Analysis Overview
SHA256
5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Quasar family
Executes dropped EXE
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-13 09:56
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-13 09:56
Reported
2024-12-13 09:58
Platform
win7-20240903-en
Max time kernel
150s
Max time network
139s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target | Count |
| N/A | N/A | N/A | N/A | 9 |
Executes dropped EXE
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A | 13 |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A | 12 |
Runs ping.exe
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A | 12 |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A | 14 |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A | 13 |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VSn760WZH0Uz.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MxxAxCinORN2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nQvj5PvJlDNZ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fsyB5A9GxFv0.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NKZOsStaHnxh.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YHpQVsSxpO1H.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BmF1Veg5ErJJ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5RdUZjzPLTbX.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\moRnlqieH7yY.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\E2KoZnzKMp4t.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1qgtLArCXLYb.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WbEeXeyoxzs3.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
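Detection logic for the chain recorded in the Processes sections of behavioral1 and behavioral2 (the same sequence runs in both: schtasks registers an ONLOGON task named "Discord" with /rl HIGHEST that points at Client.exe under AppData\Roaming; each Client.exe instance then has cmd.exe run a randomly named .bat from %TEMP%, which sets code page 65001 and uses ping -n 10 localhost as a delay before relaunching Client.exe; meanwhile the client resolves havocc.ddns.net). This is an added example, not part of the sandbox report and not Quasar's own code. The sample events are constructed from the command lines and the DNS query shown on this page; the pid/ppid values, the parent-child links and the Sysmon-like field names are assumptions, since the report shows process order but not the tree.

```python
"""Detection rules for the persistence and restart chain recorded in this report.

Added example, not part of the sandbox report or of Quasar. The sample events are
constructed from the command lines and DNS query shown on this page; pid/ppid
values, parent links and the Sysmon-like field names are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Dns:
    pid: int
    query: str


USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# ddns.net (No-IP) is the suffix in this report's Network table; the rest is an
# assumed watchlist of other dynamic-DNS providers.
DDNS_SUFFIXES = ("ddns.net", "no-ip.org", "hopto.org", "duckdns.org")


def _arg(cmdline: str, switch: str) -> str:
    """Value of a schtasks switch such as /tr or /tn, quoted or bare."""
    m = re.search(switch + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2) or "") if m else ""


def detect_onlogon_task(p: Proc) -> str | None:
    """schtasks /create with an ONLOGON trigger, /rl HIGHEST and an action under
    the user's profile: the persistence command repeated throughout the report."""
    c = p.cmdline.lower()
    if not p.image.lower().endswith("schtasks.exe") or "/create" not in c:
        return None
    if "/sc onlogon" not in c or "/rl highest" not in c:
        return None
    target = _arg(p.cmdline, "/tr")
    if not USER_PROFILE.search(target):
        return None
    name = _arg(p.cmdline, "/tn")
    return f"pid {p.pid}: ONLOGON task '{name}' runs {target} at highest run level"


def detect_bat_restart(procs: list[Proc]) -> list[str]:
    """cmd.exe running a %TEMP% .bat whose children include a 'ping -n N localhost'
    delay and a relaunch of an executable from the user's profile: the
    cmd -> chcp -> ping -> Client.exe cycle that recurs in both detonations."""
    findings = []
    for cmd in procs:
        if not cmd.image.lower().endswith("\\cmd.exe"):
            continue
        bat = re.search(r'"([^"]+\\Temp\\[^"]+\.bat)"', cmd.cmdline, re.IGNORECASE)
        if not bat:
            continue
        kids = [k for k in procs if k.ppid == cmd.pid]
        delay = any(re.search(r"ping\s+-n\s+\d+\s+localhost", k.cmdline, re.I) for k in kids)
        relaunch = [k.image for k in kids
                    if k.image.lower().endswith(".exe") and USER_PROFILE.search(k.image)]
        if delay and relaunch:
            findings.append(f"pid {cmd.pid}: {bat.group(1)} delays via ping, then relaunches {relaunch[0]}")
    return findings


def detect_ddns(d: Dns) -> str | None:
    """DNS query for a host under a dynamic-DNS provider, as havocc.ddns.net here."""
    q = d.query.lower().rstrip(".")
    if any(q == s or q.endswith("." + s) for s in DDNS_SUFFIXES):
        return f"pid {d.pid}: DNS query for dynamic-DNS host {d.query}"
    return None


def analyse(procs: list[Proc], dns: list[Dns]) -> list[str]:
    out = [f for p in procs if (f := detect_onlogon_task(p))]
    out += detect_bat_restart(procs)
    out += [f for d in dns if (f := detect_ddns(d))]
    return out


# Constructed sample: the first persistence commands and one restart cycle of
# behavioral1, plus a benign control task. pids/ppids are invented to express the
# parent-child tree that the report's process order implies.
CLIENT = "C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe"
SCHTASKS = f'"schtasks" /create /tn "Discord" /sc ONLOGON /tr "{CLIENT}" /rl HIGHEST /f'
SAMPLE_PROCS = [
    Proc(2936, 1000, "C:\\Users\\Admin\\AppData\\Local\\Temp\\Client-built.exe",
         '"C:\\Users\\Admin\\AppData\\Local\\Temp\\Client-built.exe"'),
    Proc(2100, 2936, "C:\\Windows\\system32\\schtasks.exe", SCHTASKS),
    Proc(2932, 2936, CLIENT, f'"{CLIENT}"'),
    Proc(2101, 2932, "C:\\Windows\\system32\\schtasks.exe", SCHTASKS),
    Proc(2200, 2932, "C:\\Windows\\system32\\cmd.exe",
         'cmd /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\VSn760WZH0Uz.bat" "'),
    Proc(2201, 2200, "C:\\Windows\\system32\\chcp.com", "chcp 65001"),
    Proc(2202, 2200, "C:\\Windows\\system32\\PING.EXE", "ping -n 10 localhost"),
    Proc(2608, 2200, CLIENT, f'"{CLIENT}"'),
    Proc(3000, 1000, "C:\\Windows\\system32\\schtasks.exe",  # benign control, not flagged
         'schtasks /create /tn "Backup" /sc ONLOGON /tr "C:\\Program Files\\Backup\\agent.exe" /rl HIGHEST /f'),
]
SAMPLE_DNS = [Dns(2932, "havocc.ddns.net"), Dns(2932, "228.249.119.40.in-addr.arpa")]

if __name__ == "__main__":
    for line in analyse(SAMPLE_PROCS, SAMPLE_DNS):
        print(line)
```

On the constructed sample this yields two task-persistence hits, one restart-chain hit and one dynamic-DNS hit; the control row that targets Program Files is not flagged, which is the reason for requiring a user-profile action path rather than alerting on every ONLOGON task. The chcp 65001 / ping -n 10 localhost / relaunch batch is Quasar's own restart script, and ping -n N localhost is a common sleep idiom in legitimate scripts too, so the restart rule insists on the %TEMP% batch file and a relaunch from the user profile in the same process tree before it fires.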
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
Files
memory/2936-0-0x000007FEF53D3000-0x000007FEF53D4000-memory.dmp
memory/2936-1-0x00000000009A0000-0x0000000000CC4000-memory.dmp
memory/2936-2-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | fa5f99ff110280efe85f4663cfb3d6b8 |
| SHA1 | ad2d6d8006aee090a4ad5f08ec3425c6353c07d1 |
| SHA256 | 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d |
| SHA512 | a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e |
memory/2936-9-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp
memory/2932-10-0x0000000000920000-0x0000000000C44000-memory.dmp
memory/2932-8-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp
memory/2932-11-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VSn760WZH0Uz.bat
| MD5 | 9c867f88188d47a90580b44df93ef17f |
| SHA1 | fcb280656ac9c6e520b7c76dc6902f00b7fa8967 |
| SHA256 | 18ba331591369b75a3c125b1c9e6adf67703e62bfd5dacbf710adc19308f9845 |
| SHA512 | 817e76fad2325785ac70463ef57a17dd399f44ba981b8b1a432e08443328262813931668c85f9207b050e1018c2a806304b97505f7395e4573413a4a09075a29 |
memory/2932-21-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp
memory/2608-23-0x00000000012B0000-0x00000000015D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MxxAxCinORN2.bat
| MD5 | 61d2f284228a54a6e7e9e7b613d36095 |
| SHA1 | bfd6468efc54901b6d4fd1d3b55816f83fbb2c93 |
| SHA256 | 2599fc898e2f2ea626316bc2dcc2bc1a2047be0eb91de004609a659fc631adbe |
| SHA512 | 5c389c3f8b69f4a24283899bf61793f0b653724f2ec50bca64db2d286f94c3762244908ed79cbd5afbf6796c3d417e87916a2ee3b9cb5d499b6e3b8e7be13d2b |
C:\Users\Admin\AppData\Local\Temp\nQvj5PvJlDNZ.bat
| MD5 | 418dff7a3f8aef3f167ce38fb0c17670 |
| SHA1 | 902ed1e10caf53bd02db9ad6870f510a3218ad0d |
| SHA256 | 58539ef046bb814272f3e20ee4afbf06ebf5d1f7e21306f162d506a395164052 |
| SHA512 | af5286cf6276ab5ba760529545a91d4d2f8960af73694784ad248e64f25af7de7d303501b2ffa735725f66357c1109e9852da2d55a4d3d9aea0f09d36bc0ae08 |
C:\Users\Admin\AppData\Local\Temp\fsyB5A9GxFv0.bat
| MD5 | c6a5021a20cb3670ee1632c3976c82ba |
| SHA1 | 705b5e6af3840ea8afb35990d60b3c5a5748eea3 |
| SHA256 | 9a4e9303a931b423747471a1a7e46dbbce492820086094b862c5b205f6cfc793 |
| SHA512 | 45216fc49f0196daebe57cb102af352d0e8a67161bfe087b5640a3a18b0e51293d3a3a2f5f898fd6328667bf01792b55d71cc46919b073a3ddb8b88345b30847 |
memory/1324-54-0x0000000000060000-0x0000000000384000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NKZOsStaHnxh.bat
| MD5 | 4a293e9aa0526d7dbac00349d64f2860 |
| SHA1 | 71894c0fbddee67784e06c01d543447705e76fa8 |
| SHA256 | 1028e9e01e916c365ad088ddc4fc7a9d597a0fc301ef51249723c2e20d821032 |
| SHA512 | bf8abd42272cd13fb2bb1ffa95b1672d2f51d942f9f742bd9be0eb4eb98d332fc318550063f83619477c5b4fa97dd03f3dcac2ad20f40611e3bdde156fbefa0a |
memory/684-65-0x0000000000BC0000-0x0000000000EE4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YHpQVsSxpO1H.bat
| MD5 | 184388fae3cf8ce39bfd5d99af269ac7 |
| SHA1 | f0ee494b5ad6d78c2e92fe21b2ca717268025439 |
| SHA256 | dfd9940d37599512208e1441583d20628eda9d1518c7a4ea16baee5129c8adaf |
| SHA512 | 9d859b6f87126de3b642517388d9c7b82d2ad0bc8e520c81b2a69c96e931442070ab2950791276170300a5a5c092564e8a1cb09e60195f071cd4d22f541d4d6e |
memory/1884-76-0x0000000000E50000-0x0000000001174000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BmF1Veg5ErJJ.bat
| MD5 | 7963d5c8431f11caad3715d40e291c7d |
| SHA1 | cc3078ce097402c5ebbc14a88fa07abec03488b7 |
| SHA256 | 46c387ffeda4969931344ef391c5555bb4dba87ea1c8387f35761acafdb07d85 |
| SHA512 | e50f3af8e5a45f6826dc69d5617cac0d3f063baf2beb44e02fdf644f9824488d66a22ea140de9d98f7cc7de6100f79e9f7c752ee93584b30527e6bf09f87506b |
memory/2804-87-0x00000000003B0000-0x00000000006D4000-memory.dmp
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\5RdUZjzPLTbX.bat
| MD5 | dfaf153f76f79d490d2cbd4afe5881fc |
| SHA1 | 7728cfd76aeb22ba74a2a9513fe23ef53f6e8c5a |
| SHA256 | 4ed755d367f4f82714bf6873a0d5535cefddf1a2e6cf0602e1ed2f93e1d3ec96 |
| SHA512 | 94146f096376d7f265c02ab52b60e0ca681fcdde6d22c3935dd5dc0c213c3567575b821234780a440d3f14ffedc6f11dd75b6e42f0a8404aeeccdc4d55698828 |
memory/2404-99-0x0000000001270000-0x0000000001594000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\moRnlqieH7yY.bat
| MD5 | 899c8b0a278cdd5d98dfb5b490003f62 |
| SHA1 | fd0f9971c9c0745be7c61bcfdfdbcf497b7ee2a6 |
| SHA256 | e0e23bbabc04515e666ee516e0bf2d96ca35e013b633c65767f3bba1b3cf2e64 |
| SHA512 | 9d89ecb916c79d18fd567494b31efcacf824efcc79d534606cc4659147dbb1bbd903421dad415a588eb0cae398e32cfc7cbc38f7d51b4a0808b76efcd55fa3ba |
C:\Users\Admin\AppData\Local\Temp\E2KoZnzKMp4t.bat
| MD5 | d9ff5a36d8bc09990f5445db4d6c2f4c |
| SHA1 | 9dc36d4b45aa5ac83678e3c1770877da00969e8a |
| SHA256 | 0c6d87317ecd4e9813620693b8de63c82df71240ef96964e85243d53d659faf4 |
| SHA512 | 941d988ee73b6221b7665c8db435925f0a3d2e8f66226b87bb301171c5a7f33a93e6ac75ddf5093e9fa33c2a6179a90390c63e496362d6a14853f3182cb90927 |
C:\Users\Admin\AppData\Local\Temp\1qgtLArCXLYb.bat
| MD5 | ebb69ed0407180a01cdac2b35999916d |
| SHA1 | b495effa95d6635dbcc77e717f90e6eea524fbc1 |
| SHA256 | 3fdf076e97b02ed991d5db56754ff33054aff1537b06e48309acfaa6bb28051c |
| SHA512 | e9d421900c71aec086cc1c02806a33d1bcdb438d075521d75274e0cb142a8497ed72c0b58bb834bdb1187203dacfca7b930398d81e1fb95bb0f3c2d759a87ffc |
C:\Users\Admin\AppData\Local\Temp\WbEeXeyoxzs3.bat
| MD5 | 848ff23a0c10d1ec8e1cd2e633ed14de |
| SHA1 | 1b492b849524e38ce7ad6a5e3bd389b6a0e7f3aa |
| SHA256 | 677aa9996e475d89c2e812f2801f17b2a03fe7fe245ac76525e0be1e0711643f |
| SHA512 | 44e02e68c915bc15fbd80e12609d8847a7d0b87d53cce848e2f01509514163338c3d30843c97d603fe93e9d0604662444834534a61de3d78eb5c6f07b7c46832 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-13 09:56
Reported
2024-12-13 09:58
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target | Count |
| N/A | N/A | N/A | N/A | 2 |
Checks computer location settings
| Description | Indicator | Process | Target | Count |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A | 15 |
Executes dropped EXE
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A | 15 |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A | 15 |
Runs ping.exe
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A | 15 |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A | 16 |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fFh5jVii67mP.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k2UJXDOrX0AM.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eScUVmF6gFri.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zi9NUpIWE1fD.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWaAzurqEDxr.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tfVX4gGrtDUy.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wL2qfIqxDyl4.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PlusibdCCLGe.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2TylDycB1Hbb.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fbxCnKCYmlg6.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sZO6qNsu0l4M.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W69nOr8uR805.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Li3juIFYobtN.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LzYfG30hSPNr.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aHbjrxvkRK1t.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
C:\Users\Admin\AppData\Local\Temp\fFh5jVii67mP.bat
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
C:\Users\Admin\AppData\Local\Temp\k2UJXDOrX0AM.bat
C:\Users\Admin\AppData\Local\Temp\eScUVmF6gFri.bat
C:\Users\Admin\AppData\Local\Temp\zi9NUpIWE1fD.bat
C:\Users\Admin\AppData\Local\Temp\wWaAzurqEDxr.bat
C:\Users\Admin\AppData\Local\Temp\tfVX4gGrtDUy.bat
C:\Users\Admin\AppData\Local\Temp\wL2qfIqxDyl4.bat
C:\Users\Admin\AppData\Local\Temp\PlusibdCCLGe.bat
C:\Users\Admin\AppData\Local\Temp\2TylDycB1Hbb.bat
C:\Users\Admin\AppData\Local\Temp\fbxCnKCYmlg6.bat
C:\Users\Admin\AppData\Local\Temp\sZO6qNsu0l4M.bat
C:\Users\Admin\AppData\Local\Temp\W69nOr8uR805.bat
C:\Users\Admin\AppData\Local\Temp\LzYfG30hSPNr.bat
C:\Users\Admin\AppData\Local\Temp\aHbjrxvkRK1t.bat