Analysis Overview
SHA256
5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
Threat Level: Known bad
The file 563F7_Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar family
Quasar payload
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
Suspicious use of SetWindowsHookEx
Runs ping.exe
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-13 10:13
Signatures
Quasar family
Quasar payload
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-13 10:13
Reported
2024-12-13 10:16
Platform
win7-20240903-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
(13 identical rows collapsed: one per Client.exe launch)
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
(12 identical rows collapsed. The command behind every row is ping -n 10 localhost, which is used as a delay loop before the client restarts; it tests nothing beyond the loopback interface, so this ATT&CK mapping is a heuristic match on ping.exe rather than evidence of connectivity discovery.)
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
(12 identical rows collapsed)
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
(14 identical rows collapsed: the task is re-created on every Client.exe launch)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
(13 identical rows collapsed)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5TJGcKVTeUNj.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\c8vwK2UPntr3.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LO3t9lGksHUo.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xYtx37YbsTMv.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gOvHvcUgN9tJ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Q0M6L0UJvkz6.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aS8qonnPYnNV.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kdzx4nxs0ZKU.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\67GJp2xPP3ih.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9wzmFnUZUocY.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xh2OsVRzfHFp.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rNr5rHrmqLb2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
Files
memory/2892-0-0x000007FEF5143000-0x000007FEF5144000-memory.dmp
memory/2892-1-0x00000000002A0000-0x00000000005C4000-memory.dmp
memory/2892-2-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (same SHA256 as the submitted file, see Analysis Overview: the sample copies itself unchanged to this path)
| MD5 | fa5f99ff110280efe85f4663cfb3d6b8 |
| SHA1 | ad2d6d8006aee090a4ad5f08ec3425c6353c07d1 |
| SHA256 | 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d |
| SHA512 | a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e |
memory/2656-8-0x0000000000200000-0x0000000000524000-memory.dmp
memory/2656-9-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/2892-10-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/2656-11-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5TJGcKVTeUNj.bat
| MD5 | 1268422f71b0285c97f5561d7e20015e |
| SHA1 | 29860f5226d4e8c4f47f4c47078ee6b123a1c356 |
| SHA256 | 77a204900b947d8b7bc2236cf6769b64e6b3523ed96e82028168ba2881862a95 |
| SHA512 | f5702ca0d6c1f04bf567d3182be43c412d2c076311f81becc7cd7c6954a7e1a79afa1f003abed75fcbf543551ac07c8afc52540cde703881bd941f55ffc015a1 |
memory/2656-20-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/2920-23-0x0000000000890000-0x0000000000BB4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c8vwK2UPntr3.bat
| MD5 | c08653ccff5ce73b4eaeb2293dedc6a8 |
| SHA1 | eaf7453efcd9b800807123e4bebdbbd6fa951a50 |
| SHA256 | 3bd4457d47946e2ee7dadc34173a13af230a3445d3e4054749a42b645b137277 |
| SHA512 | 1a5b188a592a25bc68c5250307302aa28ba78389f4f70fd25e22f5976b69efbf194da43cb1858d5b34932f9c4b0ab15b399c792d41260611304edb0b83b84be1 |
memory/2976-34-0x0000000000AE0000-0x0000000000E04000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LO3t9lGksHUo.bat
| MD5 | f56fcd1b95b1093235ec899018457205 |
| SHA1 | 6cf99e9b63495aa1048556a9c2c314da10c9c048 |
| SHA256 | aae4fdb7f2beb28c9e74f331fbbbed2b3a16ff145f30b004acbb94a0d9535195 |
| SHA512 | a6427b519026f16bcb5ac4289e04bbd73266195cc63e9851eae0a8c0ff93cce22ab3c5e00af8ab007b5c8ad58e903272bfa2b0ae77398bda6b0b4ec49827f6d4 |
C:\Users\Admin\AppData\Local\Temp\xYtx37YbsTMv.bat
| MD5 | 2677900c75c891f4b50917f9463a37e6 |
| SHA1 | f9f5bcd66f7516c98637d0d8335c3c5c0d0d0ba7 |
| SHA256 | 6c66f83efeac06aa4ce0762c74099555fc0eb2cc9a6ebfeb24fa68d57824c348 |
| SHA512 | 7914a01d4aa0b6e1cf796a79b5062a7bb36faeac0e18f776ad0108812445f8addc78b4e2d4e256b2f53f0ef5fbacf4868d306be3f5ebcbcb4a35f43ae305c811 |
memory/1044-55-0x0000000000F40000-0x0000000001264000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gOvHvcUgN9tJ.bat
| MD5 | 2dcbd8255bbd5948ffafd59a499a989c |
| SHA1 | fdd461dbcde8d6aae5fa469177f159be250ef0a7 |
| SHA256 | 9b17fef4e805a77acd8fb709d32711da6a7e1b25aea87b2f2770697ccdc6a968 |
| SHA512 | 568e9c383c1c1a5969adca94708ffd4c5e7d0914aea450d611966ef0008b23dbf01404faf48531b039d93adedfc9cb53503b41e442fa14e0490405e81ffeefb0 |
C:\Users\Admin\AppData\Local\Temp\Q0M6L0UJvkz6.bat
| MD5 | a8140d804789365848d9901e3bd15c7b |
| SHA1 | 3d59cee0a64d190c7fc5968a5127924b80b5b32e |
| SHA256 | 172f6d0a8c0baeed36cdfbd1d2601a22f31df68588cdc4a2207c98d40e5e39f1 |
| SHA512 | a1fca1524515db29230c22396c892e8efb7caefe0e923fa7fbe7034d7ed48559cf0cddf200041a22b407ee7657d76658384365f891a48a3a378707ee6859da2d |
memory/1612-76-0x00000000003F0000-0x0000000000714000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aS8qonnPYnNV.bat
| MD5 | 8be077034dda2949b6bd80a639993dfa |
| SHA1 | b4d429b2c2cfe3cd56511300d916937b8cff8098 |
| SHA256 | 92aa798f48c678c4ce3fd884443504f4f5d1cff4d0087e6e9a22d57d3a7c0d96 |
| SHA512 | 30e0fcbac61056f0182d7d44db2ace7e10513df07aab541cf94daa9fd7f46bb115cf0101047008fce2f0aeafc51a9d2374a7c475a565e676eba2016fb7743393 |
memory/2196-87-0x0000000000300000-0x0000000000624000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Kdzx4nxs0ZKU.bat
| MD5 | 023712e9ed6707eabfb57a4251e0ed55 |
| SHA1 | fba77b934ed799dfdde306e0eb07fbe11c748856 |
| SHA256 | 0d543fbe86d430eae93cc2df3bcdad12777a1c6c2a743b533d83f66bc26de277 |
| SHA512 | 69a9176a968e5b9533893063d6a63a713128d31832a5891c1436e7dcea0ff4855490e64ce9f7335bbbd132cb42f9fb2a0baed817910d77100dd8b14f711ca070 |
memory/860-98-0x0000000000D70000-0x0000000001094000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\67GJp2xPP3ih.bat
| MD5 | 3fcc4c7b97a7e8636933d33d18c427f6 |
| SHA1 | fd9a1a59beebbec0152ae92d043747f8bbe759fc |
| SHA256 | e136ea4a9f9bcddfdd9c1e3cbd0ccbb61996091af64312cbe9cd2408fc648a10 |
| SHA512 | deef925b93a0605f5f6e956e799060b5c2968a0ea52f56adaf981bf53704f206376da470f1cbfa534dfeb6d17f25f0684a1403c5d9a8e2fff161fd0a68041011 |
C:\Users\Admin\AppData\Local\Temp\9wzmFnUZUocY.bat
| MD5 | 901363ed00eee4d98fa458b28bba7fd1 |
| SHA1 | 7b179ac262728ba6fcf7075637ad7c00dbedc651 |
| SHA256 | 045f908912e84c716b96a386115f65da5e9de0e21e6a82e2a1f5a1fc5a0c7255 |
| SHA512 | 042de58fde6e2a0d3e0bda0440930fc4ad45464196ef81964d20dd2d54f08aca4be11133b074298044136e3f42a5e6f2e301bedd7fa69cc104c8685b38515d18 |
C:\Users\Admin\AppData\Local\Temp\xh2OsVRzfHFp.bat
| MD5 | 8325889681de641980d32a7df4120150 |
| SHA1 | 5d4fe08c3dbbbeb29c00f5cce3936d08b1ea5d62 |
| SHA256 | 448b187cceb8da1f643091bede885084a2f933fee5d905950517f822338774c1 |
| SHA512 | ae192c5852c34e24bc9075e952855094ed5df769e4ef8da1da19c47bf46a350aa1b6d13a37380b2fbe66d825831eb665760dc33b2f4d402c46b1548a95ef87fe |
memory/1568-129-0x0000000000E00000-0x0000000001124000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rNr5rHrmqLb2.bat
| MD5 | 63eca2793cb6c38adec88dd511600f31 |
| SHA1 | 57b985b67e1daff211b99f1c511a36b10aa47bab |
| SHA256 | e094722ccddef7f61fdb0917c8d7addea727f67f03b9f312b6b52eeb0b96f09f |
| SHA512 | 848e5ad5dced853293c578d361b84d668d57f4895a917575a398ecab01b39ec24e8d881b30b59452c8bd783882c07c6311bf8523195a873c6f2a1e72b35d16fd |
memory/316-140-0x0000000000160000-0x0000000000484000-memory.dmp
\??\PIPE\lsarpc (zero-length capture: the hashes below are those of empty input)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-13 10:13
Reported
2024-12-13 10:16
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
(15 identical rows collapsed: one per Client.exe launch)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
(15 identical rows collapsed: one per Client.exe launch)
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
(15 identical rows collapsed. As in behavioral1, the command is ping -n 10 localhost, a delay loop against the loopback interface, so this mapping is a heuristic match on ping.exe rather than real connectivity discovery.)
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
(15 identical rows collapsed)
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
(16 identical rows collapsed: the task is re-created on every Client.exe launch)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKD3xYCyxjig.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQoDyU07Mu7I.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1PZcVgwt7lR0.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ijyRXBjdKXC9.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAlc2QtJKO2t.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XFfLm4LcwFhr.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rHoWaGjqGxbh.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\krkFiWqtJPMd.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hZhZ2K2WVe7P.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XjDBMJKp6PrI.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GpxCCm1OSf4B.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9dpySN8UUPTb.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEWqDdssBYYJ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yODjpPXoCPNz.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQ6p621r2v5F.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
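The two process listings (behavioral1 and behavioral2) show the same loop. The submitted file registers an ONLOGON task named "Discord" with /rl HIGHEST whose action is the dropped copy at %APPDATA%\SubDir\Client.exe; each Client.exe instance re-registers that task with /f and then runs a .bat from %TEMP% through cmd.exe, whose visible children are chcp 65001 and ping -n 10 localhost, after which Client.exe starts again. Pinging localhost ten times is a sleep of roughly nine seconds, not network discovery. The chcp and ping lines match the batch-file helper in Quasar's public source, which uses them to wait before restarting or updating the client; the .bat contents are not shown on this page, only their hashes, so treat the match as consistent with Quasar rather than proven by it. Two hunting caveats follow from the page: the sandbox account is an administrator, and Quasar's source falls back to an HKCU Run value instead of a scheduled task when the account is not, so the task may be absent on a non-admin victim; and because every relaunch re-creates the task, there is one schtasks event per Client.exe start (14 in behavioral1, 16 in behavioral2), not a single persistence event.

The following Python is an added example, not code from the sandbox vendor or from the Quasar project. It scores process-creation records for both halves of that pattern: a schtasks /create whose target lives in a user-writable path (or that asks for HIGHEST under a task name unrelated to its target), and a cmd.exe running a %TEMP% .bat whose children are ping-as-sleep plus a relaunch of an executable from a user-writable path. ProcEvent, parse_schtasks, scheduled_task_findings and restart_batch_findings are names chosen here; the PIDs, parent links and the "ContosoUpdate" control row in SAMPLE_EVENTS are constructed, since the report prints only images and command lines and the parent links are inferred from the order in which it prints them.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample modelled on the command lines recorded above; PIDs, parent links
# and the control row are invented for illustration.
CLIENT = r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
TASK_CMD = '"schtasks" /create /tn "Discord" /sc ONLOGON /tr "' + CLIENT + '" /rl HIGHEST /f'
SAMPLE_EVENTS = [
    ProcEvent(2892, 1000, r"C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe"'),
    ProcEvent(2900, 2892, r"C:\Windows\system32\schtasks.exe", TASK_CMD),
    ProcEvent(2656, 2892, CLIENT, '"' + CLIENT + '"'),
    ProcEvent(2660, 2656, r"C:\Windows\system32\schtasks.exe", TASK_CMD),
    ProcEvent(2700, 2656, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\5TJGcKVTeUNj.bat" "'),
    ProcEvent(2704, 2700, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(2708, 2700, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    ProcEvent(2920, 2700, CLIENT, '"' + CLIENT + '"'),
    # Benign control: updater outside user-writable paths, no elevated run level.
    ProcEvent(3100, 1000, r"C:\Windows\system32\schtasks.exe",
              r'"schtasks" /create /tn "ContosoUpdate" /sc ONLOGON '
              r'/tr "C:\Program Files\Contoso\Updater.exe" /f'),
]

# Paths an unprivileged user can write to; a persistence target here is the key signal.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Windows\\Temp|Users\\[^\\]+\\Downloads)\\", re.I)
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_PING_SLEEP = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.I)
_TEMP_BAT = re.compile(r'"?([^"]*\\Temp\\[^"]+\.bat)"?', re.I)


def parse_schtasks(cmdline):
    """Map schtasks switches to values: /tn "Discord" -> {"tn": "Discord"}; bare /f -> {"f": None}."""
    tokens = [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 1
            else:
                opts[key] = None
        i += 1
    return opts


def scheduled_task_findings(events):
    """Flag schtasks /create targeting a user-writable path, or HIGHEST under an unrelated task name."""
    findings = []
    for ev in events:
        if not ev.image.lower().endswith("schtasks.exe"):
            continue
        opts = parse_schtasks(ev.cmdline)
        if "create" not in opts:
            continue
        target, name = opts.get("tr") or "", opts.get("tn") or ""
        writable = bool(USER_WRITABLE.search(target))
        highest = (opts.get("rl") or "").upper() == "HIGHEST"
        mismatch = bool(name) and name.lower() not in target.lower()
        if writable or (highest and mismatch):
            reasons = [label for label, hit in (
                ("target under a user-writable path", writable), ("RunLevel HIGHEST", highest),
                ("task name absent from target path", mismatch),
                ("ONLOGON trigger", (opts.get("sc") or "").upper() == "ONLOGON")) if hit]
            findings.append({"pid": ev.pid, "task_name": name, "target": target, "reasons": reasons})
    return findings


def restart_batch_findings(events):
    """Flag cmd.exe running a %TEMP% .bat whose children are ping-as-sleep (plus chcp) and a
    relaunch from a user-writable path. ping -n N localhost waits about N-1 seconds."""
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)
    findings = []
    for ev in events:
        bat = _TEMP_BAT.search(ev.cmdline) if ev.image.lower().endswith("cmd.exe") else None
        if not bat:
            continue
        ping_count, saw_chcp, relaunched = None, False, None
        for kid in children[ev.pid]:
            m = _PING_SLEEP.search(kid.cmdline)
            if m:
                ping_count = int(m.group(1))
            elif kid.image.lower().endswith("chcp.com"):
                saw_chcp = True
            elif kid.image.lower().endswith(".exe") and USER_WRITABLE.search(kid.image):
                relaunched = kid.image
        if ping_count is not None and (saw_chcp or relaunched):
            findings.append({"pid": ev.pid, "batch": bat.group(1), "ping_count": ping_count,
                             "approx_sleep_s": ping_count - 1, "relaunched": relaunched})
    return findings
```

To use it on real telemetry, map Sysmon Event ID 1 or EDR process-start records onto ProcEvent (pid, ppid, image, cmdline). The task-name heuristic deliberately knows nothing about which vendor names are legitimate; it only asks whether the name occurs anywhere in the target path, which is enough to separate a task called "Discord" that launches %APPDATA%\SubDir\Client.exe from one that launches a Discord binary.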
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
Files