Malware Analysis Report

2024-08-06 11:18

Sample ID 240614-24qynszdpd
Target Client-built.exe
SHA256 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
Tags
school quasar spyware trojan persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

school quasar spyware trojan persistence

Quasar payload

Quasar RAT

Quasar family

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Program crash

Runs ping.exe

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Remote System Discovery
T1018
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 23:08

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 23:08

Reported

2024-06-14 23:13

Platform

win10-20240611-en

Max time kernel

297s

Max time network

304s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4420 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SysWOW64\schtasks.exe
PID 4420 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SysWOW64\schtasks.exe
PID 4420 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SysWOW64\schtasks.exe
PID 4420 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4420 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4420 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2272 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 2272 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 2272 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 199.232.210.172:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 runderscore00-37568.portmap.host udp
DE 193.161.193.99:37568 runderscore00-37568.portmap.host tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 runderscore00-37568.portmap.host udp
DE 193.161.193.99:37568 runderscore00-37568.portmap.host tcp

Files

memory/4420-0-0x00000000732FE000-0x00000000732FF000-memory.dmp

memory/4420-1-0x0000000000810000-0x000000000087C000-memory.dmp

memory/4420-2-0x0000000005600000-0x0000000005AFE000-memory.dmp

memory/4420-3-0x0000000005240000-0x00000000052D2000-memory.dmp

memory/4420-4-0x00000000732F0000-0x00000000739DE000-memory.dmp

memory/4420-5-0x0000000005100000-0x0000000005166000-memory.dmp

memory/4420-6-0x0000000005220000-0x0000000005232000-memory.dmp

memory/4420-7-0x0000000006430000-0x000000000646E000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 0c84b58a5322284269f3b86e648e1fc8
SHA1 6776c3963a64a3ace4caaff164669364356f72aa
SHA256 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
SHA512 02bc07552096f2b052e064ed2941cde5b70058066b614fa7374dbf7aa2177458a22d9746181b8f88e3468b252adf7e1aa1518ed9085ed78af5b736a02fa297d7

memory/2272-14-0x00000000732F0000-0x00000000739DE000-memory.dmp

memory/4420-15-0x00000000732F0000-0x00000000739DE000-memory.dmp

memory/2272-16-0x00000000732F0000-0x00000000739DE000-memory.dmp

memory/2272-18-0x00000000062A0000-0x00000000062AA000-memory.dmp

memory/2272-19-0x00000000732F0000-0x00000000739DE000-memory.dmp

memory/2272-20-0x00000000732F0000-0x00000000739DE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 23:08

Reported

2024-06-14 23:13

Platform

win10v2004-20240508-en

Max time kernel

298s

Max time network

296s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4548 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SysWOW64\schtasks.exe
PID 4548 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SysWOW64\schtasks.exe
PID 4548 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SysWOW64\schtasks.exe
PID 4548 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4548 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4548 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3024 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 3024 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 3024 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 3024 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2016 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2016 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2016 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2016 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2016 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2016 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2016 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2016 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2468 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 2468 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 2468 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 2468 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3808 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3808 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3808 wrote to memory of 1400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3808 wrote to memory of 1400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3808 wrote to memory of 1400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3808 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3808 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3808 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1888 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 1888 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 1888 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 1888 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2784 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2784 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2784 wrote to memory of 212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2784 wrote to memory of 212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2784 wrote to memory of 212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2784 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2784 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2784 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1156 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 1156 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 1156 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 1156 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 3636 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3636 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3636 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3636 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3636 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3636 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3636 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mugHdqp6qLrO.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3024 -ip 3024

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 2084

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOlUfuXxUtmI.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2468 -ip 2468

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 2152

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGKuU6yK0ylt.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1888 -ip 1888

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 2160

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyPP8sJnRCpe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1156 -ip 1156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 2228

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YPbQ7WM5HsqY.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2312 -ip 2312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2228

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mhOzCRojLlAh.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2952 -ip 2952

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQHDdxIWInvN.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4828 -ip 4828

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 2228

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\17YzVzTgEEIE.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2788 -ip 2788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 1120

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ebgma5hQyzHn.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2552 -ip 2552

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 1220

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9ArO4M8k06Wn.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1728 -ip 1728

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 1076

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUZ3GA8AUX0a.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 452 -ip 452

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H0JKvlhXGuOw.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 464 -ip 464

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 2224

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Mha5mmrhBKlo.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1328 -ip 1328

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 2224

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcoYDU8boECt.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1472 -ip 1472

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 2232

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp

Files

memory/4548-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

memory/4548-1-0x0000000000F40000-0x0000000000FAC000-memory.dmp

memory/4548-2-0x0000000005F50000-0x00000000064F4000-memory.dmp

memory/4548-3-0x0000000005A40000-0x0000000005AD2000-memory.dmp

memory/4548-4-0x0000000074A00000-0x00000000751B0000-memory.dmp

memory/4548-5-0x0000000005AE0000-0x0000000005B46000-memory.dmp

memory/4548-6-0x0000000005F10000-0x0000000005F22000-memory.dmp

memory/4548-7-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

memory/4548-8-0x0000000074A00000-0x00000000751B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 0c84b58a5322284269f3b86e648e1fc8
SHA1 6776c3963a64a3ace4caaff164669364356f72aa
SHA256 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
SHA512 02bc07552096f2b052e064ed2941cde5b70058066b614fa7374dbf7aa2177458a22d9746181b8f88e3468b252adf7e1aa1518ed9085ed78af5b736a02fa297d7

memory/3024-14-0x0000000074A00000-0x00000000751B0000-memory.dmp

memory/4548-16-0x0000000074A00000-0x00000000751B0000-memory.dmp

memory/3024-17-0x0000000074A00000-0x00000000751B0000-memory.dmp

memory/3024-19-0x0000000006940000-0x000000000694A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mugHdqp6qLrO.bat

MD5 f49139459166edd22f92ef22ef322c7b
SHA1 72a48c4f0d6206b2a552e1f700e1cf8d70f9304f
SHA256 4e6456e13fbc350d163db4eab57b074b5ee2ad51e16f3595d3f1ea0ff7638629
SHA512 1b90f25c54cd367228ce8440e98e1305a8cb98102d2ef3a0f3179eda798227c297203801b156abf10cc63cfae36952a8a21bd77e5e5635faaa6b42343e720451

memory/3024-24-0x0000000074A00000-0x00000000751B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 9302000a47086ed23a4857ca5fa8c939
SHA1 30df9a03eb52fbfd94b7c13ab1f0df7508c5692f
SHA256 09750f3f87157383bbdbf3b46eaae974ae20ecb360cb8b0e74ed2144bbc88e38
SHA512 11254eea791aaaf7a713fc593848b0f987ba747518b0fca994497b08fb07fc7047e42de25ce14ef33249625d67e2d6cc733107d942868a39e313357980477ace

C:\Users\Admin\AppData\Local\Temp\MOlUfuXxUtmI.bat

MD5 8039578590632107cde652d70155c16e
SHA1 3cb5cb06d98398837917e7bf6d398d9ef2bfce3f
SHA256 84e07b3dda191c73cfba8533ae58464e5c29d6bf4f53ba8883c52874ebd7e7f2
SHA512 08baa31d51bcc926b4b0d335d806ad73bd2750951bee674d0d4ba8e7705a3265a986847d64087fac748691b4cbaa74a71bf0da357fc6aac21d48993b110c3766

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 951e35dfe53cb68fea4475e474240d74
SHA1 5c6f65f662fcd98f43230bdad8d248fe433650f1
SHA256 d1ca32314d577b968c4ce084f49decaa479b2e1e1f02a4e57979d77c67fbdbe4
SHA512 e627ea0fc5ba1a927eedd9afab4f6fb5ca333bd20dae6e4d89f62ced059cd47dc718a6ec48a5c83e11222043eac3af4ce711edd3f5ada86b93e9e92df2575561

C:\Users\Admin\AppData\Local\Temp\lGKuU6yK0ylt.bat

MD5 97eb89f276ff63312aaec641a8880b8e
SHA1 22d92f9c1d908a0d3a68940d4035a76d8cef71ab
SHA256 acc776c543fc6a2c268dca66c243959113132162109fc7092cd7004d2d0487c8
SHA512 7640f29c771b2cdd1543fbd77de6def4ec5ca0c8b5fa1ee29f33a63b9060dd9defd105e439adb8beb55225b8045fe1e6db061f83b53119ae106be0c5ea7cc6e1

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 dfbbbdef724fe89fdf55465c54440b0c
SHA1 93807acfbed6abb59b8a9e0a5b3700b8884fc899
SHA256 56d84da74a252620fd5a0768cb986ecbc43c0b79c376b6793e4909c56f2eb580
SHA512 fa6f1271f5ac6b7089d6cf8ffffecee1d378362016b34f17e8ed21c0c7bf5aa53d9f4d1fab07ed7b5b0d613857bd5d9c7b8fa2eceda1d2542a66143a8ea19a62

C:\Users\Admin\AppData\Local\Temp\tyPP8sJnRCpe.bat

MD5 1cf2a1acd46bb642a6472c557e25c76e
SHA1 95163b4b7df6f3ad9f8eb57fb0b3a3dc3c3bcee9
SHA256 ac069da8b8accf5e30abfe6c47b56c592ac1d577cea3790e4b8d50a07101a08e
SHA512 ef2e99868390119629c2ccc7a1cde5ab7c93f7999fbc58fd582a5e01ec0c98c9d04798783dc67fb1b5b695797cd4c178a501e13dd1af218c7a72092d0deb6918

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 ca406994a3b16b2aaf93de1616283601
SHA1 a7c8545819e20850560ae81a0a576ab0c87f4437
SHA256 37d253749cfd7d0593ce675b0f1eb0d87f941f853e150c61b1865ee3a92d7a35
SHA512 7a3468e16f33c5d643037c1de4c10c48ebe16f11c24ddb4df00b27dec8656bac5506d7dbc0bc2cbc2bb92218f6ea755d6c11c7a9f61128bd019d70283aa50202

C:\Users\Admin\AppData\Local\Temp\YPbQ7WM5HsqY.bat

MD5 2b01ac387213cc8f9ba5479b3a5a4046
SHA1 4b91e158c4b6bc5a34e997911204f5de31f07834
SHA256 0c631746181f18e3024958d877a9cc6c8c871122433aba91c79798cb13ab7abd
SHA512 a8736c62260017e964a4c3aa9be6ae0473e47699b5b55900e18a248837477b31f26e9471228084153c59d068a90ccb1a22883cd3255698f3be98f6fc40ba5938

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 393b6708296ed2fd63d5887f290c9762
SHA1 2ac002e9b4e82b3d88fdefe861c1339f77d664fc
SHA256 59a3c96970d4a2a92e4f86261df897666b8621af27bca1cac1aea87f235416b1
SHA512 16cc9d6e5a4965006ee804900d57e298a1de0107b59bb80660d6d44f67494c914aa9d167cd48afb5a45cd73b31524b567ff8fe9ea52522a6691f84b0062d7496

C:\Users\Admin\AppData\Local\Temp\mhOzCRojLlAh.bat

MD5 e9199cf65640d4a9a1f2695590a4f4d4
SHA1 50f944cfb28eb0b2f7ce3bd73074b7c531c54de9
SHA256 30c704fb285ac7ecaf2cebe4fc05d1b2aab032bdb865039bb9d2a37e43e92f31
SHA512 93e3c27a38440dea5181a96be197d0fd36b3b975e416a5b8c4ad9ae9b75c7a69148b42d088d88b0a8b94eadc57aba21d57c473a7bf0970104649c19b01ef14ea

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 632aa15823ec774d8f7eaff379273b44
SHA1 dbc576f4c77100f6a7533f661d80337a5fba6f71
SHA256 50253a2ce99b36bf5fa254b8144a8079c77b11235f18f8bd29f86729220c34c6
SHA512 eb3c525ba179974d83966df038f761f2703ea1e1136099bc1843b5d5c63bb23e0e5d3d282037e61d383bd462d317f253a7fd0081d2821f4b36a8f62108fdff2f

C:\Users\Admin\AppData\Local\Temp\xQHDdxIWInvN.bat

MD5 ae05e0bd6d591bc46ee2cfb1d83efe6d
SHA1 62e46507436167366c148aaf239e10de862ba036
SHA256 9ecb781bae439aa880f0bb150e29659a48e05533b77c726c86f5062372385854
SHA512 ff9a7a89b71c4611735d269f1dd7c5c99d601a2b65dea631dd875ba3a120944b2d56b5f164d750541686bc713f981fb767c1d4e54a9d6fbdedf378fdefa883fa

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 d0dbf77b7c53b6c0f70d6166538d9e1e
SHA1 a2fe53e6ad8ac9f0ed2627bd220abe32a39824ab
SHA256 8fb2d2f23261fb593011887def84f42038b5816a3236f765543d89dfa3e0e9bf
SHA512 1d8f238a82b33f8c50dd3f6fe5e98f2e44ef65ac44d975ce12ff587cee4c329b1c9e5ea9bfcc5c246b78dd523084e16c58adb55a11091a2357eeda6de5bed714

C:\Users\Admin\AppData\Local\Temp\17YzVzTgEEIE.bat

MD5 8e408b8530b44e87e4204422276cb63a
SHA1 4a32d0d895e098783e2a7a4d7b2451beacbb5c0c
SHA256 19af4ff216c506e388645b83d0687861ec382d8e51860cb52f4a66bb36c21b6f
SHA512 a93d4d2d88ddcd532f24e38b4bb0c90151b68b9c9572e0a427424f84cf80ae646b90fa70fd332fe79577276aa025f91bc1f8190268cdf351708a4cc171fa943b

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 04c04490713f114668c5946f67daeec3
SHA1 adabe1fa6d2244e777d4df617a2d357d4da65620
SHA256 9f7266e5354168997d6cbf3c069411aa42652f451df906e5519cab18c4e8e071
SHA512 8a1f6fbd6c8195c6a844a350d716aa571d06288a25f37cc6d1ea6bbaff4dbfc53824da23f54a9477bf242c8d34950950a11d314002d08cd350de7eb79fa5ce7d

C:\Users\Admin\AppData\Local\Temp\ebgma5hQyzHn.bat

MD5 23ac15137728b22558e161d24871f007
SHA1 7b4150ba85cef650b059b8198d3139ab5afb4bc6
SHA256 8b3f3d73a7e8a3813d14a60d403940430708d6b3bdf8f4866943250c3fd6415d
SHA512 437be47fb38d44f32ab584b708d5f22cd715060d8fe690f1a70f364fb6090450905e471fd23e195463ce762a9ccfce7f3f7cb03a4a8bc1a43ce97e0238460d75

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 949096914a2b725dcec002a75c30c004
SHA1 b0b8bc75434922b4511d56b81daecfd6ea0c14e5
SHA256 52e319a81be32edf2badb8cf0d3cd53140414f2f9e26655e8c61d574bb2ca408
SHA512 5a2f4383b382b0d4198aa3af99d1e4e895b46d57dde3c767081c833d29fa11c03f31628731a4fbe4c2f49ce56883dcbe036ae312c2d0a40ea7cd49775d90360b

C:\Users\Admin\AppData\Local\Temp\9ArO4M8k06Wn.bat

MD5 b9410c6d9aa7be95c5e8a7cec3b234ab
SHA1 d16ff4901d3b029460408bafe266cbbd82b19c6b
SHA256 0f2dbc09412c20f4b6bfd2d0fd263c34a0145d26d8f9c3e2fcd1bda700ce72bd
SHA512 a154bb4d8b2c67534761aa244aee6d42e35f6381cb90c83fd816a2aeb0c9deeeb8359fc411ecd40d42843f67de9d68260b8814b4e25bf47e8923813ab7987178

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 5f3d610b132d56580ffc491e54292cc6
SHA1 e7d3c911bfeff7960f9f85b85998bd92e4c5bb37
SHA256 98971a1bd6d7ec8ba20f29d176efdcbf50abb86f7ab62d61ed125909c0010316
SHA512 9363088c03ed209b9f1ce5168a7cbd2dd4187340d797e0bdaebde8a806cdfc55804a96108e2594d06eb5dec3b760febd59ed14f61ed69426349d7d32dde88d09

C:\Users\Admin\AppData\Local\Temp\YUZ3GA8AUX0a.bat

MD5 e8f196aaac24e5cb3982b95634a2939f
SHA1 783029dbdb5110ab6c4b930189f0d2dd763572e4
SHA256 4053768efdbac78bfe4209bff96a05f2c51f905975965eae09aeb14cd5ad07ec
SHA512 996a8e80fa6725db63bb63f3ac6275b7cd1a37462c7790a6ba47b1eb950d5d9bcde5d53f1c6d1fc98b79de0169ac30ed03631f1a48fe794da082ffbb30d1cab2

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 3e62329980710769bd3f6c8cb6ef0244
SHA1 9c1c90790bb62157e3089d9815c24061d2830cdc
SHA256 1c259086bc974a76c833c30b70c4bc985bbe6873284fedc00c3257aa2f613486
SHA512 76c9b4f6390a50657e18475ba0638b71c8f37e799b2f3d7521fc5737c1023b28f16b1ab9e3f4976bbd333f3cc7441545efd1074449a135f100e96fe28c8c38f8

C:\Users\Admin\AppData\Local\Temp\H0JKvlhXGuOw.bat

MD5 fa3d320822889c9ac7bb0a737f99ed28
SHA1 df9d67cc4ce273404c3321b9ec82244071cb453c
SHA256 35475e0e7198995db7680646e90e4435851de07ba6743eae84ab4940019389db
SHA512 0ea2448ca2cbad269c942da528406437e6025a9cf8416c29768c83c092aeecab44f7b450ee4ad1e5284aead879171d69dd22327e8252d53b87f8415d1d5349b5

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 dbee1800fcd0fb9eddb610861d7e0550
SHA1 2a54b0e9bde771bd237cbe8465418510bae6cb77
SHA256 54cf27c3132921af81b0e4f7b2343476f81821201448fca1bede78aa76313275
SHA512 6221782a4e26def5aec5cad9ad29a051c0fa3f0df37425332683117e25b25c73d7bc183623752001b3bdba4265dd713ef1dce368af82c910d8fa1bcc9172e5bd

C:\Users\Admin\AppData\Local\Temp\Mha5mmrhBKlo.bat

MD5 08cbc5900e4ec94ac0c1b904123302a0
SHA1 6e869ae5032fa28d1f248d6f499de41cf959a809
SHA256 16971741a46d95dfcf2e236fbcf6743b51829dee294ed5867cabe60415647dd1
SHA512 4a768f43620472ffd68afe1d68f9883039b843d16562c07f145f882a0994757316189fa062baddcceed911a429135843d07cd5187287dd77a47503fd4325d181

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 59057c38f68dc2e2d50bd65c94d6ef31
SHA1 581760dfcf7511560a36e6db17b4d0dcd5ddea5d
SHA256 c4db4c4df7f1053042ba2af924bc077f06cd8e6777236c04d933e577ecb56252
SHA512 e2d79781297fb118aee7a5e8f6252c47ded4d9870c2f12d3061dc424db5ac58a50134ac7e942cd3c19713e712feae0e2c2070ebc0685af26534bf79c1ae73868

C:\Users\Admin\AppData\Local\Temp\vcoYDU8boECt.bat

MD5 f60b8359f194d79f4db76bfeb16524dd
SHA1 6faefc320a0d66fa936b192b9182d5fd347177a3
SHA256 307f84d2a1041c3d79923017c6bfac2078684ede7b803f88418330362544dc4c
SHA512 65a8ed7018019f1e48cfa0122fe9753a3ca9ab9a107fc02172b2d4711e7908bc9ff9bddafd0957d0db11d2b43fbbd9665d77dcb32a378388ff7a448d3446cc9f