Analysis Overview
SHA256
285e04c2bb8bd46ab0ba229bb888f386c8fba38be6ab038e8f80929ff207206a
Threat Level: Known bad
The file 24e7acb706dffb37b3e682424719f5ab.bin was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Quasar family
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-22 01:08
Signatures
Quasar family
Quasar payload
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-22 01:08
Reported
2024-04-22 01:11
Platform
win7-20240215-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Quasar RAT
Quasar payload
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uzrBa006fule.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8Ybc4omaofo1.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Bqc819dEdlQi.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\90DJKwPZojDS.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dZBGtzhEetCS.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uYnIKErDxrG6.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RT5hZ6b3rRXH.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mhRf9Y5wpgP7.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oB3g7KxpaIL8.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UcRTnjJsJBrD.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jWcoZHR84A51.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tuEkEbkkAxHQ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ax4vSBMK3wcQ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UBSQy542EXep.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9YKoC1ZGdjxH.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JSrJDZQLrhR0.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | Kneegrowless-33547.portmap.host | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-22 01:08
Reported
2024-04-22 01:11
Platform
win10v2004-20240412-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Quasar RAT
Quasar payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZxhL8XxZI7DC.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SS4PQujQyOxd.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ujWzwWWjMyMd.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ilmcCVHJxEqJ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fhPLqedx5Woe.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meUnP5wWZn2Y.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B4B9SDuTH3dC.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gw5gkKXU1DyV.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1WttLNFQVACq.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOkdQsqFpLRZ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H1bMgaGJO1sy.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0agnF48wud31.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U5RAxoiKq1Vy.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R1t2iyHgQuYX.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCk0rgR8Is4b.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Kneegrowless-33547.portmap.host | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 156.33.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.15.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/3232-26-0x00007FFE21C50000-0x00007FFE22711000-memory.dmp
memory/3232-30-0x00007FFE21C50000-0x00007FFE22711000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ilmcCVHJxEqJ.bat
| MD5 | cedf91aef7d92a75a532e95f11746cfe |
| SHA1 | 6f0af95c143368a9ee2d4ab781ddb56c44a31b1d |
| SHA256 | 9d0a407c20a6de81073464cc15bb93fd3798fb75362131e16a32fbb2ac70cea4 |
| SHA512 | b8156256c821c2b34066b6ed3835db414f66e172a99084328ae596f61380aa41b2733a1ae635b0d10673a083842d4b93016a1d43d55e761b74f90a21048e3eb8 |
memory/1604-32-0x00007FFE21C50000-0x00007FFE22711000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fhPLqedx5Woe.bat
| MD5 | 5d133e5a40cbd7e77dffdb92942224d8 |
| SHA1 | 18e43e4bc079ca91c90b721e737cda2ec8dfc738 |
| SHA256 | fbc7f9656b7d3347cbc856818720126d552990d8b1b7418ab2d8bb04ff6a327b |
| SHA512 | d5509053bb32db017b93bfc1e058d7cdaac3fd672183f1936701576bc1cfa613698691a547bdea80b547e182c8b2f53c652564c93ff9a0ecf722297502dfaca9 |
memory/1604-36-0x00007FFE21C50000-0x00007FFE22711000-memory.dmp
memory/1480-38-0x00007FFE21C50000-0x00007FFE22711000-memory.dmp
memory/1480-42-0x00007FFE21C50000-0x00007FFE22711000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\meUnP5wWZn2Y.bat
| MD5 | efbd784d104f77abfc681c15b45288df |
| SHA1 | 212d598b6c0406cf5e0ea0704dfa5bf63d02fa96 |
| SHA256 | 22a7f5275e02555a4fadd3a6a9f84637c40902b87801a8e28b7e1787c56946b7 |
| SHA512 | cdf3efcfee043ea3c57339270949031b499fa061987010998617428ed13e9f9be6dadda5ca66a57dfbec7c90eb2355039466783e696640f4a94d9a6ece83bc2b |
memory/344-44-0x00007FFE21C50000-0x00007FFE22711000-memory.dmp
memory/344-48-0x00007FFE21C50000-0x00007FFE22711000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B4B9SDuTH3dC.bat
| MD5 | 53b6ad4c470486aa8544cf7d91afae4a |
| SHA1 | 826b49471159bef41e0722a60046ea82122675b3 |
| SHA256 | 07c5dc09bcf65838cdf386184b3c840c5e0e5dfe6faaf51040d069d7161a9f5b |
| SHA512 | 56d14c7f0da9768b284f668309c80bd1e2680552d50532e740bebc11675756ad4711b29f8e4a89cdb279448995b2eb41f4c48901845bc7aeda9cc43ee52154a2 |
memory/3720-50-0x00007FFE21BE0000-0x00007FFE226A1000-memory.dmp
memory/3720-54-0x00007FFE21BE0000-0x00007FFE226A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Gw5gkKXU1DyV.bat
| MD5 | 592a782b8dab9ee0d830518ffc507076 |
| SHA1 | 1836d8f4af3f4b6a92ee5597b22077147ec43a51 |
| SHA256 | dec46edb42debbeecde945b74ea94f91571bb7b9daf606284f96464ecf81f138 |
| SHA512 | cc97d6d4631270eda1bf805866af10280225508def18b63e7a0b6f3793c8c82db7d38bbb38ef2604d9224d09e2dde5f02701b617e4b4920214900d5c8ef00039 |
memory/3632-56-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp
memory/3632-60-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1WttLNFQVACq.bat
| MD5 | 36713f9270419e27dc38c791999d980e |
| SHA1 | 3dc114f10e3f9103af7b6d29abe3cd6089a6f192 |
| SHA256 | e13cd3bf18e4bf1c3e4eedff6d455dfd8430e698970ee1f9ba52aa983ca2605d |
| SHA512 | a51e3354a2e2fc0cc200cbfc9a604de9c43506f2540d28e281c931b0145b2ab0d3e22da0e80cee0d82bd50b8966faa4f1b8f93af99b05afa607bf8fc120d29bc |
memory/3088-62-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp
memory/3088-66-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gOkdQsqFpLRZ.bat
| MD5 | 697a6c0c57d3f185b5779f86ec32e79b |
| SHA1 | 198edde59011469630829f5f8de94d0428f9ffc6 |
| SHA256 | 17b5b8773072a60033831906241fc5551b7a924fa476d0f1fce2132ce35842d5 |
| SHA512 | 0a578f462311f0c98b8ff97031f731f73013b6ac2660ec693e1cad2d54a6cb4afa3adb276bbe1b8d84315b2dc765f25c45cbeb4fcfc4cfc587588aa3aba33631 |
memory/1436-68-0x00007FFE21840000-0x00007FFE22301000-memory.dmp
memory/1436-72-0x00007FFE21840000-0x00007FFE22301000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\H1bMgaGJO1sy.bat
| MD5 | 4c7556d01b6723fc166e54da3cdf3080 |
| SHA1 | 3e2bc9cc4006c1b2719914a461cb1a9aba5d7dbe |
| SHA256 | 66e4bbfcb8e441182243201842eba9012d07bcb269b6a102a5200bacff0ea493 |
| SHA512 | db4324e94b3f06a885fa3c7abd4f54771480d7e4078b8fb182d1bc436a2cf258866f070fd6a0bac3cb230e708dfc3d4cfcc7f0befcb165f9de06b390eacc2c31 |
memory/3360-74-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp
memory/3360-78-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0agnF48wud31.bat
| MD5 | abef8f136208d60e3edc2ada7559ea23 |
| SHA1 | 8faa843d692d29c0fba3975c30ed3e6cd18cea51 |
| SHA256 | 1ce8ab144b78ea12140a467272ba2c07d60744803780e773f1c292164ae8efaa |
| SHA512 | acf4148d05b78f56670353ee5b1b071dceb8bd5a01a8e1bdc02b8a9f2602b83f5b7e0bc47f85c9b08a7d711a16a53e3837c02f60a81daff1d2b89300267d459a |
memory/3160-80-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp
memory/3160-84-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\U5RAxoiKq1Vy.bat
| MD5 | 5674126ea427a461ad8770563c605f0b |
| SHA1 | 4c21e691e7caa87066dd04e19151794b435462de |
| SHA256 | e665eb2c7fe3c21417a22498797d0bce39843e73bdc45c28efd098d98c9028cd |
| SHA512 | 60312c55f46d048975290bee1f43ca20132957c019f424ff6a5477562408e5d32cb34ca3c6a55b81e7d427f553498ecf56187e09ffa21458baeb3d0be56e0528 |
memory/964-86-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp
memory/964-90-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\R1t2iyHgQuYX.bat
| MD5 | 5659a0d36613b4cc5efdf58bbb1b7641 |
| SHA1 | df189b6716d226432e74a36744a0de9297e720a9 |
| SHA256 | a4ff5ae8ab471c9daf46cd7639b526b8177d89f24138c7a1faa5db2af7d59258 |
| SHA512 | 29447338f46696392f6faa5e1f66432dc2c26bb843bb3eb5243f7e4abf6e8e1065fb35e992cb531828ae4cd30ff89e9b397e6cce35e2bd42b9b7f2fb1dc8813e |
memory/2016-92-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp
memory/2016-96-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ZCk0rgR8Is4b.bat
| MD5 | 979f8b8211e76d2297a489f41ecbe79d |
| SHA1 | c19f7c332469bd9fdba0a7159f54161404dfe858 |
| SHA256 | dc039ff270910ab5f0336a29e72062a61c850909795f8c3793bcbf2c7fd7b31c |
| SHA512 | 7e0495e14e816ad91e6ecc8ee1b8b66e3ddd354f4d0f55576c30dc9323d026451251e7d7c7013c9d4b68fc548aca83893bcc345fb6302790aa6c1c6475c19ebb |