Malware Analysis Report

2025-06-16 05:31

Sample ID: 240314-hz14asfg28
Target: c803b24286b85e84999728e62074f29a
SHA256: caeadc9fe15c86a04c0cbc13445cf555b14ad95b5d3a4104d62e72fdd371cdb7
Tags: quasar rat2000 spyware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: caeadc9fe15c86a04c0cbc13445cf555b14ad95b5d3a4104d62e72fdd371cdb7

Threat Level: Known bad

The file c803b24286b85e84999728e62074f29a was found to be: Known bad.

Malicious Activity Summary

quasar rat2000 spyware trojan

Quasar RAT

Quasar payload

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Drops file in System32 directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-14 07:11

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-14 07:11
Reported: 2024-03-14 07:13
Platform: win7-20231129-en
Max time kernel: 148s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target   [×N = N identical rows]
N/A | N/A | N/A | N/A (×4)

Executes dropped EXE

Description | Indicator | Process | Target   [×N = N identical rows]
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A (×2)
N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\SubDir\Client.exe

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target   [×N = N identical rows]
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A (×2)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target   [×N = N identical rows]
PID 2240 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe | C:\Users\Admin\AppData\Local\Temp\cmd.exe (×4)
PID 3068 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | C:\Windows\SysWOW64\schtasks.exe (×4)
PID 3068 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | C:\Windows\SysWOW64\SubDir\Client.exe (×4)
PID 2828 wrote to memory of 2520 | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Windows\SysWOW64\schtasks.exe (×4)
PID 2828 wrote to memory of 2756 | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\cmd.exe (×4)
PID 2828 wrote to memory of 2924 | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Windows\SysWOW64\WerFault.exe (×4)

Processes

C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe

"C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe"

C:\Users\Admin\AppData\Local\Temp\cmd.exe

"C:\Users\Admin\AppData\Local\Temp\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\cmd.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\2BTW532LGeSG.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 1448

Network

Country | Destination | Domain | Proto   [×N = N identical rows]
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp (×2)
US | 8.8.8.8:53 | noelsfreexd.ddns.net | udp

Files

C:\Users\Admin\AppData\Local\Temp\cmd.exe

MD5 efb08c8abd228dc2c608b4b2ae81f8e5
SHA1 4c132ee66fb7ab5e26989f07d72fbc81d4480f41
SHA256 bda07aecc578ff4d3f853070643e8cda8f90c3ecbd73132bc75ee17f70b84863
SHA512 b3f8fa4979321dc1cf0032f36cb37c17a63e396fa2f70bd076eff8d32974c9e1b7a0f3ecc6b8b788c56d3cca131dfd3f5e6b938ceadab0cfa1a3d97e941fd962

C:\Users\Admin\AppData\Local\Temp\2BTW532LGeSG.bat

MD5 80377756ee1e0edbfe89bfd4042f8720
SHA1 cb9272a2c7ba44f736ffa836a3e5315acc1c7dbc
SHA256 17b3800dc79eaac3cdf1616e06b71693d346e8171e256d1a82b5b0cdb7df6571
SHA512 17b1f6516119b02c8483238a9a2553d3e9042fbd0da3a9f40703ef1fe9dcd78f1f86b9c3b269e5fe57fecaca0272e6405088c56d4af5728a752b02739c99efbe

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-14 07:11
Reported: 2024-03-14 07:13
Platform: win10v2004-20240226-en
Max time kernel: 148s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe"

Signatures

Quasar RAT

trojan spyware quasar

Description | Indicator | Process | Target   [×N = N identical rows]
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe | N/A
N/A | ip-api.com | N/A | N/A (×3)

Quasar payload

Description | Indicator | Process | Target   [×N = N identical rows]
N/A | N/A | N/A | N/A (×2)

Checks computer location settings

Description | Indicator | Process | Target   [×N = N identical rows]
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\SubDir\Client.exe | N/A (×14)
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target   [×N = N identical rows]
N/A | ip-api.com | N/A | N/A (×3)

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A
File created | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target   [×N = N identical rows]
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | N/A (×14)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target   [×N = N identical rows]
PID 3284 wrote to memory of 440 | N/A | C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe | C:\Users\Admin\AppData\Local\Temp\cmd.exe (×3)
PID 440 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | C:\Windows\SysWOW64\schtasks.exe (×3)
PID 440 wrote to memory of 4312 | N/A | C:\Users\Admin\AppData\Local\Temp\cmd.exe | C:\Windows\SysWOW64\SubDir\Client.exe (×3)
PID 4312 wrote to memory of 652 | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Windows\SysWOW64\schtasks.exe (×3)
PID 4312 wrote to memory of 1892 | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Windows\SysWOW64\cmd.exe (×3)
PID 1892 wrote to memory of 1684 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com (×3)
PID 1892 wrote to memory of 3248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE (×3)
PID 1892 wrote to memory of 1732 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\SubDir\Client.exe (×3)
PID 1732 wrote to memory of 4736 | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Windows\SysWOW64\schtasks.exe (×3)
PID 1732 wrote to memory of 3528 | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Windows\SysWOW64\cmd.exe (×3)
PID 3528 wrote to memory of 5116 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com (×3)
PID 3528 wrote to memory of 3940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE (×3)
PID 3528 wrote to memory of 2016 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\SubDir\Client.exe (×3)
PID 2016 wrote to memory of 2344 | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Windows\SysWOW64\schtasks.exe (×3)
PID 2016 wrote to memory of 4856 | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Windows\SysWOW64\cmd.exe (×3)
PID 4856 wrote to memory of 520 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com (×3)
PID 4856 wrote to memory of 4064 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE (×3)
PID 4856 wrote to memory of 1680 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\SubDir\Client.exe (×3)
PID 1680 wrote to memory of 1184 | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Windows\SysWOW64\schtasks.exe (×3)
PID 1680 wrote to memory of 3368 | N/A | C:\Windows\SysWOW64\SubDir\Client.exe | C:\Windows\SysWOW64\cmd.exe (×3)
PID 3368 wrote to memory of 1908 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com (×3)
PID 3368 wrote to memory of 2964 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe

"C:\Users\Admin\AppData\Local\Temp\c803b24286b85e84999728e62074f29a.exe"

C:\Users\Admin\AppData\Local\Temp\cmd.exe

"C:\Users\Admin\AppData\Local\Temp\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\cmd.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BO3QOwEY1Tdr.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4312 -ip 4312

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 2236

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v1j2WY0OPXMd.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1732 -ip 1732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1672

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5mo6YuOtZOn7.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2016 -ip 2016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 2196

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7XmnF6OvqVlt.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1680 -ip 1680

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 2208

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9v0GYHlXtlJP.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4272 -ip 4272

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 2212

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y4eQEqKlVbcz.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4816 -ip 4816

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 2192

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lh8l9DHvPT3e.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5044 -ip 5044

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 2224

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A8mmp3VpWbtp.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1892 -ip 1892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 2212

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUOe5HAnpuHc.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 520 -ip 520

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 2196

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\orzVLWpm8EfO.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3588 -ip 3588

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 2220

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w7ukbfbCb6Dy.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5044 -ip 5044

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 2188

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9uoYQl81HlLN.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1680 -ip 1680

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 2224

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGPPfznza4jA.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2288 -ip 2288

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1676

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\SysWOW64\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6JNxMTTgMTDX.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 2196

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
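The rows above mix three very different things: reverse lookups (`*.in-addr.arpa`) that the sandbox resolver makes on its own, repeated DNS queries for the dynamic-DNS host `noelsfreexd.ddns.net` (a C2 candidate; note that this section records only the lookups, never a TCP connection to it), and repeated HTTP connections to `ip-api.com` for the "Looks up external IP address via web service" signature. The Files section that follows has the same problem in a different form: `C:\Users\Admin\AppData\Roaming\Logs\03-14-2024` appears many times with different hashes, which is not duplication but successive snapshots of one file being rewritten during the run (consistent with Quasar's keylogger, which writes to `%APPDATA%\Logs\<MM-dd-yyyy>`). The script below is an added example, not part of the report or of the sandbox's tooling; it parses both layouts as they are rendered on this page, drops the resolver noise, counts lookups and connections per host, and reports which dropped paths were written more than once. The sample rows and file entries are copied from the page; the dynamic-DNS suffix list and IP-check host list are my own assumptions.

```python
"""Extract and triage network and file IOCs from the plain-text rows of a
sandbox report like the one above. Added example; the row layout
(country, dst ip:port, host, proto) and the file-entry layout (path line,
then MD5/SHA1/SHA256/SHA512 lines) are assumed from how the page renders."""
import re
from collections import Counter, defaultdict

# Constructed sample: a handful of rows from the Network table above.
NETWORK_ROWS = """\
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 noelsfreexd.ddns.net udp
"""

# Constructed sample: entries from the Files section above, including a memory
# dump line (no hashes) and the keylog path that appears twice with different hashes.
FILE_ENTRIES = r"""
memory/440-16-0x0000000074DA0000-0x0000000075550000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 b388e89afc1667334324015d29c3e4c1
SHA1 9661e8321cdb7871c60fb46cf256d78fcea45519
SHA256 6a8d90f8c026239b3747b8da0d54e0c9579a0602239faa67f2231c88e9a66efd
SHA512 bd5ee2fa993a93b440323fc313a4d9e5f4dc109005da66694e54ff441eadfb20c35448894e7027cb9b6ac99b67dc619792dad3aae2571568fc32949f61c90534

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 90280c4ba2ea450c19659c527add56a1
SHA1 2dfb7fb3b8088403b25525def991db6621da1d4c
SHA256 425681ae2882a23b1b8b791e9e1b68dfafdb84eeabd61c97911b2ae9c2bcf056
SHA512 1c6d8e739cec92b56da89a5e0e3f510e919a91cc85876f25428349f2f2c177cde33b2a7b787aeab4c8e93efcdfd977d160f7f378286d344c8a6ddbc7be32743c

C:\Users\Admin\AppData\Local\Temp\5mo6YuOtZOn7.bat

MD5 eb0d519029f0a22900941ca65db7613f
SHA1 28fbb4c82c534e34b65985fd8582e2e3021b187f
SHA256 a60c6b872927bd3080a8a2068080b788db48dd4df820017c6880f51dac2a55d7
SHA512 e6a3e838aaeec507b77eaaf654992ab7cd038d7afabf8b2aa5be294899339e16ba0187bba73ae9f7fb299906901d481c688f971064e5a39eb8e27dea52f9265d
"""

ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<host>\S+)\s+(?P<proto>tcp|udp)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")

# Heuristics (my assumptions, not from the report): free dynamic-DNS suffixes
# often used for RAT C2, and web services that return the caller's public IP.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org", ".hopto.org")
IP_CHECK_HOSTS = {"ip-api.com", "api.ipify.org", "icanhazip.com"}


def parse_network(text):
    """One dict per well-formed row; anything else (headers, blanks) is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            rows.append(d)
    return rows


def summarize_network(rows):
    """Drop resolver noise, count DNS lookups per host and TCP connections per
    (host, ip, port), and tag hosts that match the heuristics above."""
    lookups, conns = Counter(), Counter()
    for r in rows:
        if r["host"].endswith(".in-addr.arpa"):
            continue  # reverse lookups made by the sandbox resolver, not by the sample
        if r["proto"] == "udp" and r["port"] == 53:
            lookups[r["host"]] += 1
        else:
            conns[(r["host"], r["ip"], r["port"])] += 1
    tags = {}
    for host in set(lookups) | {c[0] for c in conns}:
        if host.endswith(DYNDNS_SUFFIXES):
            tags[host] = "dynamic-dns (C2 candidate)"
        elif host in IP_CHECK_HOSTS:
            tags[host] = "external IP lookup"
    return {"lookups": dict(lookups), "connections": dict(conns), "tags": tags}


def parse_files(text):
    """Group every hash set under its path. Lines without a following hash block
    (memory dumps) are dropped; a path seen twice keeps both hash sets."""
    by_path = defaultdict(list)
    current, hashes = None, {}

    def flush():
        nonlocal hashes
        if current is not None and hashes:
            by_path[current].append(hashes)
        hashes = {}

    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            hashes[m.group(1)] = m.group(2)
        else:
            flush()
            current = line
    flush()
    return dict(by_path)


def rewritten_paths(files):
    """Paths that were written more than once, with the number of distinct SHA256s."""
    return {p: len({h["SHA256"] for h in hs}) for p, hs in files.items() if len(hs) > 1}


if __name__ == "__main__":
    net = summarize_network(parse_network(NETWORK_ROWS))
    for host, tag in net["tags"].items():
        print(f"{host}: {tag}, {net['lookups'].get(host, 0)} lookups")
    for path, n in rewritten_paths(parse_files(FILE_ENTRIES)).items():
        print(f"{path}: written {n} times")
```

Run against the full report text rather than the samples, the lookup counter is what separates the beaconing host from one-off noise; the `rewritten_paths` output is the quickest way to spot the keylog file, which is also the artefact worth pulling from the sandbox for the list of captured keystrokes.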

Files

memory/3284-0-0x0000000000380000-0x0000000000400000-memory.dmp

memory/3284-1-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp

memory/3284-2-0x000000001B100000-0x000000001B110000-memory.dmp

memory/3284-3-0x0000000002550000-0x0000000002551000-memory.dmp

memory/3284-4-0x000000001B100000-0x000000001B110000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cmd.exe

MD5 efb08c8abd228dc2c608b4b2ae81f8e5
SHA1 4c132ee66fb7ab5e26989f07d72fbc81d4480f41
SHA256 bda07aecc578ff4d3f853070643e8cda8f90c3ecbd73132bc75ee17f70b84863
SHA512 b3f8fa4979321dc1cf0032f36cb37c17a63e396fa2f70bd076eff8d32974c9e1b7a0f3ecc6b8b788c56d3cca131dfd3f5e6b938ceadab0cfa1a3d97e941fd962

memory/440-16-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/440-17-0x00000000008D0000-0x000000000092E000-memory.dmp

memory/440-18-0x00000000059B0000-0x0000000005F54000-memory.dmp

memory/440-19-0x0000000005400000-0x0000000005492000-memory.dmp

memory/440-20-0x00000000052E0000-0x00000000052F0000-memory.dmp

memory/440-21-0x0000000005360000-0x00000000053C6000-memory.dmp

memory/440-22-0x00000000053D0000-0x00000000053E2000-memory.dmp

memory/440-23-0x0000000006680000-0x00000000066BC000-memory.dmp

memory/4312-29-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/440-30-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/4312-31-0x00000000059B0000-0x00000000059C0000-memory.dmp

memory/4312-33-0x0000000006F70000-0x0000000006F7A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BO3QOwEY1Tdr.bat

MD5 c17f67983a58217a6177badd13c1ee68
SHA1 a66c934854ccbf24ba9d3b7402da0497ed68ba2c
SHA256 74ea1ba054330fb0f313c15b8c417d654ea67039ca82bb0d184cd4e1aa0bf83d
SHA512 3d64541f21bfccea4888fa56837111baee2520a4e5f1278fb12f0d24e5c308e54cfe62d399e54c8f97a066bb877fae6c3be187d4d3e4944e680bd0eadde69b78

memory/4312-38-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/3284-39-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp

memory/3284-41-0x000000001B100000-0x000000001B110000-memory.dmp

memory/1732-43-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

memory/3284-44-0x000000001B100000-0x000000001B110000-memory.dmp

memory/1732-42-0x0000000074DA0000-0x0000000075550000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 b388e89afc1667334324015d29c3e4c1
SHA1 9661e8321cdb7871c60fb46cf256d78fcea45519
SHA256 6a8d90f8c026239b3747b8da0d54e0c9579a0602239faa67f2231c88e9a66efd
SHA512 bd5ee2fa993a93b440323fc313a4d9e5f4dc109005da66694e54ff441eadfb20c35448894e7027cb9b6ac99b67dc619792dad3aae2571568fc32949f61c90534

C:\Users\Admin\AppData\Local\Temp\v1j2WY0OPXMd.bat

MD5 6f7f96a99761e65c422b19a82c395295
SHA1 9dd2a7fc8d2ad92294fdd40eda1ddd2630c179b1
SHA256 01f96b5b0af34a2fc11edd3954d77af94cd4bb707b6350771a3fef0356aee0c5
SHA512 3b04ed35ba45a41a8001711a13459fa87a2dae23ef8fd61a89ba9db7f35c935e7f3cdce62b6e2c5418bb868eed42f3ad2041053d2f0a1811643f2e5a43097fcf

memory/1732-51-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/2016-53-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/2016-54-0x0000000004B90000-0x0000000004BA0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 90280c4ba2ea450c19659c527add56a1
SHA1 2dfb7fb3b8088403b25525def991db6621da1d4c
SHA256 425681ae2882a23b1b8b791e9e1b68dfafdb84eeabd61c97911b2ae9c2bcf056
SHA512 1c6d8e739cec92b56da89a5e0e3f510e919a91cc85876f25428349f2f2c177cde33b2a7b787aeab4c8e93efcdfd977d160f7f378286d344c8a6ddbc7be32743c

C:\Users\Admin\AppData\Local\Temp\5mo6YuOtZOn7.bat

MD5 eb0d519029f0a22900941ca65db7613f
SHA1 28fbb4c82c534e34b65985fd8582e2e3021b187f
SHA256 a60c6b872927bd3080a8a2068080b788db48dd4df820017c6880f51dac2a55d7
SHA512 e6a3e838aaeec507b77eaaf654992ab7cd038d7afabf8b2aa5be294899339e16ba0187bba73ae9f7fb299906901d481c688f971064e5a39eb8e27dea52f9265d

memory/2016-61-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/1680-63-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/1680-64-0x0000000004A00000-0x0000000004A10000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 6deb300b9dcfa517e20e71f0ba37ade4
SHA1 c45b6d45cc51c0363b53431b8127ab2282fcee56
SHA256 0c16d0811bcf02dbf7f0a7fdc042cef1377251615e7c940febb61b8c86fe139b
SHA512 e5bc8763c557c2f1a0f215891565800d0d65def4a768ce93cd74ba1a5d72fed0ae911fa13e2950a7b525445d1b7a1b9543abf4ed62a7bbc1a2d7166b47f28023

C:\Users\Admin\AppData\Local\Temp\7XmnF6OvqVlt.bat

MD5 394c35100161e2842e2dce3e1bbc723e
SHA1 ef635449201674e9929540e176c079383ddca0ee
SHA256 b304ff33d556bb3df250f27f5a67cb44e338da884551d7533d360d9a6c9bd318
SHA512 0911910c7cedca0d8c5b8f3f5ba179c3124ab130db4b683b5d682f69202341cfdaa4158d419429116806471b1234c4518639ed5c30ad500085e314cf99829383

memory/1680-71-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/4272-73-0x0000000074DA0000-0x0000000075550000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 00e2485cb482b3eba2c283ffc1e654d6
SHA1 f354529b8a3abc61a336bdd6d0f7d429213c5a14
SHA256 dd0555e90654f9bf3941206d0c215ac2bc9001d353624e38180fd60bdf11af2b
SHA512 799fd3867cfc4815c2b0a5848a2965d1811bfc11fb20172dcd88664a7329ac51f86930fb495ec40eeaeb85dd73f39b4433e7dc91a99ac169e360ce78b591b3d7

C:\Users\Admin\AppData\Local\Temp\9v0GYHlXtlJP.bat

MD5 9dd03fdc4e4dc4b79050b7e943389e66
SHA1 a5a456f70afd0b26595d52edaee592f3071c1659
SHA256 84c2e1cd73bb59aafa990ae235ee70b58af94759d3d5425d24f75e1e0b5af148
SHA512 57016d2d6c13e5fdc4582100a307b49bfb5b5255deae3ce17948aed25ef9d386f2854bdf963b532a1b13cc4dacefe098093c455fabcdcba310e012c3a89b8050

memory/4272-80-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/4816-82-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/4816-83-0x0000000004B90000-0x0000000004BA0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 41a37f1913cd8ddd159860114bb45fd9
SHA1 b329f9e3be44306fdeb02aad92d0c900cc112107
SHA256 6801bdef73e502cb20ba99c962bbb99c8a5a20c5cbdb50f3bf3f9b4f0ceebaff
SHA512 9384ccc4eb40f2e1dc406dda56d358528b7343f7377c0009ddd2725d46a967ebc69f0ae16fb5fa6658ba5c1f87f2748024bb7e26975f6cc0dbf87f830dee9401

C:\Users\Admin\AppData\Local\Temp\y4eQEqKlVbcz.bat

MD5 7a5e779fc8dab8b142f1cf3b72bb671c
SHA1 d395da5f0d3c631ec2b99b7ff3df453cbc8c5c37
SHA256 8cbc6bd60ef24c5e4d0d8683451ebbc8fb77761eed51e9d4ef7a873cd1be9f47
SHA512 15a6ba05c50df19729e735d45311580e0ea56fed524ea7e056fdcffbe10f4a184ca26cb920337bfe2e75f605c724c8a9d38598b4d2d19ed35f4d2cbc6db0f0c7

memory/4816-90-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/5044-92-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/5044-93-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 736a18916f58f0089dc81bb42283967b
SHA1 84a440887d3f9636292598174b3f1e6d93c630fd
SHA256 e6aef4e76fb0562fbd0289f925311a6860f633d40478b12b12d3b6ef608dd3bc
SHA512 3697be7b21c30be5fb32ad3201d07a2e3aa99f7258a5d6f97c0467a22c45500338b59b3da374b45839333710db4cc3fb7a4b4570fbbfa7821be61f283e2dda1f

C:\Users\Admin\AppData\Local\Temp\lh8l9DHvPT3e.bat

MD5 376c01a4aa847027fae767fb04cfcd99
SHA1 07c06f9ad00e74e8740a49e9b442fc8ed8adfa61
SHA256 4b48ab5d0f76af4acefcfa7b8d82925577a48a02144c05f5ccf091beaf8f5391
SHA512 c53505489d22743598947a8e04fdfd81111abcbcd56f84dab6e72407f629b219c8465ed0ff59484b714789a5455349d93727b927e3308aa3f16b1838f9a3c84d

memory/5044-100-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/1892-102-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/1892-103-0x0000000005810000-0x0000000005820000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 21c3825698b2a0e93733db03549a8cc7
SHA1 e0aee1f7c9ea5e0a0dc4b6f606eafbc1b518496f
SHA256 6942c6331d135c9d905b7e779a468d42a078a92c0370539ee82f7381cfd1f49e
SHA512 cff02f25f08e9c10acb88c4685265d419ec5d1c90799757044a3b7b0600ee97b2cd9097346c539da1a52f07f9869702d8437862157477f87b6610d50b6c20406

C:\Users\Admin\AppData\Local\Temp\A8mmp3VpWbtp.bat

MD5 09f3ad358be15aecc10cb6ad4926aec3
SHA1 f67a7929c38db423960fcc490a21d7f9d737d62f
SHA256 b692c317639395de38b7f1acb3fc7e77a3d39639aba9ccdf9d418f9bacb4b57d
SHA512 d67d711c817d34a2649e8c3b303be8fa6d510945a0e7cea67ba5037c8bf00851f8b39903f9b389d3e5c4ebae2723f98a54ca4ccc940238383ca73d76d7ff2016

memory/1892-110-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/520-112-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/520-113-0x0000000004AF0000-0x0000000004B00000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 ef9c0863a4e3b87629c41501c7539f16
SHA1 252e52d930252bc34afc9ad1cb565af7e0d43fa5
SHA256 e70f82840c2a022ae330a4a6234b5431b156d6a74f4b004ddb759c8942f55bfb
SHA512 a6be537642c4c70b4996ca8b057588f8025bbdcbd0779fcad6a83c69f67dcd0d0fc8475801663836e051d15c83d4c676e62ae6b4017aa36818fe2f14e2f0d608

C:\Users\Admin\AppData\Local\Temp\UUOe5HAnpuHc.bat

MD5 4ea282cf2ec41e7cb451823dd803e1da
SHA1 e662b2f310eda1008b9838750567899c74d809d1
SHA256 77f2b8fb5f7bcfd704fc791627f456b8e59084ecec8bf1300f81892f0dc33812
SHA512 1353ada62522f55573b8b4ff4c01113fe80174dc48c98f094e9cc92bff972b20d8cf9ccf754604a8b82010167788fd30c702a33c27a9f468e0a5d223f836efea

memory/520-120-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/3588-122-0x0000000074DA0000-0x0000000075550000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 c42c8e4fe8d8cdd903d45a48f2163405
SHA1 b37fb126cf2ef1da426ec7424ed536ada653b234
SHA256 5b9fe0e9b6a3518351455289c7811d586b3ad6a683e860f4b5bf0696bdc26a6c
SHA512 6003ee64e4b932921ac543f14b90a4445cd90831d6a8a4d739ca58b50b9a18b713ad10fa0e05ad4d7c129bef2f010052102faa9527e82eb8e7070a2f831e133e

C:\Users\Admin\AppData\Local\Temp\orzVLWpm8EfO.bat

MD5 0b43e08466e44c6e184106d6f4e990bf
SHA1 d46cb5ec27e6a1f6e10e67622ff4fded246447bb
SHA256 09c08fd318dda4b45aefb2348b39761c044754e06aabc1021b2ed7729aec09ca
SHA512 6e8b669946f36885dfd8a995713072a3e684f888a8d6862337f58b8c6b0d86f8cb52c029eed3e392679bc9e19c5f9b0125b4047620e2a27454ac7fa464bb2af6

memory/3588-129-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/5044-131-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/5044-132-0x0000000004C80000-0x0000000004C90000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 31d60b1910db435a7fbcb1e3ef6cb453
SHA1 c2676b62cad327843b59eecf921fc30478a4483a
SHA256 b78ef2e51afc760a93b9bb294e4d64d07be59a8958ef6df67801849c42bb9c2e
SHA512 37d67aaa248b180159a34eede0b3b8c130a35368e412ec29262e81b0d0e3dd95c00885fcb3a5c1f7a177ccf7f9150e62ada37bbf8aba15dc1bc235324c8b5c9c

C:\Users\Admin\AppData\Local\Temp\w7ukbfbCb6Dy.bat

MD5 5904b2de5264de4a2a59ee5909056c6f
SHA1 3451f8c6f10b4e7b2c65d7bab4b41d2e54762707
SHA256 43f4b02c693b4935730e4fba5f19f3a413d37ff8e13420e548f4ad2b47b30682
SHA512 40bd1210a391d376a94a8bbf3418f01001bd086a091c5f0789ec45e146c0d79bacc766ae35d785fa29700a948e87fd30d8ef36725742042af8f6fc05f760766c

memory/5044-139-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/1680-141-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/1680-142-0x00000000057E0000-0x00000000057F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 cc143f22f58b4c0068d7a7e1122a4651
SHA1 defbeb52998172cccca5628841328e7c3387bf39
SHA256 6c70ae7acf6349b092a595cd5beefea6750fc0f604adfbcf7c7f5e9902e59016
SHA512 41af78cbcd4379068197f6317daa811c539184db62181b053374315beac589f7b555d33efd7d436623364d232f05117a9dc28adbd628305b92d23ed81eaf2488

C:\Users\Admin\AppData\Local\Temp\9uoYQl81HlLN.bat

MD5 d956c978524576935fec9db6a9883a3d
SHA1 33844f97375bf34cd335666372a561e95c4682b0
SHA256 7286bdf3a2d143dd63b9f3448b78227b67843006a2c8ee36e3022468bd6b6787
SHA512 fbb1d93af15db708ad3843d74ffc18bf84e42f5a4672da2582f986ac53d942ed5908b999aaa783c55f42771474e281e9f649b7ad035cbb35501ba77100f03b96

memory/1680-149-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/2288-151-0x0000000074DA0000-0x0000000075550000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 c1d2dea6e5ab0986c734a321ceafe94e
SHA1 29c38b6d36bde1cb358e89d7076c0097500e2801
SHA256 804b704e2880d045f5eb34a07b475662320f0a52883283f99cc67fde9776bbce
SHA512 e9d3b5203d7de43ab6221f3b470d137b6f0f7a1903e6f82cde1d5c7432c780c0aa7c05b12a218e0f5093c6addd251d4f818fa8dff772300a9f1960922a85117d

C:\Users\Admin\AppData\Local\Temp\TGPPfznza4jA.bat

MD5 a1297a264f771ded058a0af3baef53c1
SHA1 c8aa7f400301a07a478631e7544ba53817bbaba2
SHA256 27021a490ae6afa1faa45de11e566bc123523ae60e203fb4f3f697d47055db6c
SHA512 dc919d3c2759e61127f32333c38914b492fc40cb962378bf700502bca43a73641193e793664d0b1d1a0ae2c6452e4a538f6faf47ccd3fb069c492d684a6be850

memory/2288-158-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/5020-160-0x0000000074DA0000-0x0000000075550000-memory.dmp

memory/5020-161-0x0000000005280000-0x0000000005290000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\03-14-2024

MD5 85bfc09fceaed5278b98b1fc14929439
SHA1 2ffac194c23aa990fe5e66ad1ec0ec158de97419
SHA256 475c59071d022def3a5e560ec87e266a7c9797c4afbcb7bfe27dc4404691ac18
SHA512 bf3ea5bf7ab2ad28702eceec5069e0f3a5056f226ff2bcf1c4c8481bb585501e55569916f4719f2cc279fec7af89502ef7d30815f54aa0e121575b42894c7288

C:\Users\Admin\AppData\Local\Temp\6JNxMTTgMTDX.bat

MD5 b86021ea0005f07f748b5e7dad77c301
SHA1 ac801e2f2203e68d2b1d3c124e1098f808a52e7d
SHA256 e7560e172c975af95740964241e4dee885a20630eda9369936b50298d64c0412
SHA512 b4f85bbcf640108ad9b91dfa0eb032c66c48e6ea408977f2b3f25aa565dbe70ed107ca3ebfe6d5bbad44fa396facf68f53bc25f81c1235933f0ab2453601d704

memory/5020-168-0x0000000074DA0000-0x0000000075550000-memory.dmp