Malware Analysis Report

2025-01-18 04:12

Sample ID 241029-2zc61s1gjd
Target Client-built.exe
SHA256 9cee560203681db0106de96c3fd5ed335bed6abacd9724a641b42743adfb6220
Tags
office04 quasar discovery persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9cee560203681db0106de96c3fd5ed335bed6abacd9724a641b42743adfb6220

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar discovery persistence spyware trojan

Quasar payload

Quasar family

Quasar RAT

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Runs ping.exe

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-29 23:00

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-29 23:00

Reported

2024-10-29 23:03

Platform

win7-20240903-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2096 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\schtasks.exe
PID 2096 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\schtasks.exe
PID 2096 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\schtasks.exe
PID 2096 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2096 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2096 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2240 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2240 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2240 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2240 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2240 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2240 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 2944 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2512 wrote to memory of 2944 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2512 wrote to memory of 2944 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2512 wrote to memory of 2648 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2512 wrote to memory of 2648 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2512 wrote to memory of 2648 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2512 wrote to memory of 2628 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2512 wrote to memory of 2628 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2512 wrote to memory of 2628 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2628 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2628 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2628 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2628 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 1768 wrote to memory of 1412 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1768 wrote to memory of 1412 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1768 wrote to memory of 1412 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1768 wrote to memory of 2052 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1768 wrote to memory of 2052 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1768 wrote to memory of 2052 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1768 wrote to memory of 1924 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1768 wrote to memory of 1924 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1768 wrote to memory of 1924 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1924 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 1924 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 1924 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 1924 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 1924 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 1924 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 1676 wrote to memory of 1504 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1676 wrote to memory of 1504 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1676 wrote to memory of 1504 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1676 wrote to memory of 2840 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1676 wrote to memory of 2840 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1676 wrote to memory of 2840 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1676 wrote to memory of 2140 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1676 wrote to memory of 2140 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1676 wrote to memory of 2140 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2140 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2140 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2140 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2140 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2140 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2140 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 1956 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2940 wrote to memory of 1956 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2940 wrote to memory of 1956 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2940 wrote to memory of 2144 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2940 wrote to memory of 2144 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2940 wrote to memory of 2144 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2940 wrote to memory of 2200 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HvwcoJAviRoB.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\B8OdMDvi2lbg.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WwIIODJLu9nN.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vXRG91x9ON5f.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\9Z5gO2JPClkW.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TJ03eede15lm.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\K30zZncV3M19.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\8ipwofXrjRYR.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rjrB9coWGEXd.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ty8r2l16kZlz.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gRY3QvHRKyjz.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\L5w69ohX9Lv2.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

N/A

Files

memory/2096-0-0x000007FEF6523000-0x000007FEF6524000-memory.dmp

memory/2096-1-0x0000000000CE0000-0x0000000001004000-memory.dmp

memory/2096-2-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 cd8d41167dc2fae9b0ae6a8648d5070f
SHA1 97a475e752d8bbd6a66bb2231b5ab830f86fdc06
SHA256 9cee560203681db0106de96c3fd5ed335bed6abacd9724a641b42743adfb6220
SHA512 d107718753acdc5495222d28cb4323b81dc7a30f5891b37cb95d39f58302e3c5535defe14e01c9602ec8f83e4a6df8972ae1281fe326347e7a6456536dce9c9b

memory/2240-8-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

memory/2096-7-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

memory/2240-9-0x0000000001190000-0x00000000014B4000-memory.dmp

memory/2240-10-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HvwcoJAviRoB.bat

MD5 ef27b839d375dd10c65839b3ee64c7d3
SHA1 a262d66f648f716e73ac972d63e2e08d37b9ac72
SHA256 23ec9d9b8c77b322cce98bb177b27d48e5495a7b40cb6e171c1eb194bd0e2aad
SHA512 f6e1714c7f9561625e2ee0c818aaa93842f234ebf4f318f525a59abd1160425901e1e3e73414adde49f96c9693cad2db6d24792b11ab697d4e7cca8706c04635

memory/2240-20-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B8OdMDvi2lbg.bat

MD5 da473db3acf0ac71bc153779117495da
SHA1 a54152d387e95de5886c54a8fba9950ada5d8977
SHA256 f3478431e4e093f866ffc77f20408eaf976befcf29548019114639e8e4db4b3f
SHA512 6ddf5632b62264d2f18beb60cb7e4dc3890d9ed783ba89ef656bebc944f95a809e392ab0eb5da411b491f1e30cbe336b36e0e58d22efc4aff7cf70fd000b23ac

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\WwIIODJLu9nN.bat

MD5 9449a4e86cc0f1b7e0aa1d7642358825
SHA1 462083263e4368054e829cbc0d85f5ffe097c0a2
SHA256 6f32a3f4d2fe0283aa5f62173e8c59a8a75e1037389150bab8c026006fc73f74
SHA512 9b9da4d36a781295c8509662567f20168a22521fe343b699bad2db31e975f81eaade54e119b58de9434116bbb9f510fccd4cba98483fb671c8e8168c72b997af

memory/2140-43-0x0000000000240000-0x0000000000564000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vXRG91x9ON5f.bat

MD5 ed062ff4525d9190a15a63c1fff7a0b9
SHA1 919e2bc66a4864282eb7f5a25a5b25c2e00881c6
SHA256 07f68f164e9a97c967d19df09f8c1328f393a50229a45b34550d34f1d9ec62ba
SHA512 f6ae648ddc41b74860e4dcfe42893ae7c2b809f4efd21cb17a91668f36bff620d32b750d12a0f0541301f104c67da97209dd927a69216e26b4a00169a6ca064c

memory/2200-54-0x0000000001070000-0x0000000001394000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9Z5gO2JPClkW.bat

MD5 99051766eb0ca07a9f882e9edb4f84af
SHA1 7d3d54ba8ceb1faef504a77dffaa2e4b9475534e
SHA256 c1d142ec0ed8d7816ff3bfd1bb8e121073ad78a57e71b9f6aeb46fbba3081f10
SHA512 fce937c6cc4a663624455c274e152872bff32c0d488620c3f1609088351c90a4e44658be62d49955ac37804cfad78baad361f06f6c78973215bfb8c9fff035fc

C:\Users\Admin\AppData\Local\Temp\TJ03eede15lm.bat

MD5 d83a83322b4bf7616d4317de544c43d5
SHA1 1864aba9a437719196fe3fc9621eb4d539cbba06
SHA256 950eb2f30ecb63970e602c57264bf6196c066239a558d1d5e5ce951c03c68aa6
SHA512 1606533dc117f00458905ff70f6b670912897b8e5441ff996366d9dca351c2b9e37586e98d7b1bd803aa99f11b7bec3676cb46109626f084d0a43ad9e1bdfeb5

memory/1688-75-0x00000000003E0000-0x0000000000704000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\K30zZncV3M19.bat

MD5 96190234e8c34feea8af2e52c6c816b5
SHA1 ad672dbbc70dd3ba5525a05a9c4af504e26606ce
SHA256 fadfdecefade7154a7a9391f365fb887123e48a7796379b1c4a3bd958f0ea8b4
SHA512 800110acaf7faea29c4345a1a093ec53fae04f00e1d1c5ad00fee5cb8b41f84fa0a0753f54369af6a8d965191c5f957b57c1c4e4fc015045873de7f28749e731

memory/2412-87-0x0000000000120000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8ipwofXrjRYR.bat

MD5 cdd6f97289ed5fc3e4b15f04d718ba0f
SHA1 db211b15ecb3bd298bf20384c30c8c755632c641
SHA256 51ce08d888f13bca79d11fa0b69c3b2eb8f37de3a9699fab776f2a4bc8ccdc8b
SHA512 956a5ab1165f17edafafdc0947077bf1221c69c2d43f82c3bfedc5feae9d285dd9c2cbdd6f95a627b865ff2e5579a977a7aabfe76daba4c5bd2e1db0a58a2dcb

memory/2096-98-0x0000000000200000-0x0000000000524000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rjrB9coWGEXd.bat

MD5 07081468c0d2c9f92a6d34d3791738aa
SHA1 61cbbf706214da0bd74dd005135edaff1e74634d
SHA256 d21910c77fe0a49b09003bd137d3b799ce7e2cc78ba0ec4ed1b4c389bcdaa72d
SHA512 7ca9ab9c120fbe91d2a38da31f9f7ac4392595e73e95cca6a40f21bdaedde328864b52327addcfe1e188a427562a4965f7cd55f72f4a55aebd29d80b04399df0

memory/624-109-0x0000000000EE0000-0x0000000001204000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ty8r2l16kZlz.bat

MD5 99b60b6eaf5647ec76ce358eb4908ebe
SHA1 06d6a8f43e822f38477a0f2d2f0bccc4b9b370c9
SHA256 a4dc397ca0c6b4029b5d772be3fe46d34a6497129da0d456aaf5f4047716a9fa
SHA512 aac689932ede21770540763de462c42a0bb452861870e6a172a3c88d12c01a2ad583fdb380d39db44d8d6ad0ce196e5fb305561e6546c70a088c68d625467d72

C:\Users\Admin\AppData\Local\Temp\gRY3QvHRKyjz.bat

MD5 cbfe23c09a3e1edc69383d99cd403cd6
SHA1 d299be4af93d10d748b8692011d195e1f02fe41f
SHA256 7fd73af4f5506fcf61308f2158b3a5c4c07ae524713d930b5ea196460337c008
SHA512 a04d33c428c96d1216a055dfc5bd83852fcc79ed2e64af1318363043483fd5b96b44df120d6797ba076fe7bc0801c7cc3fa712759026187fc671b8deb836c0ec

memory/3028-130-0x0000000000E70000-0x0000000001194000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\L5w69ohX9Lv2.bat

MD5 570880823c49532b8adfe33960b217ff
SHA1 bfb8909ac6b25ffc87e623c101cbdba045166051
SHA256 a3f415d96c9e75b586d38b0b5821ffa4d84cf1dbfbec188443cb3ed25cba6f41
SHA512 0512b9d7964bab8004b46e9ff69d031fc2512a24473324016b1a682bc866661740327ed9aab54ede1ec0dda30e6fef866f2a1adcc73960fc74fa381ebaabf637

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 0a7cba9342d7bcdbd9eb985a1907b5cd
SHA1 a28214f8b9e7a78994d02908f4c956ed8c5ac01b
SHA256 48d9916bda8338bfefc64bd0296b4dd4be00ae0690cb03931ba27640d0388898
SHA512 41459191eb81db3ab5911089eda144c7dcbbcc85eec57ae4323295cfaf837d231449825f23456022f33f7049d18ab2db25648b26ea5e4da1c9b812c3c85c7006

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-29 23:00

Reported

2024-10-29 23:03

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1052 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1052 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1052 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1052 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1860 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1860 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1860 wrote to memory of 232 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 1860 wrote to memory of 232 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 232 wrote to memory of 1512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 232 wrote to memory of 1512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 232 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 232 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 232 wrote to memory of 4440 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 232 wrote to memory of 4440 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4440 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4440 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4440 wrote to memory of 388 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 4440 wrote to memory of 388 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 388 wrote to memory of 536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 388 wrote to memory of 536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 388 wrote to memory of 540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 388 wrote to memory of 540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 388 wrote to memory of 1796 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 388 wrote to memory of 1796 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1796 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1796 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1796 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 1796 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 4212 wrote to memory of 3732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4212 wrote to memory of 3732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4212 wrote to memory of 3996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4212 wrote to memory of 3996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4212 wrote to memory of 4208 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4212 wrote to memory of 4208 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4208 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4208 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4208 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 4208 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 1512 wrote to memory of 3308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1512 wrote to memory of 3308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1512 wrote to memory of 1812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1512 wrote to memory of 1812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1512 wrote to memory of 4948 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1512 wrote to memory of 4948 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4948 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4948 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4948 wrote to memory of 60 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 4948 wrote to memory of 60 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 60 wrote to memory of 232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 60 wrote to memory of 232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 60 wrote to memory of 3292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 60 wrote to memory of 3292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 60 wrote to memory of 2088 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 60 wrote to memory of 2088 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2088 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2088 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2088 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 3288 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3288 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3288 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3288 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3288 wrote to memory of 4900 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3288 wrote to memory of 4900 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkjSuq06FxLV.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3hC18WW9WCvT.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaY7zj6Y5B4g.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wLVSCrRm3b0b.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8qyvATvVnCRn.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2ps5ibXO0XaA.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baxOfMTeC36y.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bt0tKfNxeDpa.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TA7OlsVphrbk.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSU89qRZd35G.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TebG2cn9bPEN.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCOY1KI2oo4e.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\59I1gFU7czO1.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1XFAnwjsu9bA.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 200.79.70.13.in-addr.arpa udp

Files

memory/1052-0-0x00007FFB82543000-0x00007FFB82545000-memory.dmp

memory/1052-1-0x0000000000AF0000-0x0000000000E14000-memory.dmp

memory/1052-2-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 cd8d41167dc2fae9b0ae6a8648d5070f
SHA1 97a475e752d8bbd6a66bb2231b5ab830f86fdc06
SHA256 9cee560203681db0106de96c3fd5ed335bed6abacd9724a641b42743adfb6220
SHA512 d107718753acdc5495222d28cb4323b81dc7a30f5891b37cb95d39f58302e3c5535defe14e01c9602ec8f83e4a6df8972ae1281fe326347e7a6456536dce9c9b

memory/1860-8-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

memory/1052-9-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

memory/1860-10-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

memory/1860-11-0x00000000031B0000-0x0000000003200000-memory.dmp

memory/1860-12-0x000000001C350000-0x000000001C402000-memory.dmp

memory/1860-17-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gkjSuq06FxLV.bat

MD5 fd5be971eefbd7ec9c94c6f2af289381
SHA1 79394287d00320402787fc6ae5f0ced6d22b159f
SHA256 427b2df17151f83a87b0f05a0c8c90d79f97515ec6f12bb182c9dd56e0e8feb0
SHA512 9d09abc3d89b3d1f0dd28548ec1337f9450623c511d95cb81370dd276847e9ef8c4eac2aceb99588e4cd749d35888f0a591a42c813099603b980b86c667d8a9d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

C:\Users\Admin\AppData\Local\Temp\3hC18WW9WCvT.bat

MD5 581ad13978c4f2d063d8b575e254a151
SHA1 b04db8b3f9afed2461734c8ddaebcc0f24b1dfa3
SHA256 bdb2a72bcd7028a7095e735fbdbcb476aad4e1396530ff39d7bd6c08df011806
SHA512 605a9203fd9790a219ca7e5dbac32cf222bf37041cb13d144ef683ffbabda56a76d009784cb1478ea428d7cf8036aedd7d082f8b90b3e68c935784887d5629c0

C:\Users\Admin\AppData\Local\Temp\FaY7zj6Y5B4g.bat

MD5 bfdfea9b1b8c3d1dd8e7b527c358e6fe
SHA1 36084e844f8b2a86160e845a8c9a86a3a69998b6
SHA256 187e93d936de7668f711752280065926e80aaebb619746653be6f3cefe391168
SHA512 68a8901f11784bba0c8f462cb8f4735ccfc516dac6c1b2001db1bdc273bb790ed80fd35b9cf5ee04f90b720cd5c61c28ed63e8f76732e094eb3f95f6f0146022

C:\Users\Admin\AppData\Local\Temp\wLVSCrRm3b0b.bat

MD5 c026636222ba27ebb2e3642645ac4d04
SHA1 290e46214c185bb6b72be3d1659690004c31122e
SHA256 5c25f73a610b701f63a7957fc73d3b8393348823bf2b33f0878f3cf38bed54a0
SHA512 bf938209668eea5d03ddc459eea40fecdb3a86b738dd8d6b9aedd005c814469a36d505340e7a9a1fc6b691d659562c71d9cf9342964cc9ae5a672d4a2724295b

C:\Users\Admin\AppData\Local\Temp\8qyvATvVnCRn.bat

MD5 a723a49440c4e67da632ba0bfcef0ea3
SHA1 30feabd5a92246908cfc569f6bb0bd6d56405e1e
SHA256 4dbc523742f4ac1f1b37440623aade437462f5dc6e96bd57ddf478acdb3a7fda
SHA512 a723044f1b8249d6603f14a4ad739e37e4be0c6900df93ff11e95bf9dce35db98cc9430decd7488cbb96d498930718810c344e62ca5a77dec0c33383beba692f

C:\Users\Admin\AppData\Local\Temp\2ps5ibXO0XaA.bat

MD5 1a3c7edaa4976cfd20c270a6272e83e2
SHA1 188f7253b4d93a6cacce15c10b3ef461369ef068
SHA256 830233d65b78edef92aadd4cf096fd5d21e6184c6fcf23f1956e72be545248d4
SHA512 ce6b45066f102eba6afac5cab5ddae63ea3d59078ecf0e557e1b6e55beac89ea5abb7c78db641125c082653108bd147f3f41cac462437a2a177c846223575ced

C:\Users\Admin\AppData\Local\Temp\baxOfMTeC36y.bat

MD5 d49087af4e2aa84e7a14f35b9b6aa0d4
SHA1 aabebf38da629654894cbb64c3b8c6a6423a1b5f
SHA256 b657361f8d47bad911e229f34784fe5dc7269c435ce63381020b7d0cc48d3bdd
SHA512 7b8d1eb196b8ce8142c9fc75bd3be6d473f64c3e7c03efaf03faeea0a752b0b3d5f2d197baf305ed3658c0c5d822755cd717512ddc8b830f5a5539aecf55b4b6

C:\Users\Admin\AppData\Local\Temp\bt0tKfNxeDpa.bat

MD5 a208cef53201e21f8c705b246f9ff53c
SHA1 b5cac5cfab520ecd0c6cbf747948576cb7888083
SHA256 2c05fe8f85c427dcf5d24eb982b916a5f59082238f00750a1180b815427be304
SHA512 b2a10e5b5da86b5c00c7e6000c57bfe05f760ccfa2941e6b6098a783487a63c2712cd15914d3e5ccd39389c1a0008656e0133e9260b16623e56e08b703d1fa23

C:\Users\Admin\AppData\Local\Temp\TA7OlsVphrbk.bat

MD5 4b0570b31a18aae65fe90dd8c4cb76ff
SHA1 d9c8dcd1cfb838df045bfde06b6e33579d5abab5
SHA256 d8969505eaf98ee40c118e813c979d1c027a8e010bad7e34911841da7d915bb2
SHA512 941a232c76a799f6ee97ca7cc30115d788f7891cf6cfc7849896e8874359a2a50e2c54abb6eaf33f5554dd4592b25ae9c9ba9f0c1dac3717ada0777ce4ff8b41

C:\Users\Admin\AppData\Local\Temp\eSU89qRZd35G.bat

MD5 81d7d5326d718a4fe3d7852199ff230e
SHA1 2a8357cd742fbb9bb3e5f59846e4bc0beeddddd2
SHA256 2160159ed9e00a64cb505ae6fd6309ee3449dd5871e56e888053ee5b8961386f
SHA512 cc518238a9dc7e1d80eb4b6690c62235c92d8eb3241cd58c27630d40f0cdd2bc57dce517191493bf9eb51a337c5d173c9605cc13ee5dd5b19b4800165dfa75ba

C:\Users\Admin\AppData\Local\Temp\TebG2cn9bPEN.bat

MD5 e2313dddf756f98db9a01021112d48e6
SHA1 3bde279840268527660f43412df2690c012da310
SHA256 64602250401c4cb41eaf6392f20343a3554c0a86576bba7bdfa3d8c1fd4dceae
SHA512 0e8da7b04e86d6023656a9d61332b3c2237e07aa54fe35714efa38d4c1712948f66d88f97fd8edb6419839d9ee2af3f74995a5bd2a273f50eff4e3f6da966d65

C:\Users\Admin\AppData\Local\Temp\NCOY1KI2oo4e.bat

MD5 cb9a80992c7f67e9d358fe4910670c23
SHA1 bb9a17578ed3d29ad7bb65bbb66d9e6a2334265f
SHA256 f4ddb0f19dbc0718b026b156048b7f0bb9cc3878223ec36f27208f52db10209b
SHA512 7f2648e58d9d4f6da488b37a4e4d71fff09d47d0dc09f2d1913dac51059a89d35bdaeeaa15505608a217934f944fea2d5a51cf0fd31c0fb4db683b112bd6ac09

C:\Users\Admin\AppData\Local\Temp\59I1gFU7czO1.bat

MD5 3732a1e779536acf4796c37024759fe9
SHA1 75836b87a801344efe96ff384ec29b9004a43037
SHA256 61482c4bf405afe58661e50a556f9bd8c8eb90133d0c8807780486626a2303d0
SHA512 fb5770b4422c5219998581b59f75abdf23f57c39c0750d24fd32bf20ad1954860011836f5011b312500f209f495e1842509986e87e6a6775ea8f743e8f9279f8

C:\Users\Admin\AppData\Local\Temp\1XFAnwjsu9bA.bat

MD5 c0f111949ecc62bf455634760b9c4c95
SHA1 7d976d3b5282d99960e6d8f6a082e6a1d05295fb
SHA256 426a10c87b730cb78642d23fcd5a32ee1d9ff695ae90a5d02bc18c0a34c7645a
SHA512 eb0db23c5b0f033862e5514fb786b33e2ada35f4c618fa21f36bcf475db65bff3509a7cc7155d8d440e4e737a5f0d5743a76385d3d1052460f4ee330aa313861