3f1ff3633676370a788918f85ca2150f4cd14e1dbbc51aea7193d2
    SHA512: 3c0f33eeb882a30ca95ff9627cdfb2643f8ddf8b311457187ea9d0cab2a7abb7b7069ca8ff2e15ccb5502922ae9373c191e9cbb7f8a0bd66cc0f6fa03d809fd5

  • C:\Users\Admin\AppData\Local\Temp\xd667c9NiRNU.bat

                                            Filesize

                                            229B

                                            MD5

                                            442e1bc80599269a7bb114dcfed1d3a3

                                            SHA1

                                            4403f1898ce83796d0394588e08fcc844ee1f38a

                                            SHA256

                                            d15616d4fd974749a2bb3f8e88dcb5511002b53373c548da21b64b08cb88bfe0

                                            SHA512

                                            2e91559c512190d6a07bf520e9c9ba976403348ff3f25655cf6fc9d49468f804b2402464fd0e3dbf915b2e395f9daa5d5ac02c7a618a6d2969b359ac8944f25d

                                          • C:\Users\Admin\AppData\Local\Temp\ylGrbuxHDroT.bat

                                            Filesize

                                            229B

                                            MD5

                                            834700ec23e264cb8db8e3e7c5abbe1c

                                            SHA1

                                            d672a4f4066b75108074845be8edf85195a30647

                                            SHA256

                                            073747b08070baf54cc1660488a8ac8c11afe167e91d0fcb26856cfc060b87db

                                            SHA512

                                            673f3276f4f3850ff6a619ff6b84240539800271ad920221fff4903e829009c33468b19c5bf05fc5c242e04b0f1567bbb68fc1269abf4d8f901cb7dc8a7212a7

                                          • memory/1192-157-0x00007FF852790000-0x00007FF853251000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/1192-161-0x00007FF852790000-0x00007FF853251000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/1992-220-0x00007FF853070000-0x00007FF853B31000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/1992-225-0x00007FF853070000-0x00007FF853B31000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/2084-213-0x00007FF852790000-0x00007FF853251000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/2084-218-0x00007FF852790000-0x00007FF853251000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/2188-210-0x00007FF852790000-0x00007FF853251000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/2188-206-0x00007FF852790000-0x00007FF853251000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/2744-227-0x00007FF853070000-0x00007FF853B31000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/2744-231-0x00007FF853070000-0x00007FF853B31000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/2784-175-0x00007FF852790000-0x00007FF853251000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/2784-171-0x00007FF852790000-0x00007FF853251000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/2972-197-0x00007FF852790000-0x00007FF853251000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/2972-192-0x00007FF852790000-0x00007FF853251000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/3024-201-0x00007FF852790000-0x00007FF853251000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/3024-199-0x00007FF852790000-0x00007FF853251000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/3144-132-0x0000000000520000-0x00000000005A4000-memory.dmp

                                            Filesize

                                            528KB

                                          • memory/3144-140-0x00007FF852980000-0x00007FF853441000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/3144-135-0x000000001C2D0000-0x000000001C382000-memory.dmp

                                            Filesize

                                            712KB

                                          • memory/3144-134-0x000000001B190000-0x000000001B1E0000-memory.dmp

                                            Filesize

                                            320KB

                                          • memory/3144-133-0x00007FF852980000-0x00007FF853441000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/3664-190-0x00007FF852790000-0x00007FF853251000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/3664-185-0x00007FF852790000-0x00007FF853251000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/4532-178-0x00007FF852790000-0x00007FF853251000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/4532-182-0x00007FF852790000-0x00007FF853251000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/4720-143-0x00007FF852670000-0x00007FF853131000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/4720-145-0x00007FF852670000-0x00007FF853131000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/4828-168-0x00007FF852790000-0x00007FF853251000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/4828-164-0x00007FF852790000-0x00007FF853251000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/5056-150-0x00007FF8526E0000-0x00007FF8531A1000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/5056-155-0x00007FF8526E0000-0x00007FF8531A1000-memory.dmp

                                            Filesize

                                            10.8MB