Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-04-2024 08:28

General

  • Target

    0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

  • Size

    3.1MB

  • MD5

    24e7acb706dffb37b3e682424719f5ab

  • SHA1

    5d4864f3acb3076ee4005990114a4a1f2520d456

  • SHA256

    0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d

  • SHA512

    3d4b62d8a2c725f288277a0021c5dc46600e71b20fcdc660fdb00e0d37ff0a0114b7571d331fd85f989da74ef2dbf57add61b90085ff94cf53f5d07fea215c50

  • SSDEEP

    49152:HvilL26AaNeWgPhlmVqvMQ7XSKE6kjn+DixoGgBoTHHB72eh2NT:HvaL26AaNeWgPhlmVqkQ7XSKExn+DS

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Kneegrowless-33547.portmap.host:33547

Mutex

10674f25-f575-4b14-92cf-06a7073df875

Attributes

  • encryption_key

    E5427EE2BE27EB8DFAE76384CABC8A5EBB33EB00

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
    "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOFfvVrrIsBd.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2628
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • Runs ping.exe
          PID:2536
        • C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
          "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2640
          • C:\Windows\system32\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\LJjHvukiq5Ry.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2372
            • C:\Windows\system32\chcp.com
              chcp 65001
              5⤵
                PID:2520
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                5⤵
                • Runs ping.exe
                PID:2880
              • C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
                "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
                5⤵
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:852
                • C:\Windows\system32\cmd.exe
                  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0rayHIVNcCgF.bat" "
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2708
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    7⤵
                      PID:864
                    • C:\Windows\system32\PING.EXE
                      ping -n 10 localhost
                      7⤵
                      • Runs ping.exe
                      PID:1544
                    • C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
                      "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
                      7⤵
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1912
                      • C:\Windows\system32\cmd.exe
                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ipMWbRlmedfm.bat" "
                        8⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2740
                        • C:\Windows\system32\chcp.com
                          chcp 65001
                          9⤵
                            PID:2108
                          • C:\Windows\system32\PING.EXE
                            ping -n 10 localhost
                            9⤵
                            • Runs ping.exe
                            PID:1564
                          • C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
                            "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
                            9⤵
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:2744
                            • C:\Windows\system32\cmd.exe
                              cmd /c ""C:\Users\Admin\AppData\Local\Temp\oqgehtR9G3jm.bat" "
                              10⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2004
                              • C:\Windows\system32\chcp.com
                                chcp 65001
                                11⤵
                                  PID:2324
                                • C:\Windows\system32\PING.EXE
                                  ping -n 10 localhost
                                  11⤵
                                  • Runs ping.exe
                                  PID:1932
                                • C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
                                  "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
                                  11⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:684
                                  • C:\Windows\system32\cmd.exe
                                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\W83WGuHV4mkW.bat" "
                                    12⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:1680
                                    • C:\Windows\system32\chcp.com
                                      chcp 65001
                                      13⤵
                                        PID:1100
                                      • C:\Windows\system32\PING.EXE
                                        ping -n 10 localhost
                                        13⤵
                                        • Runs ping.exe
                                        PID:1092
                                      • C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
                                        "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
                                        13⤵
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1224
                                        • C:\Windows\system32\cmd.exe
                                          cmd /c ""C:\Users\Admin\AppData\Local\Temp\q5SfMvKO1LwA.bat" "
                                          14⤵
                                            PID:1692
                                            • C:\Windows\system32\chcp.com
                                              chcp 65001
                                              15⤵
                                                PID:984
                                              • C:\Windows\system32\PING.EXE
                                                ping -n 10 localhost
                                                15⤵
                                                • Runs ping.exe
                                                PID:2316
                                              • C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
                                                "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
                                                15⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:856
                                                • C:\Windows\system32\cmd.exe
                                                  cmd /c ""C:\Users\Admin\AppData\Local\Temp\pNN3xBZGOC7c.bat" "
                                                  16⤵
                                                    PID:1432
                                                    • C:\Windows\system32\chcp.com
                                                      chcp 65001
                                                      17⤵
                                                        PID:1896
                                                      • C:\Windows\system32\PING.EXE
                                                        ping -n 10 localhost
                                                        17⤵
                                                        • Runs ping.exe
                                                        PID:624
                                                      • C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
                                                        17⤵
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2784
                                                        • C:\Windows\system32\cmd.exe
                                                          cmd /c ""C:\Users\Admin\AppData\Local\Temp\bcqHBXWskcxW.bat" "
                                                          18⤵
                                                            PID:2788
                                                            • C:\Windows\system32\chcp.com
                                                              chcp 65001
                                                              19⤵
                                                                PID:2360
                                                              • C:\Windows\system32\PING.EXE
                                                                ping -n 10 localhost
                                                                19⤵
                                                                • Runs ping.exe
                                                                PID:2468
                                                              • C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
                                                                19⤵
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2476
                                                                • C:\Windows\system32\cmd.exe
                                                                  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8sSGlbcwXjOd.bat" "
                                                                  20⤵
                                                                    PID:2416
                                                                    • C:\Windows\system32\chcp.com
                                                                      chcp 65001
                                                                      21⤵
                                                                        PID:2736
                                                                      • C:\Windows\system32\PING.EXE
                                                                        ping -n 10 localhost
                                                                        21⤵
                                                                        • Runs ping.exe
                                                                        PID:2668
                                                                      • C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
                                                                        21⤵
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1120
                                                                        • C:\Windows\system32\cmd.exe
                                                                          cmd /c ""C:\Users\Admin\AppData\Local\Temp\j0b8Lyy5WXa7.bat" "
                                                                          22⤵
                                                                            PID:2604
                                                                            • C:\Windows\system32\chcp.com
                                                                              chcp 65001
                                                                              23⤵
                                                                                PID:2340
                                                                              • C:\Windows\system32\PING.EXE
                                                                                ping -n 10 localhost
                                                                                23⤵
                                                                                • Runs ping.exe
                                                                                PID:2420
                                                                              • C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
                                                                                23⤵
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:996
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  cmd /c ""C:\Users\Admin\AppData\Local\Temp\52OXRp3qUgwY.bat" "
                                                                                  24⤵
                                                                                    PID:1204
                                                                                    • C:\Windows\system32\chcp.com
                                                                                      chcp 65001
                                                                                      25⤵
                                                                                        PID:2108
                                                                                      • C:\Windows\system32\PING.EXE
                                                                                        ping -n 10 localhost
                                                                                        25⤵
                                                                                        • Runs ping.exe
                                                                                        PID:1012
                                                                                      • C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
                                                                                        25⤵
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2036
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCfJJSlnYdXg.bat" "
                                                                                          26⤵
                                                                                            PID:2324
                                                                                            • C:\Windows\system32\chcp.com
                                                                                              chcp 65001
                                                                                              27⤵
                                                                                                PID:2760
                                                                                              • C:\Windows\system32\PING.EXE
                                                                                                ping -n 10 localhost
                                                                                                27⤵
                                                                                                • Runs ping.exe
                                                                                                PID:2772
                                                                                              • C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
                                                                                                27⤵
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:1932
                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                  cmd /c ""C:\Users\Admin\AppData\Local\Temp\oSqq34TDs5OD.bat" "
                                                                                                  28⤵
                                                                                                    PID:1808
                                                                                                    • C:\Windows\system32\chcp.com
                                                                                                      chcp 65001
                                                                                                      29⤵
                                                                                                        PID:608
                                                                                                      • C:\Windows\system32\PING.EXE
                                                                                                        ping -n 10 localhost
                                                                                                        29⤵
                                                                                                        • Runs ping.exe
                                                                                                        PID:684
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
                                                                                                        29⤵
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:956
                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                          cmd /c ""C:\Users\Admin\AppData\Local\Temp\j23GB51JMsLt.bat" "
                                                                                                          30⤵
                                                                                                            PID:472
                                                                                                            • C:\Windows\system32\chcp.com
                                                                                                              chcp 65001
                                                                                                              31⤵
                                                                                                                PID:1676
                                                                                                              • C:\Windows\system32\PING.EXE
                                                                                                                ping -n 10 localhost
                                                                                                                31⤵
                                                                                                                • Runs ping.exe
                                                                                                                PID:952
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
                                                                                                                31⤵
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:2144

Network

MITRE ATT&CK Enterprise v15

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Temp\0rayHIVNcCgF.bat

                                                    Filesize

                                                    261B

                                                    MD5

                                                    ad6ae24774af0c07ef852cf64742d3ac

                                                    SHA1

                                                    fcb65db282a3ba8b4c5ced241e02cfcc28bd8919

                                                    SHA256

                                                    4f9f9d1626531ff4f5f446f3d31098802e78c5b57ede3e972c7803c0e536c827

                                                    SHA512

                                                    71bbc927b9ad0fc5af1913b211620256bca22370f56abd0a466595ea790aad4232eee8aa75fa9b35ebcde6077713a0ee3cb9638baaa61e10e7ddc3b36752ac2f

                                                  • C:\Users\Admin\AppData\Local\Temp\52OXRp3qUgwY.bat

                                                    Filesize

                                                    261B

                                                    MD5

                                                    64bc6daee30bf47baef1ef673a6396c2

                                                    SHA1

                                                    27cd70cd5c5805cad0dd17d78e2752bd8aaa4741

                                                    SHA256

                                                    20ef3daf40b27f9f234583397bbd2c6c5e93a00a4040344a60ee6584017d38f5

                                                    SHA512

                                                    eaea7fbc5a477ac47a5950f9fc5e416838bcabd96e824c604fd27fd2ff4d9eebad7b613b90a2322951f4b85fd75c73071d7c581920d1e179ef595712b054aa0c

                                                  • C:\Users\Admin\AppData\Local\Temp\8sSGlbcwXjOd.bat

                                                    Filesize

                                                    261B

                                                    MD5

                                                    af4e86ae3f7040fab91462faebdd1d38

                                                    SHA1

                                                    431c9ed4ffd4fe92a9a009a6ab3d0d42ecd1387b

                                                    SHA256

                                                    9be261d0e1ff707160dd2fd71b9d2a2a07c63928497d865d3030ce363e90e923

                                                    SHA512

                                                    eb57bbecb878bce0b9b9a9190dff396d518441ae26b516526201fa4d6569a4c520247e38dc010da0b776bfab092554f0b181ddae08d8536fcf7569eead0bdb16

                                                  • C:\Users\Admin\AppData\Local\Temp\KCfJJSlnYdXg.bat

                                                    Filesize

                                                    261B

                                                    MD5

                                                    6b6b0f39413373c6f2470c925ee0b2d4

                                                    SHA1

                                                    6f0410f48611941a57de13f8c584e8f377a21ee2

                                                    SHA256

                                                    7cbeb3c04e6392bbebd34539400f857681c9c8fe55374420886b37062d6d3d14

                                                    SHA512

                                                    e2a57564e9c3694ba7745a5e31ac07722874c09a84d2e38b1d8ab24a98495071a80e8b155ede670850b3afb57bce5fd4f97c4bc3045a90ed3c0aa98da7abe7db

                                                  • C:\Users\Admin\AppData\Local\Temp\LJjHvukiq5Ry.bat

                                                    Filesize

                                                    261B

                                                    MD5

                                                    af1ab3dc342fc192ead81650a0ee2a9a

                                                    SHA1

                                                    0bdbe6906273db0a83045af9acae8dda0d81dd7a

                                                    SHA256

                                                    cdf10af883e8df8ac1a438bf104a569cf351c44ac9b6e73243161c354756aa12

                                                    SHA512

                                                    d515e371217c05cb6672da8eb75cd56bfb553394866dbb055a2fb3b761a5c34ad78b80c3b9cf54c4f9036ab4ad6be98a3d6fb0a8df53cd92e902778bd5f89c13

  • C:\Users\Admin\AppData\Local\Temp\W83WGuHV4mkW.bat
    Filesize: 261B
    MD5: 75d6dd20e4ec2e7ad0e012e154b0132a
    SHA1: ace943c9b38fd7f564099e73300b15fc28ee4db7
    SHA256: ee7a73627b3dc1b07a0d25b69ee8578fa26e7a5e20714f69d704540b87b80e67
    SHA512: def49f172eee71f135ccebcd6e8caccb2c37f889665bbd1dc9437027498c7d91a7f10b748342205a1e8902bd0488d294bfad6a4f651d1255ab623d64bb033885

  • C:\Users\Admin\AppData\Local\Temp\bcqHBXWskcxW.bat
    Filesize: 261B
    MD5: de72f9efaed0cbb2c59b96a9033d2e18
    SHA1: 1973454e80fb72908289b03e437402095391c311
    SHA256: 52f9f883adaa89a4c24ec067d8da422378d530a02d3024a7a7d8fd93cf5e4091
    SHA512: 5c503358ab917f5cccfb322a0177ef5f926a7861101760da2560b242e77753312058e32957d228d0d3b1120b3e3fbe3d6e7636cf68c99249f8c5675fb20ce14d

  • C:\Users\Admin\AppData\Local\Temp\ipMWbRlmedfm.bat
    Filesize: 261B
    MD5: 8ca1e6e5cc7549cc131a1a08ebc30d35
    SHA1: ed890a3b1099d5f27eb4485894429e13c848789c
    SHA256: aed77d52c4e4557fc4e19b41eb153091bc6efa31bfba48ea8004673d96baa11c
    SHA512: df28d694b66da089796c455cbeb9a64a09234e803426db3a1b645cc61315144bb52fc9107985d07d42b75ba56c3d7def8f606a418f5943fe0496615e5cb93edb

  • C:\Users\Admin\AppData\Local\Temp\j0b8Lyy5WXa7.bat
    Filesize: 261B
    MD5: f6a07864e27a16d2ace7af0e9da382ec
    SHA1: 584d8a508ccd906957aadb7b925e3886cf51a3fb
    SHA256: f2af395fc87030c6c2e61369da2b632aac86814999365a625e2a9da5100f19d3
    SHA512: af7da8cf1601e47df455d565bbc1c29450a4de041197e780bfa3dbc0ac2ca12da01c2ed56c8aedd973b7adea0cd9cb525d6d888b58012063d3215e9d30c48cf4

  • C:\Users\Admin\AppData\Local\Temp\j23GB51JMsLt.bat
    Filesize: 261B
    MD5: 4ee7f1dfc35e471fe6b11cb141ba0235
    SHA1: c6eef3555be9e9a21e0b30f0950776872df0550f
    SHA256: 4d1d8dda32a499484fe6fce3fb67e51018aa3fd21d6cee1d5e42cbeb0cbea2b4
    SHA512: ea6fd8151ec9c64e652ff574e4bb87a364729c7d6272d3254c97ddbc8af4b74c77ae8f258d618f7f698eadabd0760a32f203a06ce9588e0504dde815a1fc0971

  • C:\Users\Admin\AppData\Local\Temp\oSqq34TDs5OD.bat
    Filesize: 261B
    MD5: a38ca59fcb858ced5afb007501195b2e
    SHA1: 4f2632fd59291ccebc64ec730e099a541f8ae441
    SHA256: f3d0dfe20aa0ab78594fe8b9927d826d4e29ebf991c2eefaec4157d41cee60f0
    SHA512: 6eb294f93f9d6e7da4653b61393f325c8a19235863d2c6faf6990436c46f34e7c5a794e3fc0a62a48e78a32b7c5bfeb64fcf4c9f0b3ec670b035f2bb77714bb0

  • C:\Users\Admin\AppData\Local\Temp\oqgehtR9G3jm.bat
    Filesize: 261B
    MD5: b7db03e65e3be8e5b82769ab3e42cc90
    SHA1: 1feb7de0f7ef4e4fd80b28c8d1ae47662461b3c5
    SHA256: ff4de53d3edacf189fa9bd34e0458b72838ed3d165e3911c0f0499c05e44ded3
    SHA512: c53cc79380245fa9365f97399edfb16261d72cd4f09a14eda00bbeca2825d3bf317d8ea72d522a6e6820d3964ab61376daae8be98103187c4fe63fea10a3cdcc

  • C:\Users\Admin\AppData\Local\Temp\pNN3xBZGOC7c.bat
    Filesize: 261B
    MD5: 54fee6e97ef24dcef302ce92971641c6
    SHA1: f4fc612c9dfbad280bf56f60faa2b8b840bc0064
    SHA256: 1feca84d142ff923312d3f1fb2f4ca634bcd5a03677c48b01ea9086e2b952acd
    SHA512: 7ad978c4040baa3ba0cde78d6ec6716acb19f838a5fa5e57370c7c352be756b7603c9c64b5098cd35038da072ac188c6c6cbfe52d4630d32cba23e772841851f

  • C:\Users\Admin\AppData\Local\Temp\q5SfMvKO1LwA.bat
    Filesize: 261B
    MD5: 8e16dc3d02da6d855a07a19813bbe279
    SHA1: d61456dca73465210ba1444652b7c97a1e1e5e76
    SHA256: 8d9137a843dabd538c41f597bde2281941c782b7ec81be39d79a2464314e819c
    SHA512: 0ddeb5a3ff30367e62b461e2977d01c9d1e9e9f499053111f2b4290ba7c58fc2acbf6489503ec898058a477cb94b570ced50fa9a01bb80ca2bbe3a898eab365a

  • C:\Users\Admin\AppData\Local\Temp\uOFfvVrrIsBd.bat
    Filesize: 261B
    MD5: cb4c618c05794d9e3649f5d676409a56
    SHA1: 2ba14b87670e3f6bb79d46a16956bb270854e5c9
    SHA256: 85269ceae894cfe05d513cf2e6c5f9f42c5028d3390a9e426e59dbf28d247610
    SHA512: ff30cac47c4b3fee49d1065cb73d75c62a19897fe0838265743f9433ecf0fc3d97b9064aa693583f9dd6612032625edbef90d6cd481ca597bb436b0ecaba1a23

  • \??\PIPE\lsarpc
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/684-64-0x00000000003C0000-0x00000000006E4000-memory.dmp
    Filesize: 3.1MB

  • memory/684-76-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
    Filesize: 9.9MB

  • memory/684-66-0x000000001B1F0000-0x000000001B270000-memory.dmp
    Filesize: 512KB

  • memory/684-65-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
    Filesize: 9.9MB

  • memory/852-27-0x000000001B5A0000-0x000000001B620000-memory.dmp
    Filesize: 512KB

  • memory/852-38-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
    Filesize: 9.9MB

  • memory/852-26-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
    Filesize: 9.9MB

  • memory/856-101-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
    Filesize: 9.9MB

  • memory/856-92-0x000000001B310000-0x000000001B390000-memory.dmp
    Filesize: 512KB

  • memory/856-91-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
    Filesize: 9.9MB

  • memory/856-90-0x00000000003D0000-0x00000000006F4000-memory.dmp
    Filesize: 3.1MB

  • memory/956-182-0x000000001B140000-0x000000001B1C0000-memory.dmp
    Filesize: 512KB

  • memory/956-181-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
    Filesize: 9.9MB

  • memory/956-192-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
    Filesize: 9.9MB

  • memory/956-180-0x0000000000330000-0x0000000000654000-memory.dmp
    Filesize: 3.1MB

  • memory/996-142-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
    Filesize: 9.9MB

  • memory/996-143-0x000000001B300000-0x000000001B380000-memory.dmp
    Filesize: 512KB

  • memory/996-141-0x0000000000D00000-0x0000000001024000-memory.dmp
    Filesize: 3.1MB

  • memory/996-153-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
    Filesize: 9.9MB

  • memory/1120-129-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
    Filesize: 9.9MB

  • memory/1120-130-0x000000001B2D0000-0x000000001B350000-memory.dmp
    Filesize: 512KB

  • memory/1120-139-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
    Filesize: 9.9MB

  • memory/1224-77-0x0000000000030000-0x0000000000354000-memory.dmp
    Filesize: 3.1MB

  • memory/1224-88-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
    Filesize: 9.9MB

  • memory/1224-78-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
    Filesize: 9.9MB

  • memory/1224-79-0x0000000002310000-0x0000000002390000-memory.dmp
    Filesize: 512KB

  • memory/1912-39-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
    Filesize: 9.9MB

  • memory/1912-50-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
    Filesize: 9.9MB

  • memory/1912-40-0x000000001B2F0000-0x000000001B370000-memory.dmp
    Filesize: 512KB

  • memory/1932-168-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
    Filesize: 9.9MB

  • memory/1932-179-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
    Filesize: 9.9MB

  • memory/1932-169-0x0000000001270000-0x00000000012F0000-memory.dmp
    Filesize: 512KB

  • memory/1932-167-0x0000000001330000-0x0000000001654000-memory.dmp
    Filesize: 3.1MB

  • memory/2036-155-0x000000001B2F0000-0x000000001B370000-memory.dmp
    Filesize: 512KB

  • memory/2036-166-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
    Filesize: 9.9MB

  • memory/2036-154-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
    Filesize: 9.9MB

  • memory/2144-194-0x000000001B470000-0x000000001B4F0000-memory.dmp
    Filesize: 512KB

  • memory/2144-193-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
    Filesize: 9.9MB

  • memory/2476-128-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
    Filesize: 9.9MB

  • memory/2476-117-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
    Filesize: 9.9MB

  • memory/2476-116-0x0000000000A60000-0x0000000000D84000-memory.dmp
    Filesize: 3.1MB

  • memory/2476-118-0x000000001B190000-0x000000001B210000-memory.dmp
    Filesize: 512KB

  • memory/2640-15-0x000000001B0D0000-0x000000001B150000-memory.dmp
    Filesize: 512KB

  • memory/2640-25-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
    Filesize: 9.9MB

  • memory/2640-13-0x00000000013B0000-0x00000000016D4000-memory.dmp
    Filesize: 3.1MB

  • memory/2640-14-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
    Filesize: 9.9MB

  • memory/2744-51-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
    Filesize: 9.9MB

  • memory/2744-52-0x000000001B200000-0x000000001B280000-memory.dmp
    Filesize: 512KB

  • memory/2744-63-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
    Filesize: 9.9MB

  • memory/2784-105-0x000000001B240000-0x000000001B2C0000-memory.dmp
    Filesize: 512KB

  • memory/2784-103-0x0000000000150000-0x0000000000474000-memory.dmp
    Filesize: 3.1MB

  • memory/2784-104-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
    Filesize: 9.9MB

  • memory/2784-115-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
    Filesize: 9.9MB

  • memory/2908-0-0x0000000001390000-0x00000000016B4000-memory.dmp
    Filesize: 3.1MB

  • memory/2908-12-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
    Filesize: 9.9MB

  • memory/2908-2-0x000000001B390000-0x000000001B410000-memory.dmp
    Filesize: 512KB

  • memory/2908-1-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
    Filesize: 9.9MB