Analysis Overview
SHA256
8ca13a2a0324e267849401c770ff7d759d4a52c91954476bbd0f5fb9f596cc23
Threat Level: Known bad
The file Roblox-UWP-Executor-main.zip was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar family
Quasar payload
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Opens file in notepad (likely ransom note)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Runs ping.exe
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-04 09:00
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-04 09:00
Reported
2023-12-04 09:03
Platform
win7-20231023-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2040 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2040 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2040 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2040 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2040 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2040 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2040 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Roblox-UWP-Executor-main\Execution.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Roblox-UWP-Executor-main\Execution.dll,#1
Network
Files
memory/2056-0-0x0000000074B30000-0x0000000074B79000-memory.dmp
memory/2056-1-0x0000000074AE0000-0x0000000074B29000-memory.dmp
memory/2056-2-0x0000000074AE0000-0x0000000074AF3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-04 09:00
Reported
2023-12-04 09:03
Platform
win10v2004-20231127-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 212 wrote to memory of 4788 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 212 wrote to memory of 4788 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 212 wrote to memory of 4788 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Roblox-UWP-Executor-main\Execution.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Roblox-UWP-Executor-main\Execution.dll,#1
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HideSkip.bat
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\8d3d608728ad45299ece0ebaba5e01fe /t 4628 /p 4412
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.254.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.191.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.73.50.20.in-addr.arpa | udp |
Files
memory/4788-0-0x0000000074ED0000-0x0000000074F19000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-12-04 09:00
Reported
2023-12-04 09:03
Platform
win7-20231023-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Roblox-UWP-Executor-main\XYZ.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Roblox-UWP-Executor-main\XYZ.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 232
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-12-04 09:00
Reported
2023-12-04 09:03
Platform
win10v2004-20231130-en
Max time kernel
125s
Max time network
52s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4976 wrote to memory of 3988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4976 wrote to memory of 3988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4976 wrote to memory of 3988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Roblox-UWP-Executor-main\XYZ.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Roblox-UWP-Executor-main\XYZ.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3988 -ip 3988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 604
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-12-04 09:00
Reported
2023-12-04 09:03
Platform
win7-20231129-en
Max time kernel
147s
Max time network
143s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox-UWP-Executor-main\XYZ.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Roblox-UWP-Executor-main\XYZ.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox-UWP-Executor-main\XYZ.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RSAoVxMgZLOy.bat" "
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\3Kjaw31GnX6K.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hikiA94lON3j.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sngyeydey1je.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yK5RFjpXTs8H.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8vBqg7QGZtF4.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ezULDGz348vO.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | smirkdns.ddns.net | udp |
| US | 8.8.8.8:53 | smirkdns.ddns.net | udp |
| US | 8.8.8.8:53 | smirkdns.ddns.net | udp |
| US | 8.8.8.8:53 | smirkdns.ddns.net | udp |
| US | 8.8.8.8:53 | smirkdns.ddns.net | udp |
| US | 8.8.8.8:53 | smirkdns.ddns.net | udp |
| US | 8.8.8.8:53 | smirkdns.ddns.net | udp |
Files
memory/1764-0-0x0000000000130000-0x0000000000454000-memory.dmp
memory/1764-1-0x000007FEF5630000-0x000007FEF601C000-memory.dmp
memory/1764-2-0x000000001B2E0000-0x000000001B360000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 6798986718c9d923ae747ff1bed1a16f |
| SHA1 | dbf6ebb0b412286ec6007409f15d20c90038528b |
| SHA256 | aa820cb29814aa7a79e6016c8d5a3b1a0bcf13fdea5b9625c7939095f37848d9 |
| SHA512 | 07f0b0de77bc63492033e7fa5891286fe52597913d353b48fc97d6ed99116a729a2154ce0e32a11679c212b058daa0c8b299cff9a7c7506ee9d47fbf4eabedf7 |
memory/1996-8-0x0000000000D00000-0x0000000001024000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 6798986718c9d923ae747ff1bed1a16f |
| SHA1 | dbf6ebb0b412286ec6007409f15d20c90038528b |
| SHA256 | aa820cb29814aa7a79e6016c8d5a3b1a0bcf13fdea5b9625c7939095f37848d9 |
| SHA512 | 07f0b0de77bc63492033e7fa5891286fe52597913d353b48fc97d6ed99116a729a2154ce0e32a11679c212b058daa0c8b299cff9a7c7506ee9d47fbf4eabedf7 |
memory/1764-10-0x000007FEF5630000-0x000007FEF601C000-memory.dmp
memory/1996-9-0x000007FEF5630000-0x000007FEF601C000-memory.dmp
memory/1996-11-0x000000001B170000-0x000000001B1F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RSAoVxMgZLOy.bat
| MD5 | f052318f3a6401964a784adb20b07d4c |
| SHA1 | 4e539e06c17aeac580b98555640bf103227f3d69 |
| SHA256 | b081af4b84a5bb6960bcd75d6e89ba58f3325a7d8b4cd907f31cd5148efb4cd6 |
| SHA512 | 1782175c7bb217e1e9d7fc19bac803286e557f68e61e02eeee77f7b83c3497470d94b99c4bcd464c1c7d521a5bdc2fabd3a7d573b7311f0625909469ac0e9cc5 |
memory/1996-20-0x000007FEF5630000-0x000007FEF601C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RSAoVxMgZLOy.bat
| MD5 | f052318f3a6401964a784adb20b07d4c |
| SHA1 | 4e539e06c17aeac580b98555640bf103227f3d69 |
| SHA256 | b081af4b84a5bb6960bcd75d6e89ba58f3325a7d8b4cd907f31cd5148efb4cd6 |
| SHA512 | 1782175c7bb217e1e9d7fc19bac803286e557f68e61e02eeee77f7b83c3497470d94b99c4bcd464c1c7d521a5bdc2fabd3a7d573b7311f0625909469ac0e9cc5 |
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 6798986718c9d923ae747ff1bed1a16f |
| SHA1 | dbf6ebb0b412286ec6007409f15d20c90038528b |
| SHA256 | aa820cb29814aa7a79e6016c8d5a3b1a0bcf13fdea5b9625c7939095f37848d9 |
| SHA512 | 07f0b0de77bc63492033e7fa5891286fe52597913d353b48fc97d6ed99116a729a2154ce0e32a11679c212b058daa0c8b299cff9a7c7506ee9d47fbf4eabedf7 |
memory/1744-24-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp
memory/1744-23-0x0000000000D40000-0x0000000001064000-memory.dmp
memory/1744-25-0x00000000024C0000-0x0000000002540000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\3Kjaw31GnX6K.bat
| MD5 | 1871a8320768851e9186fc98004489dd |
| SHA1 | 3a6ca8603755cab4fb589ae0609c835be19b31b1 |
| SHA256 | 61d7d79eebdae12beb3b7c5be2eec1502ba30bfcab8b44a4bc6a570959bade1f |
| SHA512 | 7c8844ca47f20c66f9fdfd12fe1a58ded3e939d07d43dd896e9235a1f247acd312d35709a6bc3eef4c46b39b3910100aaa700a0694ebd7d36e5911e6fa84f0bc |
C:\Users\Admin\AppData\Local\Temp\3Kjaw31GnX6K.bat
| MD5 | 1871a8320768851e9186fc98004489dd |
| SHA1 | 3a6ca8603755cab4fb589ae0609c835be19b31b1 |
| SHA256 | 61d7d79eebdae12beb3b7c5be2eec1502ba30bfcab8b44a4bc6a570959bade1f |
| SHA512 | 7c8844ca47f20c66f9fdfd12fe1a58ded3e939d07d43dd896e9235a1f247acd312d35709a6bc3eef4c46b39b3910100aaa700a0694ebd7d36e5911e6fa84f0bc |
memory/1744-36-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 6798986718c9d923ae747ff1bed1a16f |
| SHA1 | dbf6ebb0b412286ec6007409f15d20c90038528b |
| SHA256 | aa820cb29814aa7a79e6016c8d5a3b1a0bcf13fdea5b9625c7939095f37848d9 |
| SHA512 | 07f0b0de77bc63492033e7fa5891286fe52597913d353b48fc97d6ed99116a729a2154ce0e32a11679c212b058daa0c8b299cff9a7c7506ee9d47fbf4eabedf7 |
memory/2468-38-0x000007FEF4AB0000-0x000007FEF549C000-memory.dmp
memory/2468-39-0x000000001B450000-0x000000001B4D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hikiA94lON3j.bat
| MD5 | f2ffde0bf1b48118b2359bcc6ae06d57 |
| SHA1 | 7798bbdc58b2442680ca35189d621d7e3acd7e68 |
| SHA256 | 7c587adb90c9aea10cbfeb14093054439fe2f4515416f3e60266c78d717c2cf8 |
| SHA512 | 2f8550adf712faf0ff126d6acd51f7f1f6c9a10f3f405f8139af5270bc4a26fb86ffa7056db033ba05493b82e7ce1e405ad18e2c40bf69063464c99eb6c9a501 |
C:\Users\Admin\AppData\Local\Temp\hikiA94lON3j.bat
| MD5 | f2ffde0bf1b48118b2359bcc6ae06d57 |
| SHA1 | 7798bbdc58b2442680ca35189d621d7e3acd7e68 |
| SHA256 | 7c587adb90c9aea10cbfeb14093054439fe2f4515416f3e60266c78d717c2cf8 |
| SHA512 | 2f8550adf712faf0ff126d6acd51f7f1f6c9a10f3f405f8139af5270bc4a26fb86ffa7056db033ba05493b82e7ce1e405ad18e2c40bf69063464c99eb6c9a501 |
memory/2468-49-0x000007FEF4AB0000-0x000007FEF549C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 6798986718c9d923ae747ff1bed1a16f |
| SHA1 | dbf6ebb0b412286ec6007409f15d20c90038528b |
| SHA256 | aa820cb29814aa7a79e6016c8d5a3b1a0bcf13fdea5b9625c7939095f37848d9 |
| SHA512 | 07f0b0de77bc63492033e7fa5891286fe52597913d353b48fc97d6ed99116a729a2154ce0e32a11679c212b058daa0c8b299cff9a7c7506ee9d47fbf4eabedf7 |
memory/2184-51-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp
memory/2184-52-0x000000001B030000-0x000000001B0B0000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\sngyeydey1je.bat
| MD5 | f9ef5154c5a662fef5e198e8e6e67fc4 |
| SHA1 | 5c46023401b067dc222212feb5403d4d11e0d77b |
| SHA256 | 162be2717b979ffd02a590156b5118697b69fd0b703c6148f596f5c39b189869 |
| SHA512 | 0f7c82b3dc6eb8070fa21a41eca3f647103237385a75757432107ed8cff828985cf48671eb85233d39f71ae8b8d729016ad5e1c483f0e972cc18d87e0f7e1f3f |
memory/2184-63-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sngyeydey1je.bat
| MD5 | f9ef5154c5a662fef5e198e8e6e67fc4 |
| SHA1 | 5c46023401b067dc222212feb5403d4d11e0d77b |
| SHA256 | 162be2717b979ffd02a590156b5118697b69fd0b703c6148f596f5c39b189869 |
| SHA512 | 0f7c82b3dc6eb8070fa21a41eca3f647103237385a75757432107ed8cff828985cf48671eb85233d39f71ae8b8d729016ad5e1c483f0e972cc18d87e0f7e1f3f |
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 6798986718c9d923ae747ff1bed1a16f |
| SHA1 | dbf6ebb0b412286ec6007409f15d20c90038528b |
| SHA256 | aa820cb29814aa7a79e6016c8d5a3b1a0bcf13fdea5b9625c7939095f37848d9 |
| SHA512 | 07f0b0de77bc63492033e7fa5891286fe52597913d353b48fc97d6ed99116a729a2154ce0e32a11679c212b058daa0c8b299cff9a7c7506ee9d47fbf4eabedf7 |
memory/1768-65-0x000007FEF4AB0000-0x000007FEF549C000-memory.dmp
memory/1768-66-0x000000001AF60000-0x000000001AFE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yK5RFjpXTs8H.bat
| MD5 | 21fd7ddf5c05234a989191434e7abef9 |
| SHA1 | d9b7afdf6ed18e9619c1f19e2e6ff522354866dd |
| SHA256 | 33901698c1fc9e7447dfbe279b4829f761699ee8de301ebd705506bfe5747454 |
| SHA512 | 576f3495e2e77461ea1838937f9996dba0f8ec50eb9f5cd1420f2d67864771788ac1a3b9855c7a8ca476842f2473550db95b2d9e6102eee1c504c000aa34a30f |
C:\Users\Admin\AppData\Local\Temp\yK5RFjpXTs8H.bat
| MD5 | 21fd7ddf5c05234a989191434e7abef9 |
| SHA1 | d9b7afdf6ed18e9619c1f19e2e6ff522354866dd |
| SHA256 | 33901698c1fc9e7447dfbe279b4829f761699ee8de301ebd705506bfe5747454 |
| SHA512 | 576f3495e2e77461ea1838937f9996dba0f8ec50eb9f5cd1420f2d67864771788ac1a3b9855c7a8ca476842f2473550db95b2d9e6102eee1c504c000aa34a30f |
memory/1768-76-0x000007FEF4AB0000-0x000007FEF549C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 6798986718c9d923ae747ff1bed1a16f |
| SHA1 | dbf6ebb0b412286ec6007409f15d20c90038528b |
| SHA256 | aa820cb29814aa7a79e6016c8d5a3b1a0bcf13fdea5b9625c7939095f37848d9 |
| SHA512 | 07f0b0de77bc63492033e7fa5891286fe52597913d353b48fc97d6ed99116a729a2154ce0e32a11679c212b058daa0c8b299cff9a7c7506ee9d47fbf4eabedf7 |
memory/2236-78-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8vBqg7QGZtF4.bat
| MD5 | 8434437cc32b1f56d394b60aa0c47cce |
| SHA1 | 97232301991b661bd04fa038e95e2395e69cc4de |
| SHA256 | 3f0b53016128e1d9562b16e68d13785898cace386fdbee5252b8543f22683fd1 |
| SHA512 | b0c864d02149f84329bafeb58780fc0d39e434e8baec93fc60148c6b8bb70994749988d6721b37e58c804d25a2707bd64a6eb91a3e0a4ebfaadf64c23c0a6127 |
memory/2236-87-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8vBqg7QGZtF4.bat
| MD5 | 8434437cc32b1f56d394b60aa0c47cce |
| SHA1 | 97232301991b661bd04fa038e95e2395e69cc4de |
| SHA256 | 3f0b53016128e1d9562b16e68d13785898cace386fdbee5252b8543f22683fd1 |
| SHA512 | b0c864d02149f84329bafeb58780fc0d39e434e8baec93fc60148c6b8bb70994749988d6721b37e58c804d25a2707bd64a6eb91a3e0a4ebfaadf64c23c0a6127 |
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 6798986718c9d923ae747ff1bed1a16f |
| SHA1 | dbf6ebb0b412286ec6007409f15d20c90038528b |
| SHA256 | aa820cb29814aa7a79e6016c8d5a3b1a0bcf13fdea5b9625c7939095f37848d9 |
| SHA512 | 07f0b0de77bc63492033e7fa5891286fe52597913d353b48fc97d6ed99116a729a2154ce0e32a11679c212b058daa0c8b299cff9a7c7506ee9d47fbf4eabedf7 |
memory/732-90-0x000007FEF4AB0000-0x000007FEF549C000-memory.dmp
memory/732-91-0x000000001A930000-0x000000001A9B0000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\ezULDGz348vO.bat
| MD5 | ab4a5d4514ee91bc77f4a4f4da01c75a |
| SHA1 | 622e8dcaddf7aafee6e27283301d706625004f36 |
| SHA256 | 24afe8e97776feee77d8e99cdd17e526cb85a6bac2cdb1d982897d8b8804f8e9 |
| SHA512 | 03921ece9d6bc7614e62b10d1567b67fd272c4cfb707aa1467df918b59db366e11c4112b85ec4ad04c98aa09e9f5eab01d4d1521c9c0904d64eb599d071f5a7c |
C:\Users\Admin\AppData\Local\Temp\ezULDGz348vO.bat
| MD5 | ab4a5d4514ee91bc77f4a4f4da01c75a |
| SHA1 | 622e8dcaddf7aafee6e27283301d706625004f36 |
| SHA256 | 24afe8e97776feee77d8e99cdd17e526cb85a6bac2cdb1d982897d8b8804f8e9 |
| SHA512 | 03921ece9d6bc7614e62b10d1567b67fd272c4cfb707aa1467df918b59db366e11c4112b85ec4ad04c98aa09e9f5eab01d4d1521c9c0904d64eb599d071f5a7c |
memory/732-102-0x000007FEF4AB0000-0x000007FEF549C000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2023-12-04 09:00
Reported
2023-12-04 09:03
Platform
win10v2004-20231130-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox-UWP-Executor-main\XYZ.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Roblox-UWP-Executor-main\XYZ.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox-UWP-Executor-main\XYZ.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VslMXHUFP8MW.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUbZr62u4fH8.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\95DwxjQWzS6q.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASx26qw3YFNg.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OitPqrQhFpMK.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RrBrvqLsSyD1.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3f0T6kqnoMvV.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | smirkdns.ddns.net | udp |
| US | 8.8.8.8:53 | smirkdns.ddns.net | udp |
| US | 8.8.8.8:53 | smirkdns.ddns.net | udp |
| US | 8.8.8.8:53 | smirkdns.ddns.net | udp |
| US | 8.8.8.8:53 | smirkdns.ddns.net | udp |
| US | 8.8.8.8:53 | smirkdns.ddns.net | udp |
| US | 8.8.8.8:53 | smirkdns.ddns.net | udp |
Files
memory/4272-0-0x0000000000480000-0x00000000007A4000-memory.dmp
memory/4272-1-0x00007FF86A690000-0x00007FF86B151000-memory.dmp
memory/4272-2-0x000000001B360000-0x000000001B370000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 6798986718c9d923ae747ff1bed1a16f |
| SHA1 | dbf6ebb0b412286ec6007409f15d20c90038528b |
| SHA256 | aa820cb29814aa7a79e6016c8d5a3b1a0bcf13fdea5b9625c7939095f37848d9 |
| SHA512 | 07f0b0de77bc63492033e7fa5891286fe52597913d353b48fc97d6ed99116a729a2154ce0e32a11679c212b058daa0c8b299cff9a7c7506ee9d47fbf4eabedf7 |
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 6798986718c9d923ae747ff1bed1a16f |
| SHA1 | dbf6ebb0b412286ec6007409f15d20c90038528b |
| SHA256 | aa820cb29814aa7a79e6016c8d5a3b1a0bcf13fdea5b9625c7939095f37848d9 |
| SHA512 | 07f0b0de77bc63492033e7fa5891286fe52597913d353b48fc97d6ed99116a729a2154ce0e32a11679c212b058daa0c8b299cff9a7c7506ee9d47fbf4eabedf7 |
memory/4272-9-0x00007FF86A690000-0x00007FF86B151000-memory.dmp
memory/2392-10-0x00007FF86A690000-0x00007FF86B151000-memory.dmp
memory/2392-11-0x0000000002CA0000-0x0000000002CB0000-memory.dmp
memory/2392-12-0x000000001C480000-0x000000001C4D0000-memory.dmp
memory/2392-13-0x000000001C590000-0x000000001C642000-memory.dmp
memory/2392-18-0x00007FF86A690000-0x00007FF86B151000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VslMXHUFP8MW.bat
| MD5 | 373a71ac3eb4d183a9cf55209df4972e |
| SHA1 | 4629cddbddf39236f9c1d3c84e44f72cc78d75db |
| SHA256 | a999556e9ee454cbd6893f86f99d02f77266fb9d874187df5ff0e3ee7994f6b2 |
| SHA512 | e9e5213e044b305a931731c5b5359f2830f79e5891ea410c84338cc6aa20d6b95bd2dd65557cf9b76471eeff16064a377a1ff4a29ed38f3cceee1f1d67c27cab |
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 6798986718c9d923ae747ff1bed1a16f |
| SHA1 | dbf6ebb0b412286ec6007409f15d20c90038528b |
| SHA256 | aa820cb29814aa7a79e6016c8d5a3b1a0bcf13fdea5b9625c7939095f37848d9 |
| SHA512 | 07f0b0de77bc63492033e7fa5891286fe52597913d353b48fc97d6ed99116a729a2154ce0e32a11679c212b058daa0c8b299cff9a7c7506ee9d47fbf4eabedf7 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
| MD5 | 8f0271a63446aef01cf2bfc7b7c7976b |
| SHA1 | b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7 |
| SHA256 | da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c |
| SHA512 | 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5 |
memory/3628-22-0x00007FF86A360000-0x00007FF86AE21000-memory.dmp
memory/3628-23-0x000000001BD90000-0x000000001BDA0000-memory.dmp
memory/3628-27-0x00007FF86A360000-0x00007FF86AE21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EUbZr62u4fH8.bat
| MD5 | da315cfd7b6dda98000aaaf06b85b37d |
| SHA1 | 8b181aba949be8d5ea62c1e53a892c62e824b129 |
| SHA256 | 5f84929f55ce11edb4583f1a9de3ab4f44feaf43344bc5b5fec102592775e02a |
| SHA512 | 8702c92357f3368a3c95676fb5da6415fafbf7f5a56380b728aea728c9b81d727a24bf1937692599142d277b33bcaca23b0205cd748797a1f2fda0e5d9f463b2 |
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 6798986718c9d923ae747ff1bed1a16f |
| SHA1 | dbf6ebb0b412286ec6007409f15d20c90038528b |
| SHA256 | aa820cb29814aa7a79e6016c8d5a3b1a0bcf13fdea5b9625c7939095f37848d9 |
| SHA512 | 07f0b0de77bc63492033e7fa5891286fe52597913d353b48fc97d6ed99116a729a2154ce0e32a11679c212b058daa0c8b299cff9a7c7506ee9d47fbf4eabedf7 |
memory/2176-30-0x00007FF86A690000-0x00007FF86B151000-memory.dmp
memory/2176-31-0x0000000001620000-0x0000000001630000-memory.dmp
memory/2176-35-0x00007FF86A690000-0x00007FF86B151000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\95DwxjQWzS6q.bat
| MD5 | 95b07f5fbf1e1ae8cadac796da712432 |
| SHA1 | 0995664a15117df4b65397dd3b549802a26d0d7c |
| SHA256 | dd0375528450e7f74e9b59d7d38a96ad4f4ded5b0d4818c709918a83ef67459c |
| SHA512 | 215917246780cbbdf48cc946e4f3962ff1a65e724e84bd7cb4899874fc7f23ccca924bb20bd9bc975d29d1a2dc9202cf4b86727e488e9a17b46f9e50918d3d65 |
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 6798986718c9d923ae747ff1bed1a16f |
| SHA1 | dbf6ebb0b412286ec6007409f15d20c90038528b |
| SHA256 | aa820cb29814aa7a79e6016c8d5a3b1a0bcf13fdea5b9625c7939095f37848d9 |
| SHA512 | 07f0b0de77bc63492033e7fa5891286fe52597913d353b48fc97d6ed99116a729a2154ce0e32a11679c212b058daa0c8b299cff9a7c7506ee9d47fbf4eabedf7 |
memory/4780-38-0x00007FF86A690000-0x00007FF86B151000-memory.dmp
memory/4780-39-0x0000000000EF0000-0x0000000000F00000-memory.dmp
memory/4780-44-0x00007FF86A690000-0x00007FF86B151000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ASx26qw3YFNg.bat
| MD5 | 0df84c4484bfb7ed859ecd548fdf2a37 |
| SHA1 | c9a3a7c8098a65bac5164fecee61b350b94672c4 |
| SHA256 | 4af39f934da9b54cbc077db29b736295fd1e936491e91dbcad48ecd2da4506c2 |
| SHA512 | b59967431a5b5cb8d998f981840d44e5aec54c690b76e9b5b845cca2606836273e9c4887469d7f8b9e79bc0bfe03811cc95ec6cba704a6be279f43021f420374 |
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 6798986718c9d923ae747ff1bed1a16f |
| SHA1 | dbf6ebb0b412286ec6007409f15d20c90038528b |
| SHA256 | aa820cb29814aa7a79e6016c8d5a3b1a0bcf13fdea5b9625c7939095f37848d9 |
| SHA512 | 07f0b0de77bc63492033e7fa5891286fe52597913d353b48fc97d6ed99116a729a2154ce0e32a11679c212b058daa0c8b299cff9a7c7506ee9d47fbf4eabedf7 |
memory/3856-46-0x00007FF86A690000-0x00007FF86B151000-memory.dmp
memory/3856-47-0x000000001B9F0000-0x000000001BA00000-memory.dmp
memory/3856-51-0x00007FF86A690000-0x00007FF86B151000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OitPqrQhFpMK.bat
| MD5 | 0b1a4d8b04d511216c5ea2e9c72a0e7d |
| SHA1 | 741fa51a0e066a053d3e540a5f3a230cf77e6c3f |
| SHA256 | 803654c3a4fa3de2207737ecf610d0153d7f069f8f37de0d046bdc537a85a33e |
| SHA512 | 11462002d9881b0de5262a409333bcdb9c8e7c27b9faa9867a9f9f4591344846e470caeadb450ee68899ad70ed012d00ade15bc9503ffd152f2da4934f5b7262 |
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 6798986718c9d923ae747ff1bed1a16f |
| SHA1 | dbf6ebb0b412286ec6007409f15d20c90038528b |
| SHA256 | aa820cb29814aa7a79e6016c8d5a3b1a0bcf13fdea5b9625c7939095f37848d9 |
| SHA512 | 07f0b0de77bc63492033e7fa5891286fe52597913d353b48fc97d6ed99116a729a2154ce0e32a11679c212b058daa0c8b299cff9a7c7506ee9d47fbf4eabedf7 |
memory/1072-55-0x00000000018F0000-0x0000000001900000-memory.dmp
memory/1072-54-0x00007FF86A690000-0x00007FF86B151000-memory.dmp
memory/1072-59-0x00007FF86A690000-0x00007FF86B151000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RrBrvqLsSyD1.bat
| MD5 | dcab9d1b117db7ea162f0a5c4f7e8dcf |
| SHA1 | e19504546b6696e74933c70f1df8f4fc2a370ec9 |
| SHA256 | 49b0707b145c6ea652026092613e59e5dacf7e333414c2ab81bb97833e41fc37 |
| SHA512 | 937fc316dd7ba08c28bfbf2dbe70b5fa133cc3a98a0ca1ec0591a8ad35e552c9156c96d5051909a3d3ef93d0fc0bf3954a328023f62d9e22a9f1854c4d7d175f |
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 6798986718c9d923ae747ff1bed1a16f |
| SHA1 | dbf6ebb0b412286ec6007409f15d20c90038528b |
| SHA256 | aa820cb29814aa7a79e6016c8d5a3b1a0bcf13fdea5b9625c7939095f37848d9 |
| SHA512 | 07f0b0de77bc63492033e7fa5891286fe52597913d353b48fc97d6ed99116a729a2154ce0e32a11679c212b058daa0c8b299cff9a7c7506ee9d47fbf4eabedf7 |
memory/1580-62-0x00007FF86A850000-0x00007FF86B311000-memory.dmp
memory/1580-63-0x000000001B820000-0x000000001B830000-memory.dmp
memory/1580-67-0x00007FF86A850000-0x00007FF86B311000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3f0T6kqnoMvV.bat
| MD5 | 4a3d96d1f424657969e3f606b8f3c7ab |
| SHA1 | 2b7f6bc7b313025fa7568e3903f5329edd74e4f9 |
| SHA256 | 9ce5f5c5c9d724cdd06f05342705bbc4ba4ffca832d4ac6702c52074e42479f6 |
| SHA512 | cc5bf92eed12fef5d89074210f71ae75e25c85f0780d346d4fe09fd50324bce510d62deb9a31c88b4d057914048d81be833e5bc050dabada9b570c6966f9cb08 |
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 6798986718c9d923ae747ff1bed1a16f |
| SHA1 | dbf6ebb0b412286ec6007409f15d20c90038528b |
| SHA256 | aa820cb29814aa7a79e6016c8d5a3b1a0bcf13fdea5b9625c7939095f37848d9 |
| SHA512 | 07f0b0de77bc63492033e7fa5891286fe52597913d353b48fc97d6ed99116a729a2154ce0e32a11679c212b058daa0c8b299cff9a7c7506ee9d47fbf4eabedf7 |
memory/3908-70-0x00007FF86A850000-0x00007FF86B311000-memory.dmp
memory/3908-71-0x0000000003160000-0x0000000003170000-memory.dmp