Analysis Overview
SHA256
0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d
Threat Level: Known bad
The file 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar RAT
Quasar payload
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-21 08:28
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-21 08:28
Reported
2024-04-21 08:30
Platform
win7-20240220-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOFfvVrrIsBd.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LJjHvukiq5Ry.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\0rayHIVNcCgF.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ipMWbRlmedfm.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oqgehtR9G3jm.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\W83WGuHV4mkW.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\q5SfMvKO1LwA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pNN3xBZGOC7c.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bcqHBXWskcxW.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8sSGlbcwXjOd.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\j0b8Lyy5WXa7.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\52OXRp3qUgwY.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCfJJSlnYdXg.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oSqq34TDs5OD.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\j23GB51JMsLt.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | Kneegrowless-33547.portmap.host | udp |
Files
memory/2908-0-0x0000000001390000-0x00000000016B4000-memory.dmp
memory/2908-1-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
memory/2908-2-0x000000001B390000-0x000000001B410000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uOFfvVrrIsBd.bat
| MD5 | cb4c618c05794d9e3649f5d676409a56 |
| SHA1 | 2ba14b87670e3f6bb79d46a16956bb270854e5c9 |
| SHA256 | 85269ceae894cfe05d513cf2e6c5f9f42c5028d3390a9e426e59dbf28d247610 |
| SHA512 | ff30cac47c4b3fee49d1065cb73d75c62a19897fe0838265743f9433ecf0fc3d97b9064aa693583f9dd6612032625edbef90d6cd481ca597bb436b0ecaba1a23 |
memory/2908-12-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
memory/2640-13-0x00000000013B0000-0x00000000016D4000-memory.dmp
memory/2640-14-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
memory/2640-15-0x000000001B0D0000-0x000000001B150000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LJjHvukiq5Ry.bat
| MD5 | af1ab3dc342fc192ead81650a0ee2a9a |
| SHA1 | 0bdbe6906273db0a83045af9acae8dda0d81dd7a |
| SHA256 | cdf10af883e8df8ac1a438bf104a569cf351c44ac9b6e73243161c354756aa12 |
| SHA512 | d515e371217c05cb6672da8eb75cd56bfb553394866dbb055a2fb3b761a5c34ad78b80c3b9cf54c4f9036ab4ad6be98a3d6fb0a8df53cd92e902778bd5f89c13 |
memory/2640-25-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
memory/852-26-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
memory/852-27-0x000000001B5A0000-0x000000001B620000-memory.dmp
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\0rayHIVNcCgF.bat
| MD5 | ad6ae24774af0c07ef852cf64742d3ac |
| SHA1 | fcb65db282a3ba8b4c5ced241e02cfcc28bd8919 |
| SHA256 | 4f9f9d1626531ff4f5f446f3d31098802e78c5b57ede3e972c7803c0e536c827 |
| SHA512 | 71bbc927b9ad0fc5af1913b211620256bca22370f56abd0a466595ea790aad4232eee8aa75fa9b35ebcde6077713a0ee3cb9638baaa61e10e7ddc3b36752ac2f |
memory/852-38-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
memory/1912-39-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
memory/1912-40-0x000000001B2F0000-0x000000001B370000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ipMWbRlmedfm.bat
| MD5 | 8ca1e6e5cc7549cc131a1a08ebc30d35 |
| SHA1 | ed890a3b1099d5f27eb4485894429e13c848789c |
| SHA256 | aed77d52c4e4557fc4e19b41eb153091bc6efa31bfba48ea8004673d96baa11c |
| SHA512 | df28d694b66da089796c455cbeb9a64a09234e803426db3a1b645cc61315144bb52fc9107985d07d42b75ba56c3d7def8f606a418f5943fe0496615e5cb93edb |
memory/1912-50-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
memory/2744-52-0x000000001B200000-0x000000001B280000-memory.dmp
memory/2744-51-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oqgehtR9G3jm.bat
| MD5 | b7db03e65e3be8e5b82769ab3e42cc90 |
| SHA1 | 1feb7de0f7ef4e4fd80b28c8d1ae47662461b3c5 |
| SHA256 | ff4de53d3edacf189fa9bd34e0458b72838ed3d165e3911c0f0499c05e44ded3 |
| SHA512 | c53cc79380245fa9365f97399edfb16261d72cd4f09a14eda00bbeca2825d3bf317d8ea72d522a6e6820d3964ab61376daae8be98103187c4fe63fea10a3cdcc |
memory/2744-63-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
memory/684-64-0x00000000003C0000-0x00000000006E4000-memory.dmp
memory/684-65-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
memory/684-66-0x000000001B1F0000-0x000000001B270000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\W83WGuHV4mkW.bat
| MD5 | 75d6dd20e4ec2e7ad0e012e154b0132a |
| SHA1 | ace943c9b38fd7f564099e73300b15fc28ee4db7 |
| SHA256 | ee7a73627b3dc1b07a0d25b69ee8578fa26e7a5e20714f69d704540b87b80e67 |
| SHA512 | def49f172eee71f135ccebcd6e8caccb2c37f889665bbd1dc9437027498c7d91a7f10b748342205a1e8902bd0488d294bfad6a4f651d1255ab623d64bb033885 |
memory/684-76-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
memory/1224-77-0x0000000000030000-0x0000000000354000-memory.dmp
memory/1224-78-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
memory/1224-79-0x0000000002310000-0x0000000002390000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\q5SfMvKO1LwA.bat
| MD5 | 8e16dc3d02da6d855a07a19813bbe279 |
| SHA1 | d61456dca73465210ba1444652b7c97a1e1e5e76 |
| SHA256 | 8d9137a843dabd538c41f597bde2281941c782b7ec81be39d79a2464314e819c |
| SHA512 | 0ddeb5a3ff30367e62b461e2977d01c9d1e9e9f499053111f2b4290ba7c58fc2acbf6489503ec898058a477cb94b570ced50fa9a01bb80ca2bbe3a898eab365a |
memory/1224-88-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
memory/856-90-0x00000000003D0000-0x00000000006F4000-memory.dmp
memory/856-91-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
memory/856-92-0x000000001B310000-0x000000001B390000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pNN3xBZGOC7c.bat
| MD5 | 54fee6e97ef24dcef302ce92971641c6 |
| SHA1 | f4fc612c9dfbad280bf56f60faa2b8b840bc0064 |
| SHA256 | 1feca84d142ff923312d3f1fb2f4ca634bcd5a03677c48b01ea9086e2b952acd |
| SHA512 | 7ad978c4040baa3ba0cde78d6ec6716acb19f838a5fa5e57370c7c352be756b7603c9c64b5098cd35038da072ac188c6c6cbfe52d4630d32cba23e772841851f |
memory/856-101-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
memory/2784-104-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
memory/2784-103-0x0000000000150000-0x0000000000474000-memory.dmp
memory/2784-105-0x000000001B240000-0x000000001B2C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bcqHBXWskcxW.bat
| MD5 | de72f9efaed0cbb2c59b96a9033d2e18 |
| SHA1 | 1973454e80fb72908289b03e437402095391c311 |
| SHA256 | 52f9f883adaa89a4c24ec067d8da422378d530a02d3024a7a7d8fd93cf5e4091 |
| SHA512 | 5c503358ab917f5cccfb322a0177ef5f926a7861101760da2560b242e77753312058e32957d228d0d3b1120b3e3fbe3d6e7636cf68c99249f8c5675fb20ce14d |
memory/2784-115-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
memory/2476-116-0x0000000000A60000-0x0000000000D84000-memory.dmp
memory/2476-117-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
memory/2476-118-0x000000001B190000-0x000000001B210000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8sSGlbcwXjOd.bat
| MD5 | af4e86ae3f7040fab91462faebdd1d38 |
| SHA1 | 431c9ed4ffd4fe92a9a009a6ab3d0d42ecd1387b |
| SHA256 | 9be261d0e1ff707160dd2fd71b9d2a2a07c63928497d865d3030ce363e90e923 |
| SHA512 | eb57bbecb878bce0b9b9a9190dff396d518441ae26b516526201fa4d6569a4c520247e38dc010da0b776bfab092554f0b181ddae08d8536fcf7569eead0bdb16 |
memory/2476-128-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
memory/1120-129-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
memory/1120-130-0x000000001B2D0000-0x000000001B350000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\j0b8Lyy5WXa7.bat
| MD5 | f6a07864e27a16d2ace7af0e9da382ec |
| SHA1 | 584d8a508ccd906957aadb7b925e3886cf51a3fb |
| SHA256 | f2af395fc87030c6c2e61369da2b632aac86814999365a625e2a9da5100f19d3 |
| SHA512 | af7da8cf1601e47df455d565bbc1c29450a4de041197e780bfa3dbc0ac2ca12da01c2ed56c8aedd973b7adea0cd9cb525d6d888b58012063d3215e9d30c48cf4 |
memory/1120-139-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
memory/996-141-0x0000000000D00000-0x0000000001024000-memory.dmp
memory/996-142-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
memory/996-143-0x000000001B300000-0x000000001B380000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\52OXRp3qUgwY.bat
| MD5 | 64bc6daee30bf47baef1ef673a6396c2 |
| SHA1 | 27cd70cd5c5805cad0dd17d78e2752bd8aaa4741 |
| SHA256 | 20ef3daf40b27f9f234583397bbd2c6c5e93a00a4040344a60ee6584017d38f5 |
| SHA512 | eaea7fbc5a477ac47a5950f9fc5e416838bcabd96e824c604fd27fd2ff4d9eebad7b613b90a2322951f4b85fd75c73071d7c581920d1e179ef595712b054aa0c |
memory/996-153-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
memory/2036-154-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
memory/2036-155-0x000000001B2F0000-0x000000001B370000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KCfJJSlnYdXg.bat
| MD5 | 6b6b0f39413373c6f2470c925ee0b2d4 |
| SHA1 | 6f0410f48611941a57de13f8c584e8f377a21ee2 |
| SHA256 | 7cbeb3c04e6392bbebd34539400f857681c9c8fe55374420886b37062d6d3d14 |
| SHA512 | e2a57564e9c3694ba7745a5e31ac07722874c09a84d2e38b1d8ab24a98495071a80e8b155ede670850b3afb57bce5fd4f97c4bc3045a90ed3c0aa98da7abe7db |
memory/2036-166-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
memory/1932-167-0x0000000001330000-0x0000000001654000-memory.dmp
memory/1932-168-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
memory/1932-169-0x0000000001270000-0x00000000012F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oSqq34TDs5OD.bat
| MD5 | a38ca59fcb858ced5afb007501195b2e |
| SHA1 | 4f2632fd59291ccebc64ec730e099a541f8ae441 |
| SHA256 | f3d0dfe20aa0ab78594fe8b9927d826d4e29ebf991c2eefaec4157d41cee60f0 |
| SHA512 | 6eb294f93f9d6e7da4653b61393f325c8a19235863d2c6faf6990436c46f34e7c5a794e3fc0a62a48e78a32b7c5bfeb64fcf4c9f0b3ec670b035f2bb77714bb0 |
memory/1932-179-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
memory/956-180-0x0000000000330000-0x0000000000654000-memory.dmp
memory/956-181-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
memory/956-182-0x000000001B140000-0x000000001B1C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\j23GB51JMsLt.bat
| MD5 | 4ee7f1dfc35e471fe6b11cb141ba0235 |
| SHA1 | c6eef3555be9e9a21e0b30f0950776872df0550f |
| SHA256 | 4d1d8dda32a499484fe6fce3fb67e51018aa3fd21d6cee1d5e42cbeb0cbea2b4 |
| SHA512 | ea6fd8151ec9c64e652ff574e4bb87a364729c7d6272d3254c97ddbc8af4b74c77ae8f258d618f7f698eadabd0760a32f203a06ce9588e0504dde815a1fc0971 |
memory/956-192-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
memory/2144-193-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
memory/2144-194-0x000000001B470000-0x000000001B4F0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-21 08:28
Reported
2024-04-21 08:30
Platform
win10v2004-20240412-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h3KQk3tmpXwm.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcAlz1FrFZia.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUgQD8fR0YvW.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auDM4HqLAjRF.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAUBwOXrOcha.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmBHU99RhLni.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\drDaaP3uiAO4.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fNADFXAmWs8s.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YzPQMnl5pjh4.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\me4vO7g5QPse.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5LbzD7dp01xA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FN8zHBs0afkA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSFbXLsBohmm.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v21sVDRmH4OA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6LXbjoqgH6c8.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | Kneegrowless-33547.portmap.host | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| NL | 23.62.61.123:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Kneegrowless-33547.portmap.host | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Kneegrowless-33547.portmap.host | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Kneegrowless-33547.portmap.host | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Kneegrowless-33547.portmap.host | udp |
| US | 8.8.8.8:53 | Kneegrowless-33547.portmap.host | udp |
| US | 8.8.8.8:53 | Kneegrowless-33547.portmap.host | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Kneegrowless-33547.portmap.host | udp |
| US | 8.8.8.8:53 | Kneegrowless-33547.portmap.host | udp |
| US | 8.8.8.8:53 | Kneegrowless-33547.portmap.host | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Kneegrowless-33547.portmap.host | udp |
| US | 8.8.8.8:53 | Kneegrowless-33547.portmap.host | udp |
| US | 8.8.8.8:53 | Kneegrowless-33547.portmap.host | udp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Kneegrowless-33547.portmap.host | udp |
| US | 8.8.8.8:53 | Kneegrowless-33547.portmap.host | udp |
| BE | 2.17.197.240:80 | | tcp |
Files
memory/3588-0-0x0000000000D60000-0x0000000001084000-memory.dmp
memory/3588-1-0x00007FFCDB160000-0x00007FFCDBC21000-memory.dmp
memory/3588-2-0x0000000001930000-0x0000000001940000-memory.dmp
memory/3588-4-0x000000001C100000-0x000000001C1B2000-memory.dmp
memory/3588-3-0x000000001BFF0000-0x000000001C040000-memory.dmp
memory/3588-9-0x00007FFCDB160000-0x00007FFCDBC21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\h3KQk3tmpXwm.bat
| MD5 | 309c155aa3118f88dba9c37dea7c3347 |
| SHA1 | f16248043245eac6045857a40250570bded17123 |
| SHA256 | be2c1bc79a66390f03c17ae2b44d5879fd71a94dea926e909f3f416482ea59f7 |
| SHA512 | 21dc857213cd4188d202439a921643804dbd303a6b8ddd31ae668594dfbfb85d346502a2bb59ca34bd2c116fb506fdcde7cf1569b2392469c1469b4b2e96472c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe.log
| MD5 | 8f0271a63446aef01cf2bfc7b7c7976b |
| SHA1 | b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7 |
| SHA256 | da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c |
| SHA512 | 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5 |
memory/4752-12-0x00007FFCDA1D0000-0x00007FFCDAC91000-memory.dmp
memory/4752-13-0x000000001B640000-0x000000001B650000-memory.dmp
memory/4752-17-0x00007FFCDA1D0000-0x00007FFCDAC91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pcAlz1FrFZia.bat
| MD5 | 20a908ad6915eb284f377c7bfd67900f |
| SHA1 | 48b34666995f3fa4decbb68656f745595e4cf88e |
| SHA256 | 4f980d4bb45f4abad4ef6b378b37f01106740a6aa2a193bba3bed9b81765fa6d |
| SHA512 | c303444360242c2b8c7ca892b70ebb77a7826aa389864e5f5a8bc51f39b68b66830146a1ebbd9589d3ddbb4f9563df0029122d15b30ea27e36b0fca8e4ab6fec |
memory/4260-19-0x00007FFCD9990000-0x00007FFCDA451000-memory.dmp
memory/4260-23-0x00007FFCD9990000-0x00007FFCDA451000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HUgQD8fR0YvW.bat
| MD5 | 9ce3bbdfb904dde5b71a23a944151596 |
| SHA1 | f2d6c088a3a8c8832593cd4e90b52309bd64472b |
| SHA256 | f4b7511c568b9aad659ad049557cad133382de6bbce1914524a2a8fcb0e9c8ff |
| SHA512 | 51f51d3b8cb739dfcdd6c3da432a331253c489eb43da7ba5abbf4cf2b1f8c80dc3209f476c3c4aecc4b27254d0ed70d67a89d7e4981d31e1125a723769758fcf |
memory/4564-25-0x00007FFCD9940000-0x00007FFCDA401000-memory.dmp
memory/4564-29-0x00007FFCD9940000-0x00007FFCDA401000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\auDM4HqLAjRF.bat
| MD5 | 6245a85655979483d03e83afe72e9d94 |
| SHA1 | 04824ed4b2c699756db8f0fe65f26d7a98b5429d |
| SHA256 | 6261b7a15fa6b23353da9160f9c9c23403f977c1bf612ee9d4d2ab3ec0b9f240 |
| SHA512 | b0d62b2ee99af8bd1317f405432b228288493be1bb3918a68d5825ee38d60290ff7d035ed31f101b0dba0422a16ddb7dc297915696485057584b73966610df06 |
memory/4632-31-0x00007FFCD9420000-0x00007FFCD9EE1000-memory.dmp
memory/4632-35-0x00007FFCD9420000-0x00007FFCD9EE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HAUBwOXrOcha.bat
| MD5 | 1b47ee3a07eac0c65b606bebc2894098 |
| SHA1 | 21cf856d7ece442620cee37406f1cb1e168728b2 |
| SHA256 | 195d30503fc702b870bf91aa303777842319c8c34a17f2cc916e7ed0df516edd |
| SHA512 | 2f0cf117d8e59dfb0f03d7bb027860034ffdc29a183dc33e736cc2ca91e6729006c2fae58684538ed7dfa0b32c44922431d406087b54d042ff0e17dc8a3dc5ef |
memory/4060-37-0x00007FFCD9420000-0x00007FFCD9EE1000-memory.dmp
memory/4060-41-0x00007FFCD9420000-0x00007FFCD9EE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmBHU99RhLni.bat
| MD5 | edbb0f9f0f7c3a683af3ff8118ba15dd |
| SHA1 | 4cf1d27b63ae433f3779e7063a337ce432ebfbf5 |
| SHA256 | 6c3bd81d5c3e712f6174f94de56cfc24d73cef7d9b76544aa46b71dafb867f67 |
| SHA512 | c910cf3c14ea3a2f6e8937f37909465f3f33c192680bf68e2299e0ed649f6fe5e06edf3630c8c4ba9b0e36755323e1cf715e80be70e18805d5cd7058109afdae |
memory/3908-43-0x00007FFCD9420000-0x00007FFCD9EE1000-memory.dmp
memory/3908-47-0x00007FFCD9420000-0x00007FFCD9EE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\drDaaP3uiAO4.bat
| MD5 | cabe5979daf5138f88a7938cf9fae9c9 |
| SHA1 | 6d6e5fb1dd2eb3b20f2ec0d486188aee22327bf0 |
| SHA256 | 256dbe03803a7166e2a8a73c2525658bd7929cd0a57d6601d9b253a265f2bac0 |
| SHA512 | 5e0011dbaae8ec7ccefce42d53cc79fe4d3f9d4fe9e56e63018585c70a639313f810052d970ac0cd49ba024ee96b334c46a3997d34a2304a53ef014cd16b0d52 |
memory/2748-49-0x00007FFCD9420000-0x00007FFCD9EE1000-memory.dmp
memory/2748-53-0x00007FFCD9420000-0x00007FFCD9EE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fNADFXAmWs8s.bat
| MD5 | 92a6075d5b7e432a11b8fa99345c1c67 |
| SHA1 | 6f90a94817ec42a9cb1ffa59f158ec5d8aad1226 |
| SHA256 | e9623096ea4438e35a84719039c2b2dab4de3d1f901c17e7db164841e55f1f09 |
| SHA512 | 3a8cc06ee84ac3418bc7e1f294491b0085e8478e8b2da9e68ee0b45185c14bc8b45100977f8b8ec320eb0d4eae747dd33e774071416191b2c548181d20552fb9 |
memory/2376-55-0x00007FFCD9420000-0x00007FFCD9EE1000-memory.dmp
memory/2376-59-0x00007FFCD9420000-0x00007FFCD9EE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YzPQMnl5pjh4.bat
| MD5 | 9927c04f3a0274f4857ec9c6ac39e385 |
| SHA1 | 3671b3327904e3b3245ab343ba052556871c8912 |
| SHA256 | 0c2c78c03f6b82c3cc4c84268cfc3d558ab8e914ae8516508458890a163e66da |
| SHA512 | dd86f5f94bd8a39c2c2e0ee137ea0b89d75025c534ebb15c1d09d32a5802bcbc64a7aa86fafce6d61c026f7b3cb2c6eaf03afb83081908c92d91e92d7ee6b418 |
memory/3724-61-0x00007FFCD9420000-0x00007FFCD9EE1000-memory.dmp
memory/3724-65-0x00007FFCD9420000-0x00007FFCD9EE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\me4vO7g5QPse.bat
| MD5 | 2bdc01b553462bf9dfa842a6903a2dc5 |
| SHA1 | efcda5c7a432376c5a9cc5e374032dde9f4f2b5d |
| SHA256 | 9ed413ef0669ff13db9344c3585cb7a1e910b176898fc9c37813bae1c23b17e3 |
| SHA512 | ce1989c50f647cb8ce974026806c7699ea64ffdd893c80ed4c671329a75deac762c40450977eae48c5718a9f35d3c893837c81584c67213bae47226627198403 |
memory/4472-67-0x00007FFCD9180000-0x00007FFCD9C41000-memory.dmp
memory/4472-71-0x00007FFCD9180000-0x00007FFCD9C41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5LbzD7dp01xA.bat
| MD5 | fc7f21f016c12cc477c705287cc6fe43 |
| SHA1 | 33f0dae29457932a4a2b6784625560565209f424 |
| SHA256 | 85793ad1977f93da9a2f6af16a7f17ddbfc3e1f94eabf94220994fcabd50c6eb |
| SHA512 | c3f31aa0fb194644d26bc9dce4b23e03791367fea1680e037792bef2e390dcc2f967fffd5c0574e53b98621302f988a2a664fd18387bfffbf678cc8bb9492872 |
memory/4424-73-0x00007FFCD9180000-0x00007FFCD9C41000-memory.dmp
memory/4424-77-0x00007FFCD9180000-0x00007FFCD9C41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FN8zHBs0afkA.bat
| MD5 | f33ec1172e16d4af403b20051ad7d34f |
| SHA1 | 415d1f5fa64a5ff36262a439fd92d61d0ef74f75 |
| SHA256 | efbaaca56bad4a859387043c9e96a8a2555d6e9d473e94c2a04d4aeec8912d94 |
| SHA512 | 83f1bdc136cc007eb7fdbb024021f596101120fdf01bca380168f84568b4d677bd78c95ac97cb5abc014c1c5e14e29783e64dad6793b9eddd7109841c83f3a6a |
memory/3852-79-0x00007FFCD92D0000-0x00007FFCD9D91000-memory.dmp
memory/3852-83-0x00007FFCD92D0000-0x00007FFCD9D91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XSFbXLsBohmm.bat
| MD5 | bbb4081b0aa65aa30e60547d0addf02e |
| SHA1 | 9929006fe4cac0ffde932d51cc931ad097aa1d8a |
| SHA256 | 33022b05c96a7e3ef3516fdf54047521dbe764d6f825f13b160997995f00bcdc |
| SHA512 | 16f5b13043491c08ff5db54b449040bf0a515e373534fa78b47bd729f6265064af63365dee4fd1daff9dd3934409b4bb1bcff0bebbefcd8a866edab1788e27b2 |
memory/2944-85-0x00007FFCD92D0000-0x00007FFCD9D91000-memory.dmp
memory/2944-89-0x00007FFCD92D0000-0x00007FFCD9D91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\v21sVDRmH4OA.bat
| MD5 | 400839890e6dfa8e6c3b50f848b412f7 |
| SHA1 | 75fded159706d796d97d0a721472cffe5169aedc |
| SHA256 | 3a8d5dee07b6955fe48cc7820c0434306015a6bb9c96e599a8efe78b5d885388 |
| SHA512 | 8b7a792e6455d0b1f1832174233bf296d74f59e0d7b868b583e793a6c3d04ed63e5fa9a87f39a466e0a62161c4a1eef26a2b1c75654cf92ec12fff4e475fc8d3 |
memory/3724-91-0x00007FFCD92D0000-0x00007FFCD9D91000-memory.dmp
memory/3724-95-0x00007FFCD92D0000-0x00007FFCD9D91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6LXbjoqgH6c8.bat
| MD5 | d9240491f65ed7937d17fff8d3243099 |
| SHA1 | 3093ca8fd107d0daa8f0c672b5980b0714bae1dc |
| SHA256 | 75b03a65fe71394cb71680db1417650836ee48dbec7a7146359a0f7014ea7d81 |
| SHA512 | f1360c9324a134339eab6685226a13275e5bd10b79aab2bbea2eee437df061a66b671f8bba49860f852e5769a2063ceb44203a801bedcdc81c19ce03a1486774 |
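The Files section above is where the hunt-ready indicators are: one dropped `.bat` per child process, each with a twelve-character random name under `%LOCALAPPDATA%\Temp`, plus the memory regions the sandbox dumped for each PID. The script below is an added example, not tooling from the sandbox or the report: it parses the listing in the same layout (a constructed subset of the entries above is embedded), builds a SHA256 index of the dropped files, reports which paths match the random-Temp-batch pattern, and computes the size of each dumped region. The path pattern and the helper names are assumptions made for this example.

```python
import hashlib
import re

# Constructed subset of the listing above, kept in the same layout (not a full export).
SAMPLE_FILES = r"""
memory/3588-0-0x0000000000D60000-0x0000000001084000-memory.dmp
memory/3588-1-0x00007FFCDB160000-0x00007FFCDBC21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\h3KQk3tmpXwm.bat
| MD5 | 309c155aa3118f88dba9c37dea7c3347 |
| SHA1 | f16248043245eac6045857a40250570bded17123 |
| SHA256 | be2c1bc79a66390f03c17ae2b44d5879fd71a94dea926e909f3f416482ea59f7 |
memory/4752-12-0x00007FFCDA1D0000-0x00007FFCDAC91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pcAlz1FrFZia.bat
| MD5 | 20a908ad6915eb284f377c7bfd67900f |
| SHA256 | 4f980d4bb45f4abad4ef6b378b37f01106740a6aa2a193bba3bed9b81765fa6d |
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Assumed pattern for the dropped batch files: twelve alphanumerics + .bat directly under Temp.
TEMP_BAT_RE = re.compile(r"\\AppData\\Local\\Temp\\[A-Za-z0-9]{12}\.bat$", re.IGNORECASE)


def parse_files(text):
    """Split the listing into dropped files (path + hash dict) and dumped memory regions."""
    dropped, regions, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        m = MEM_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "idx": int(m[2]),
                            "start": start, "end": end, "size": end - start})
            current = None
        elif line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if current is not None and len(cells) == 2:
                current["hashes"][cells[0].lower()] = cells[1].lower()
        elif "\\" in line or "/" in line:
            current = {"path": line, "hashes": {}}
            dropped.append(current)
    return dropped, regions


def sha256_index(dropped):
    """Map lowercase SHA256 -> dropped path for quick lookups."""
    return {d["hashes"]["sha256"]: d["path"] for d in dropped if "sha256" in d["hashes"]}


def lookup_path(sha256_hex, dropped):
    """Return the dropped path recorded for this SHA256, or None."""
    return sha256_index(dropped).get(sha256_hex.lower())


def is_known_bad(data, dropped):
    """Hash file contents and check them against the dropped-file index."""
    return lookup_path(hashlib.sha256(data).hexdigest(), dropped)


def random_temp_bats(dropped):
    """Paths that fit the random twelve-character .bat-in-Temp pattern seen in this report."""
    return [d["path"] for d in dropped if TEMP_BAT_RE.search(d["path"])]


if __name__ == "__main__":
    dropped, regions = parse_files(SAMPLE_FILES)
    for p in random_temp_bats(dropped):
        print("random Temp batch:", p)
    for r in regions:
        print(f"pid {r['pid']} region {r['idx']}: 0x{r['start']:X}-0x{r['end']:X} ({r['size']} bytes)")
```

The region sizes are useful for triage: the low region at 0xD60000 in PID 3588 is the size of an image mapping, while the 0x7FFC... ranges sit where 64-bit system DLLs load, so the dumps worth carving first are the ones at image-base addresses rather than the repeated high-address ranges.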