Analysis Overview
SHA256
caeadc9fe15c86a04c0cbc13445cf555b14ad95b5d3a4104d62e72fdd371cdb7
Threat Level: Known bad
The file c803b24286b85e84999728e62074f29a was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Looks up external IP address via web service
Drops file in System32 directory
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-14 07:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-14 07:11
Reported
2024-03-14 07:13
Platform
win7-20231129-en
Max time kernel
148s
Max time network
119s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\SubDir\Client.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe
"C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe"
C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\cmd.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SubDir\Client.exe
"C:\Windows\SysWOW64\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2BTW532LGeSG.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 1448
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | noelsfreexd.ddns.net | udp |
Files
memory/2240-0-0x0000000001250000-0x00000000012D0000-memory.dmp
memory/2240-1-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp
memory/2240-2-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2240-3-0x000000001B4E0000-0x000000001B560000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cmd.exe
| MD5 | efb08c8abd228dc2c608b4b2ae81f8e5 |
| SHA1 | 4c132ee66fb7ab5e26989f07d72fbc81d4480f41 |
| SHA256 | bda07aecc578ff4d3f853070643e8cda8f90c3ecbd73132bc75ee17f70b84863 |
| SHA512 | b3f8fa4979321dc1cf0032f36cb37c17a63e396fa2f70bd076eff8d32974c9e1b7a0f3ecc6b8b788c56d3cca131dfd3f5e6b938ceadab0cfa1a3d97e941fd962 |
memory/3068-10-0x0000000000BC0000-0x0000000000C1E000-memory.dmp
memory/3068-11-0x0000000074150000-0x000000007483E000-memory.dmp
memory/3068-12-0x0000000004A10000-0x0000000004A50000-memory.dmp
memory/2828-20-0x0000000074150000-0x000000007483E000-memory.dmp
memory/3068-19-0x0000000074150000-0x000000007483E000-memory.dmp
memory/2828-21-0x0000000000100000-0x000000000015E000-memory.dmp
memory/2828-22-0x0000000004B90000-0x0000000004BD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2BTW532LGeSG.bat
| MD5 | 80377756ee1e0edbfe89bfd4042f8720 |
| SHA1 | cb9272a2c7ba44f736ffa836a3e5315acc1c7dbc |
| SHA256 | 17b3800dc79eaac3cdf1616e06b71693d346e8171e256d1a82b5b0cdb7df6571 |
| SHA512 | 17b1f6516119b02c8483238a9a2553d3e9042fbd0da3a9f40703ef1fe9dcd78f1f86b9c3b269e5fe57fecaca0272e6405088c56d4af5728a752b02739c99efbe |
memory/2756-33-0x0000000000CE0000-0x0000000000D3E000-memory.dmp
memory/2756-34-0x0000000074150000-0x000000007483E000-memory.dmp
memory/2756-35-0x0000000004B70000-0x0000000004BB0000-memory.dmp
memory/2756-41-0x0000000074150000-0x000000007483E000-memory.dmp
memory/2240-42-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp
memory/2240-43-0x000000001B4E0000-0x000000001B560000-memory.dmp
memory/2240-44-0x000000001B4E0000-0x000000001B560000-memory.dmp
memory/2828-45-0x0000000074150000-0x000000007483E000-memory.dmp
memory/2828-46-0x0000000004B90000-0x0000000004BD0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-14 07:11
Reported
2024-03-14 07:13
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe
"C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe"
C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\cmd.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SubDir\Client.exe
"C:\Windows\SysWOW64\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BO3QOwEY1Tdr.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4312 -ip 4312
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 2236
C:\Windows\SysWOW64\SubDir\Client.exe
"C:\Windows\SysWOW64\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v1j2WY0OPXMd.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1732 -ip 1732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1672
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\SubDir\Client.exe
"C:\Windows\SysWOW64\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5mo6YuOtZOn7.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2016 -ip 2016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\SubDir\Client.exe
"C:\Windows\SysWOW64\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7XmnF6OvqVlt.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1680 -ip 1680
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 2208
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\SubDir\Client.exe
"C:\Windows\SysWOW64\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9v0GYHlXtlJP.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4272 -ip 4272
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 2212
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\SubDir\Client.exe
"C:\Windows\SysWOW64\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y4eQEqKlVbcz.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4816 -ip 4816
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 2192
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\SubDir\Client.exe
"C:\Windows\SysWOW64\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lh8l9DHvPT3e.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5044 -ip 5044
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\SubDir\Client.exe
"C:\Windows\SysWOW64\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A8mmp3VpWbtp.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1892 -ip 1892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 2212
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\SubDir\Client.exe
"C:\Windows\SysWOW64\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUOe5HAnpuHc.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 520 -ip 520
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 2196
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\SubDir\Client.exe
"C:\Windows\SysWOW64\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\orzVLWpm8EfO.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3588 -ip 3588
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 2220
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\SubDir\Client.exe
"C:\Windows\SysWOW64\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w7ukbfbCb6Dy.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5044 -ip 5044
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 2188
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\SubDir\Client.exe
"C:\Windows\SysWOW64\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9uoYQl81HlLN.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1680 -ip 1680
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\SubDir\Client.exe
"C:\Windows\SysWOW64\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGPPfznza4jA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2288 -ip 2288
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1676
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\SubDir\Client.exe
"C:\Windows\SysWOW64\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6JNxMTTgMTDX.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5020 -ip 5020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | noelsfreexd.ddns.net | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | noelsfreexd.ddns.net | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | noelsfreexd.ddns.net | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | noelsfreexd.ddns.net | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | noelsfreexd.ddns.net | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | noelsfreexd.ddns.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | noelsfreexd.ddns.net | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | noelsfreexd.ddns.net | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | noelsfreexd.ddns.net | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | noelsfreexd.ddns.net | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | noelsfreexd.ddns.net | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | noelsfreexd.ddns.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | noelsfreexd.ddns.net | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | noelsfreexd.ddns.net | udp |
Files
memory/3284-0-0x0000000000380000-0x0000000000400000-memory.dmp
memory/3284-1-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp
memory/3284-2-0x000000001B100000-0x000000001B110000-memory.dmp
memory/3284-3-0x0000000002550000-0x0000000002551000-memory.dmp
memory/3284-4-0x000000001B100000-0x000000001B110000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cmd.exe
| MD5 | efb08c8abd228dc2c608b4b2ae81f8e5 |
| SHA1 | 4c132ee66fb7ab5e26989f07d72fbc81d4480f41 |
| SHA256 | bda07aecc578ff4d3f853070643e8cda8f90c3ecbd73132bc75ee17f70b84863 |
| SHA512 | b3f8fa4979321dc1cf0032f36cb37c17a63e396fa2f70bd076eff8d32974c9e1b7a0f3ecc6b8b788c56d3cca131dfd3f5e6b938ceadab0cfa1a3d97e941fd962 |
memory/440-16-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/440-17-0x00000000008D0000-0x000000000092E000-memory.dmp
memory/440-18-0x00000000059B0000-0x0000000005F54000-memory.dmp
memory/440-19-0x0000000005400000-0x0000000005492000-memory.dmp
memory/440-20-0x00000000052E0000-0x00000000052F0000-memory.dmp
memory/440-21-0x0000000005360000-0x00000000053C6000-memory.dmp
memory/440-22-0x00000000053D0000-0x00000000053E2000-memory.dmp
memory/440-23-0x0000000006680000-0x00000000066BC000-memory.dmp
memory/4312-29-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/440-30-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/4312-31-0x00000000059B0000-0x00000000059C0000-memory.dmp
memory/4312-33-0x0000000006F70000-0x0000000006F7A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BO3QOwEY1Tdr.bat
| MD5 | c17f67983a58217a6177badd13c1ee68 |
| SHA1 | a66c934854ccbf24ba9d3b7402da0497ed68ba2c |
| SHA256 | 74ea1ba054330fb0f313c15b8c417d654ea67039ca82bb0d184cd4e1aa0bf83d |
| SHA512 | 3d64541f21bfccea4888fa56837111baee2520a4e5f1278fb12f0d24e5c308e54cfe62d399e54c8f97a066bb877fae6c3be187d4d3e4944e680bd0eadde69b78 |
memory/4312-38-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/3284-39-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp
memory/3284-41-0x000000001B100000-0x000000001B110000-memory.dmp
memory/1732-43-0x0000000002DB0000-0x0000000002DC0000-memory.dmp
memory/3284-44-0x000000001B100000-0x000000001B110000-memory.dmp
memory/1732-42-0x0000000074DA0000-0x0000000075550000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\03-14-2024
| MD5 | b388e89afc1667334324015d29c3e4c1 |
| SHA1 | 9661e8321cdb7871c60fb46cf256d78fcea45519 |
| SHA256 | 6a8d90f8c026239b3747b8da0d54e0c9579a0602239faa67f2231c88e9a66efd |
| SHA512 | bd5ee2fa993a93b440323fc313a4d9e5f4dc109005da66694e54ff441eadfb20c35448894e7027cb9b6ac99b67dc619792dad3aae2571568fc32949f61c90534 |
C:\Users\Admin\AppData\Local\Temp\v1j2WY0OPXMd.bat
| MD5 | 6f7f96a99761e65c422b19a82c395295 |
| SHA1 | 9dd2a7fc8d2ad92294fdd40eda1ddd2630c179b1 |
| SHA256 | 01f96b5b0af34a2fc11edd3954d77af94cd4bb707b6350771a3fef0356aee0c5 |
| SHA512 | 3b04ed35ba45a41a8001711a13459fa87a2dae23ef8fd61a89ba9db7f35c935e7f3cdce62b6e2c5418bb868eed42f3ad2041053d2f0a1811643f2e5a43097fcf |
memory/1732-51-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/2016-53-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/2016-54-0x0000000004B90000-0x0000000004BA0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\03-14-2024
| MD5 | 90280c4ba2ea450c19659c527add56a1 |
| SHA1 | 2dfb7fb3b8088403b25525def991db6621da1d4c |
| SHA256 | 425681ae2882a23b1b8b791e9e1b68dfafdb84eeabd61c97911b2ae9c2bcf056 |
| SHA512 | 1c6d8e739cec92b56da89a5e0e3f510e919a91cc85876f25428349f2f2c177cde33b2a7b787aeab4c8e93efcdfd977d160f7f378286d344c8a6ddbc7be32743c |
C:\Users\Admin\AppData\Local\Temp\5mo6YuOtZOn7.bat
| MD5 | eb0d519029f0a22900941ca65db7613f |
| SHA1 | 28fbb4c82c534e34b65985fd8582e2e3021b187f |
| SHA256 | a60c6b872927bd3080a8a2068080b788db48dd4df820017c6880f51dac2a55d7 |
| SHA512 | e6a3e838aaeec507b77eaaf654992ab7cd038d7afabf8b2aa5be294899339e16ba0187bba73ae9f7fb299906901d481c688f971064e5a39eb8e27dea52f9265d |
memory/2016-61-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/1680-63-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/1680-64-0x0000000004A00000-0x0000000004A10000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\03-14-2024
| MD5 | 6deb300b9dcfa517e20e71f0ba37ade4 |
| SHA1 | c45b6d45cc51c0363b53431b8127ab2282fcee56 |
| SHA256 | 0c16d0811bcf02dbf7f0a7fdc042cef1377251615e7c940febb61b8c86fe139b |
| SHA512 | e5bc8763c557c2f1a0f215891565800d0d65def4a768ce93cd74ba1a5d72fed0ae911fa13e2950a7b525445d1b7a1b9543abf4ed62a7bbc1a2d7166b47f28023 |
C:\Users\Admin\AppData\Local\Temp\7XmnF6OvqVlt.bat
| MD5 | 394c35100161e2842e2dce3e1bbc723e |
| SHA1 | ef635449201674e9929540e176c079383ddca0ee |
| SHA256 | b304ff33d556bb3df250f27f5a67cb44e338da884551d7533d360d9a6c9bd318 |
| SHA512 | 0911910c7cedca0d8c5b8f3f5ba179c3124ab130db4b683b5d682f69202341cfdaa4158d419429116806471b1234c4518639ed5c30ad500085e314cf99829383 |
memory/1680-71-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/4272-73-0x0000000074DA0000-0x0000000075550000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\03-14-2024
| MD5 | 00e2485cb482b3eba2c283ffc1e654d6 |
| SHA1 | f354529b8a3abc61a336bdd6d0f7d429213c5a14 |
| SHA256 | dd0555e90654f9bf3941206d0c215ac2bc9001d353624e38180fd60bdf11af2b |
| SHA512 | 799fd3867cfc4815c2b0a5848a2965d1811bfc11fb20172dcd88664a7329ac51f86930fb495ec40eeaeb85dd73f39b4433e7dc91a99ac169e360ce78b591b3d7 |
C:\Users\Admin\AppData\Local\Temp\9v0GYHlXtlJP.bat
| MD5 | 9dd03fdc4e4dc4b79050b7e943389e66 |
| SHA1 | a5a456f70afd0b26595d52edaee592f3071c1659 |
| SHA256 | 84c2e1cd73bb59aafa990ae235ee70b58af94759d3d5425d24f75e1e0b5af148 |
| SHA512 | 57016d2d6c13e5fdc4582100a307b49bfb5b5255deae3ce17948aed25ef9d386f2854bdf963b532a1b13cc4dacefe098093c455fabcdcba310e012c3a89b8050 |
memory/4272-80-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/4816-82-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/4816-83-0x0000000004B90000-0x0000000004BA0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\03-14-2024
| MD5 | 41a37f1913cd8ddd159860114bb45fd9 |
| SHA1 | b329f9e3be44306fdeb02aad92d0c900cc112107 |
| SHA256 | 6801bdef73e502cb20ba99c962bbb99c8a5a20c5cbdb50f3bf3f9b4f0ceebaff |
| SHA512 | 9384ccc4eb40f2e1dc406dda56d358528b7343f7377c0009ddd2725d46a967ebc69f0ae16fb5fa6658ba5c1f87f2748024bb7e26975f6cc0dbf87f830dee9401 |
C:\Users\Admin\AppData\Local\Temp\y4eQEqKlVbcz.bat
| MD5 | 7a5e779fc8dab8b142f1cf3b72bb671c |
| SHA1 | d395da5f0d3c631ec2b99b7ff3df453cbc8c5c37 |
| SHA256 | 8cbc6bd60ef24c5e4d0d8683451ebbc8fb77761eed51e9d4ef7a873cd1be9f47 |
| SHA512 | 15a6ba05c50df19729e735d45311580e0ea56fed524ea7e056fdcffbe10f4a184ca26cb920337bfe2e75f605c724c8a9d38598b4d2d19ed35f4d2cbc6db0f0c7 |
memory/4816-90-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/5044-92-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/5044-93-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\03-14-2024
| MD5 | 736a18916f58f0089dc81bb42283967b |
| SHA1 | 84a440887d3f9636292598174b3f1e6d93c630fd |
| SHA256 | e6aef4e76fb0562fbd0289f925311a6860f633d40478b12b12d3b6ef608dd3bc |
| SHA512 | 3697be7b21c30be5fb32ad3201d07a2e3aa99f7258a5d6f97c0467a22c45500338b59b3da374b45839333710db4cc3fb7a4b4570fbbfa7821be61f283e2dda1f |
C:\Users\Admin\AppData\Local\Temp\lh8l9DHvPT3e.bat
| MD5 | 376c01a4aa847027fae767fb04cfcd99 |
| SHA1 | 07c06f9ad00e74e8740a49e9b442fc8ed8adfa61 |
| SHA256 | 4b48ab5d0f76af4acefcfa7b8d82925577a48a02144c05f5ccf091beaf8f5391 |
| SHA512 | c53505489d22743598947a8e04fdfd81111abcbcd56f84dab6e72407f629b219c8465ed0ff59484b714789a5455349d93727b927e3308aa3f16b1838f9a3c84d |
memory/5044-100-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/1892-102-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/1892-103-0x0000000005810000-0x0000000005820000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\03-14-2024
| MD5 | 21c3825698b2a0e93733db03549a8cc7 |
| SHA1 | e0aee1f7c9ea5e0a0dc4b6f606eafbc1b518496f |
| SHA256 | 6942c6331d135c9d905b7e779a468d42a078a92c0370539ee82f7381cfd1f49e |
| SHA512 | cff02f25f08e9c10acb88c4685265d419ec5d1c90799757044a3b7b0600ee97b2cd9097346c539da1a52f07f9869702d8437862157477f87b6610d50b6c20406 |
C:\Users\Admin\AppData\Local\Temp\A8mmp3VpWbtp.bat
| MD5 | 09f3ad358be15aecc10cb6ad4926aec3 |
| SHA1 | f67a7929c38db423960fcc490a21d7f9d737d62f |
| SHA256 | b692c317639395de38b7f1acb3fc7e77a3d39639aba9ccdf9d418f9bacb4b57d |
| SHA512 | d67d711c817d34a2649e8c3b303be8fa6d510945a0e7cea67ba5037c8bf00851f8b39903f9b389d3e5c4ebae2723f98a54ca4ccc940238383ca73d76d7ff2016 |
memory/1892-110-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/520-112-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/520-113-0x0000000004AF0000-0x0000000004B00000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\03-14-2024
| MD5 | ef9c0863a4e3b87629c41501c7539f16 |
| SHA1 | 252e52d930252bc34afc9ad1cb565af7e0d43fa5 |
| SHA256 | e70f82840c2a022ae330a4a6234b5431b156d6a74f4b004ddb759c8942f55bfb |
| SHA512 | a6be537642c4c70b4996ca8b057588f8025bbdcbd0779fcad6a83c69f67dcd0d0fc8475801663836e051d15c83d4c676e62ae6b4017aa36818fe2f14e2f0d608 |
C:\Users\Admin\AppData\Local\Temp\UUOe5HAnpuHc.bat
| MD5 | 4ea282cf2ec41e7cb451823dd803e1da |
| SHA1 | e662b2f310eda1008b9838750567899c74d809d1 |
| SHA256 | 77f2b8fb5f7bcfd704fc791627f456b8e59084ecec8bf1300f81892f0dc33812 |
| SHA512 | 1353ada62522f55573b8b4ff4c01113fe80174dc48c98f094e9cc92bff972b20d8cf9ccf754604a8b82010167788fd30c702a33c27a9f468e0a5d223f836efea |
memory/520-120-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/3588-122-0x0000000074DA0000-0x0000000075550000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\03-14-2024
| MD5 | c42c8e4fe8d8cdd903d45a48f2163405 |
| SHA1 | b37fb126cf2ef1da426ec7424ed536ada653b234 |
| SHA256 | 5b9fe0e9b6a3518351455289c7811d586b3ad6a683e860f4b5bf0696bdc26a6c |
| SHA512 | 6003ee64e4b932921ac543f14b90a4445cd90831d6a8a4d739ca58b50b9a18b713ad10fa0e05ad4d7c129bef2f010052102faa9527e82eb8e7070a2f831e133e |
C:\Users\Admin\AppData\Local\Temp\orzVLWpm8EfO.bat
| MD5 | 0b43e08466e44c6e184106d6f4e990bf |
| SHA1 | d46cb5ec27e6a1f6e10e67622ff4fded246447bb |
| SHA256 | 09c08fd318dda4b45aefb2348b39761c044754e06aabc1021b2ed7729aec09ca |
| SHA512 | 6e8b669946f36885dfd8a995713072a3e684f888a8d6862337f58b8c6b0d86f8cb52c029eed3e392679bc9e19c5f9b0125b4047620e2a27454ac7fa464bb2af6 |
memory/3588-129-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/5044-131-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/5044-132-0x0000000004C80000-0x0000000004C90000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\03-14-2024
| MD5 | 31d60b1910db435a7fbcb1e3ef6cb453 |
| SHA1 | c2676b62cad327843b59eecf921fc30478a4483a |
| SHA256 | b78ef2e51afc760a93b9bb294e4d64d07be59a8958ef6df67801849c42bb9c2e |
| SHA512 | 37d67aaa248b180159a34eede0b3b8c130a35368e412ec29262e81b0d0e3dd95c00885fcb3a5c1f7a177ccf7f9150e62ada37bbf8aba15dc1bc235324c8b5c9c |
C:\Users\Admin\AppData\Local\Temp\w7ukbfbCb6Dy.bat
| MD5 | 5904b2de5264de4a2a59ee5909056c6f |
| SHA1 | 3451f8c6f10b4e7b2c65d7bab4b41d2e54762707 |
| SHA256 | 43f4b02c693b4935730e4fba5f19f3a413d37ff8e13420e548f4ad2b47b30682 |
| SHA512 | 40bd1210a391d376a94a8bbf3418f01001bd086a091c5f0789ec45e146c0d79bacc766ae35d785fa29700a948e87fd30d8ef36725742042af8f6fc05f760766c |
memory/5044-139-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/1680-141-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/1680-142-0x00000000057E0000-0x00000000057F0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\03-14-2024
| MD5 | cc143f22f58b4c0068d7a7e1122a4651 |
| SHA1 | defbeb52998172cccca5628841328e7c3387bf39 |
| SHA256 | 6c70ae7acf6349b092a595cd5beefea6750fc0f604adfbcf7c7f5e9902e59016 |
| SHA512 | 41af78cbcd4379068197f6317daa811c539184db62181b053374315beac589f7b555d33efd7d436623364d232f05117a9dc28adbd628305b92d23ed81eaf2488 |
C:\Users\Admin\AppData\Local\Temp\9uoYQl81HlLN.bat
| MD5 | d956c978524576935fec9db6a9883a3d |
| SHA1 | 33844f97375bf34cd335666372a561e95c4682b0 |
| SHA256 | 7286bdf3a2d143dd63b9f3448b78227b67843006a2c8ee36e3022468bd6b6787 |
| SHA512 | fbb1d93af15db708ad3843d74ffc18bf84e42f5a4672da2582f986ac53d942ed5908b999aaa783c55f42771474e281e9f649b7ad035cbb35501ba77100f03b96 |
memory/1680-149-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/2288-151-0x0000000074DA0000-0x0000000075550000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\03-14-2024
| MD5 | c1d2dea6e5ab0986c734a321ceafe94e |
| SHA1 | 29c38b6d36bde1cb358e89d7076c0097500e2801 |
| SHA256 | 804b704e2880d045f5eb34a07b475662320f0a52883283f99cc67fde9776bbce |
| SHA512 | e9d3b5203d7de43ab6221f3b470d137b6f0f7a1903e6f82cde1d5c7432c780c0aa7c05b12a218e0f5093c6addd251d4f818fa8dff772300a9f1960922a85117d |
C:\Users\Admin\AppData\Local\Temp\TGPPfznza4jA.bat
| MD5 | a1297a264f771ded058a0af3baef53c1 |
| SHA1 | c8aa7f400301a07a478631e7544ba53817bbaba2 |
| SHA256 | 27021a490ae6afa1faa45de11e566bc123523ae60e203fb4f3f697d47055db6c |
| SHA512 | dc919d3c2759e61127f32333c38914b492fc40cb962378bf700502bca43a73641193e793664d0b1d1a0ae2c6452e4a538f6faf47ccd3fb069c492d684a6be850 |
memory/2288-158-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/5020-160-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/5020-161-0x0000000005280000-0x0000000005290000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\03-14-2024
| MD5 | 85bfc09fceaed5278b98b1fc14929439 |
| SHA1 | 2ffac194c23aa990fe5e66ad1ec0ec158de97419 |
| SHA256 | 475c59071d022def3a5e560ec87e266a7c9797c4afbcb7bfe27dc4404691ac18 |
| SHA512 | bf3ea5bf7ab2ad28702eceec5069e0f3a5056f226ff2bcf1c4c8481bb585501e55569916f4719f2cc279fec7af89502ef7d30815f54aa0e121575b42894c7288 |
C:\Users\Admin\AppData\Local\Temp\6JNxMTTgMTDX.bat
| MD5 | b86021ea0005f07f748b5e7dad77c301 |
| SHA1 | ac801e2f2203e68d2b1d3c124e1098f808a52e7d |
| SHA256 | e7560e172c975af95740964241e4dee885a20630eda9369936b50298d64c0412 |
| SHA512 | b4f85bbcf640108ad9b91dfa0eb032c66c48e6ea408977f2b3f25aa565dbe70ed107ca3ebfe6d5bbad44fa396facf68f53bc25f81c1235933f0ab2453601d704 |
memory/5020-168-0x0000000074DA0000-0x0000000075550000-memory.dmp
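Two shapes repeat through this listing: a 12-character random name with a `.bat` extension under `%LOCALAPPDATA%\Temp`, and a date-named file under `%APPDATA%\Roaming\Logs` that is recorded several times with different digests, i.e. the same path was rewritten during the run. The date-named log location is consistent with Quasar's keylogger output and the short-lived batch files with the `Runs ping.exe` signature in the summary are consistent with its restart/uninstall batch, but that is my reading of the artifacts, not something the report states. The following script is an added example, not part of the sandbox report: it parses an excerpt of the listing above (paths and digests copied from the report, trimmed for length) into records, tags the recurring path shapes with heuristics of my own, groups the rewritten log by path, and indexes every digest so a file found on another host can be checked by whichever hash is at hand.

```python
"""Turn a sandbox dropped-files listing into lookup-able IOC records."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Excerpt copied from the report above; paths and digests are the report's
# own, the selection is trimmed so the example stays short.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\7XmnF6OvqVlt.bat
| MD5 | 394c35100161e2842e2dce3e1bbc723e |
| SHA1 | ef635449201674e9929540e176c079383ddca0ee |
| SHA256 | b304ff33d556bb3df250f27f5a67cb44e338da884551d7533d360d9a6c9bd318 |
memory/1680-71-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/4272-73-0x0000000074DA0000-0x0000000075550000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\03-14-2024
| MD5 | 00e2485cb482b3eba2c283ffc1e654d6 |
| SHA256 | dd0555e90654f9bf3941206d0c215ac2bc9001d353624e38180fd60bdf11af2b |
C:\Users\Admin\AppData\Local\Temp\9v0GYHlXtlJP.bat
| MD5 | 9dd03fdc4e4dc4b79050b7e943389e66 |
| SHA256 | 84c2e1cd73bb59aafa990ae235ee70b58af94759d3d5425d24f75e1e0b5af148 |
C:\Users\Admin\AppData\Roaming\Logs\03-14-2024
| MD5 | 41a37f1913cd8ddd159860114bb45fd9 |
| SHA256 | 6801bdef73e502cb20ba99c962bbb99c8a5a20c5cbdb50f3bf3f9b4f0ceebaff |
"""

# Heuristic path shapes (mine, not from the report): a 12-character random
# .bat in %TEMP% and a MM-DD-YYYY file under %APPDATA%\Logs.
TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\[A-Za-z0-9]{12}\.bat$", re.I)
ROAMING_LOG = re.compile(r"\\AppData\\Roaming\\Logs\\\d{2}-\d{2}-\d{4}$", re.I)
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$", re.I)


@dataclass
class Dropped:
    path: str
    hashes: dict = field(default_factory=dict)  # "SHA256" -> lowercase hex
    tags: list = field(default_factory=list)


def classify(path):
    """Tag the recurring path shapes; an untagged path is simply unknown."""
    tags = []
    if TEMP_BAT.search(path):
        tags.append("temp-random-bat")
    if ROAMING_LOG.search(path):
        tags.append("roaming-dated-log")
    return tags


def parse_dropped(text):
    """A path line opens a record, following hash rows attach to it,
    memory/... dump names are ignored."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row before any path: {line}")
            current.hashes[m.group(1).upper()] = m.group(2).lower()
            continue
        current = Dropped(path=line, tags=classify(line))
        records.append(current)
    return records


def versions_by_path(records):
    """Same path dropped more than once means the file was rewritten."""
    by_path = defaultdict(list)
    for r in records:
        by_path[r.path].append(r.hashes)
    return dict(by_path)


def build_index(records):
    """(ALGO, digest) -> records, so any single hash can be looked up."""
    index = defaultdict(list)
    for r in records:
        for algo, hx in r.hashes.items():
            index[(algo, hx)].append(r)
    return index


def digests(data):
    """MD5/SHA1/SHA256 of a byte string, matching the report's columns."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


def lookup(index, data):
    """Return every record whose digest matches the given file content."""
    hits, seen = [], set()
    for algo, hx in digests(data).items():
        for r in index.get((algo, hx), []):
            if id(r) not in seen:
                seen.add(id(r))
                hits.append(r)
    return hits


if __name__ == "__main__":
    recs = parse_dropped(REPORT_EXCERPT)
    for r in recs:
        print(r.tags, r.path, r.hashes.get("SHA256"))
    for path, versions in versions_by_path(recs).items():
        if len(versions) > 1:
            print(f"{path}: rewritten {len(versions)} times")
```

Feed it the full listing rather than the excerpt and the index covers every dropped artifact in the run. Because each `.bat` carries a different digest, the hash set is only good for this exact sample; the path shape (`Temp\<12 alphanumerics>.bat`, `Roaming\Logs\<MM-DD-YYYY>`) is what transfers to another host, which is why the records carry tags as well as digests.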