Analysis Overview
SHA256
5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
Threat Level: Known bad
The file 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar payload
Quasar RAT
Executes dropped EXE
Checks computer location settings
Unsigned PE
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-14 03:57
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-14 03:57
Reported
2024-12-14 04:00
Platform
win7-20240903-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe
"C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9p6jfvOMXfDH.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CIRJQaP5ihBA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\m26rPSQxAsbt.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hBK6TgfDc3GA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zI0hxVDy7G7.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UiSr8Q7ztQVD.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\91PDUPvQLDBJ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yiebMAUTyzAc.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TvB5I58rOK3W.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1NRFjWojImMI.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FfPTit17hTX2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FZZ3kIN1kCXM.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
Files
memory/1920-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp
memory/1920-1-0x0000000001220000-0x0000000001544000-memory.dmp
memory/1920-2-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | fa5f99ff110280efe85f4663cfb3d6b8 |
| SHA1 | ad2d6d8006aee090a4ad5f08ec3425c6353c07d1 |
| SHA256 | 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d |
| SHA512 | a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e |
memory/3024-8-0x00000000002E0000-0x0000000000604000-memory.dmp
memory/1920-9-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp
memory/3024-11-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp
memory/3024-10-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9p6jfvOMXfDH.bat
| MD5 | 825b80a29cfb8e44199221877ff4dc5c |
| SHA1 | 9c0b8825caede309204350c1400a8c0b1f2558d6 |
| SHA256 | 5be94294b929119f6ad2b9f82c9eda9178a1e155ba9b76bdecdabf109c9d8d7a |
| SHA512 | 9b86dfe8321b174c43270bc21b50dbd50b99ff7422d570e869c615ee07bded18bcb4742d2af18620b71233a3e0bd4217da7960af1575ace0a201050aab34ce65 |
memory/3024-20-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp
memory/1992-23-0x0000000000D80000-0x00000000010A4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CIRJQaP5ihBA.bat
| MD5 | cb88e3144dfa2ebbb8ecec4e7225a896 |
| SHA1 | 0d3e34a670e751d2734b16eac509fdcbf5322bc3 |
| SHA256 | 09b7c9d520239400481d149fe3dbfa161f7e5f153591019adfae6c5fe03b8c8e |
| SHA512 | 746f988d2a74900ed8af768a59cc40a03ac6d645a49a4d844343c9e917c6196d17c62bc97dabda7ac815c9a9be7da979136dc72ac504063538a4f46d4a67ad93 |
C:\Users\Admin\AppData\Local\Temp\m26rPSQxAsbt.bat
| MD5 | f8d60dd83cf9493e22241c94fd7a5456 |
| SHA1 | 25817067ca48e1f5f31bf777d73f3d0f6c76d3f0 |
| SHA256 | 8c571a06a9af29ade00f32bb8091622296ce60cbb60c67c9353333c04931a06d |
| SHA512 | 8bfb9376229618a40860f616e3f8f1a92dde91431e42f4164c059036f1e4db6c983074f002334b7dea41ad531f7cf2ac3805ac6a66dcfb45582da1c82e40baff |
C:\Users\Admin\AppData\Local\Temp\hBK6TgfDc3GA.bat
| MD5 | ae4abafc05bcfa53a95a3f22408be2ed |
| SHA1 | 24308680a9c0d0379cc40293b9707054d498542b |
| SHA256 | 35f42f48a39cb580671e5d7a99d74fcd4c7be0dabcccb307c8b6f8c0548b9684 |
| SHA512 | 0a16d847d4e938310efb3c7641be906a8c5317c16e71738e4a60d93c69425d80ca118830c26dcd4b6c62938aab7218436a26e2e4e4b5cf429a9c16222bdadb27 |
C:\Users\Admin\AppData\Local\Temp\7zI0hxVDy7G7.bat
| MD5 | e2794245a796bfd648fe482bc9922e4a |
| SHA1 | 9ffae589448c4431bef780504d2a9ec90a46454e |
| SHA256 | e18aa937e913ea7dfed4834d787d8e6314957817dd108fcdb22ae518beb33233 |
| SHA512 | ce55987ed93facf5b15a4ae48862d0ebb5c9f8e723e8ab3198f0130bba3555ee56d503f04cd9217724f115487f419997eec2391decf5ac3682b9fac743529a47 |
memory/2452-64-0x0000000000220000-0x0000000000544000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UiSr8Q7ztQVD.bat
| MD5 | 9747add7cdec457494a6426ec7edcdb3 |
| SHA1 | 923a39b9603fdcd01d28a792fa0ece93710353e8 |
| SHA256 | e04f7694db9ae871e747634525570c9e6cb60f5ac36ade15204d3cd34044c1fe |
| SHA512 | 8788bc02cf555013e874f9c0e4ede38381612dd30494d8a4ce97bcfae7bef5e37945064b508ffa7f987ba9003df6fda2ca2f33860f128849d3c1e3f52856e8a7 |
memory/1980-75-0x00000000003D0000-0x00000000006F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\91PDUPvQLDBJ.bat
| MD5 | 72e4decdd25f3b2e5d30f4c9b2c4cdbb |
| SHA1 | 4ce9d814c019bbcf6ccd21c5e348477c7c003a95 |
| SHA256 | 1251f3574ad810be0e5c445a24e309bb61b42ace6a9dbab7743eab182e3666ec |
| SHA512 | c6263c064ce8916f63d1eb85d885a0bfd1cfcb39ad19bef285d3a0390b826a27bf887a2738f81c3d589765528d5fbce2a53981b2b4cd93da5fa7f110b9f1cfb2 |
memory/2240-86-0x0000000000C70000-0x0000000000F94000-memory.dmp
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\yiebMAUTyzAc.bat
| MD5 | ce386a9e7d5456f383423fd6b61c04f2 |
| SHA1 | c9f34c8222301150551786812f84368e986b3669 |
| SHA256 | d57c8dbf83892e8147943db76d06840e29ed15bad87186afb613a08ad4ab4cb3 |
| SHA512 | 2fe4b055f466b845688000318d33c586a618aa28dfd042c3ac9ebd8faab5ac195bcbd33a57b821ad20a5c411a5aae1f20f95b0cc53eb48b2c7444696fa26dea8 |
memory/2612-98-0x0000000000E50000-0x0000000001174000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TvB5I58rOK3W.bat
| MD5 | 5159bdea8a3793d8f6cd463e933af60e |
| SHA1 | bf3defe61f52bc9f8bcb8c26882745e4d163018c |
| SHA256 | cd1c5c379abd77a8332ea002c456e8e9e6ad83cde2474f77c4b6fbc44a60c6dd |
| SHA512 | 4a0101f6e94d3bc55803fabc8515c5b69f5772b4243ee2a78ee084fbc439468a19b868fe4c3cb6bbea1e93a49c0c074d8f1f3df6cc0462d01b58604929d817c7 |
C:\Users\Admin\AppData\Local\Temp\1NRFjWojImMI.bat
| MD5 | 869f08e32031f75121ef5bea1a5f47dc |
| SHA1 | 2daa72bf42a33706ad782c3e7c02a2967f12e812 |
| SHA256 | 97f87e86dfc6da3373b9380f4d84a74efe5037113e4dad38d2d0f0260a438a5d |
| SHA512 | 376b8004da677e4823c64626298a6f4f0650aca183c212b5e83703b9a93c441c282d62dadd5e2c6228b0ad3ce56ac1de46889b9cfa70363b2dd3f30c346ce87d |
C:\Users\Admin\AppData\Local\Temp\FfPTit17hTX2.bat
| MD5 | ea0858f74f48f04b9a8e8cc1d7afa492 |
| SHA1 | c0754bbca0349025057f6115d95965289d175791 |
| SHA256 | 7e84ce70544e5891fc41205f1c1738da4e315a4f56a0496724ec48d2cc6079a5 |
| SHA512 | f78f15cf62fd10d0389357e1a5e9523305f389915fd7f5b25014b070cf1462e99999a167a4fa94649161dd11252e7ee8de23f77b546f7add8bf3731aabd8efe8 |
C:\Users\Admin\AppData\Local\Temp\FZZ3kIN1kCXM.bat
| MD5 | 7bc14e4e18e53ddf8c09c2d5473da45c |
| SHA1 | 8fd6a964c4e870ecba0d367ae61440ee6e464572 |
| SHA256 | a7954291fe7ecf6f4cc6d19770a96f2b8afa1c6ad9c9ec8d09244d603871de29 |
| SHA512 | c35ab1b4d41e31386d3d6a101698d46cfc0cfd171e611a8bdc2f5a4dcaae4bc6d44697036c0c024de24425c7931181cc72b5c733cf347b8209245db6a4154321 |
memory/2232-139-0x0000000000E90000-0x00000000011B4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-14 03:57
Reported
2024-12-14 04:00
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
142s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe
"C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FvDUpwVFBb3a.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSFz0Ffm8PGn.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7G7plnZIsHkC.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fBhbkTo92kz5.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\robz33hTKw8V.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcTQS7K3g8ZX.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ny6Fx6Z6EXIA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYlKbv9laYl7.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ucgs6qO25FaU.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyag6MPSb6RE.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JVkhqUCYv2T5.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2F9tE2C143ZX.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Va136ZCIJrkC.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\njbtU04eM45g.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
| US | 8.8.8.8:53 | havocc.ddns.net | udp |
Files
memory/3196-0-0x00007FFC5D9F3000-0x00007FFC5D9F5000-memory.dmp
memory/3196-1-0x00000000003C0000-0x00000000006E4000-memory.dmp
memory/3196-2-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | fa5f99ff110280efe85f4663cfb3d6b8 |
| SHA1 | ad2d6d8006aee090a4ad5f08ec3425c6353c07d1 |
| SHA256 | 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d |
| SHA512 | a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e |
memory/3196-9-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp
memory/4532-10-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp
memory/4532-11-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp
memory/4532-12-0x000000001D5A0000-0x000000001D5F0000-memory.dmp
memory/4532-13-0x000000001D6B0000-0x000000001D762000-memory.dmp
memory/4532-18-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FvDUpwVFBb3a.bat
| MD5 | b906dbc84570e73337746ac8f7bcaee3 |
| SHA1 | f900509d11115b340a6d787371982808d1ce641f |
| SHA256 | 97b2b2618da0d3f265a66621ff18e1950a020e890d29044d0779bd56a1b87155 |
| SHA512 | caf995d8de81d49a09eaf2d35a049400c9bb42e9ef19dcf929c2eb0d538f4e1404bf331e7f6ed09ff2f799ed486c409d1fea9293e9fac765ba7d2c816af76242 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
| MD5 | 8f0271a63446aef01cf2bfc7b7c7976b |
| SHA1 | b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7 |
| SHA256 | da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c |
| SHA512 | 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5 |
C:\Users\Admin\AppData\Local\Temp\aSFz0Ffm8PGn.bat
| MD5 | c6c1a39b692edbd324fccd5a9e9c43c5 |
| SHA1 | 7ce04961bcc6f194616ca8e64b455b0567f86925 |
| SHA256 | f0975fe3aad93e571390c09b713f9d46f633b325537289542b846ceb79dec6f5 |
| SHA512 | 2656f7eab7b9845f06f6e5e92d4bc2a5a10241951101501fd447cf53fadca89153af36b8d348704c759fd0b4731f372c840cb7ef642ccdbc71803728f4cac04a |
C:\Users\Admin\AppData\Local\Temp\7G7plnZIsHkC.bat
| MD5 | 9cc0d941b596afed1f5c6b7e739ce3ee |
| SHA1 | 33d6f783866b9783bdd551b77ddc3c7a3329c0dd |
| SHA256 | 7721b13e47de0fb9548f55e3551dfe500f473bd7a8a32bc0baa3dd398a60bea1 |
| SHA512 | b389460556aac3b70a28216d7b0379b0ed898de9cb1f4bb6fd797452bea38402d1429aa68c0d1dde23a7d2604e30be02c5a2c22f866f84e2abef2a152605ef18 |
C:\Users\Admin\AppData\Local\Temp\fBhbkTo92kz5.bat
| MD5 | 944e3f55b77218ab1cc5baa3dfdae67e |
| SHA1 | 758e1e95636cffe6423fc7193ed865ffc5661609 |
| SHA256 | 7a7491a4b934a8fdcda295a301b4140df1ee2efbae7aae5ced6b55a869cb712b |
| SHA512 | 51221a7b48169ca63cbaac774e72952b0fdc53ac3e3aec659e3764195ce524107bd71fd04244ce2fc90eddba36659f9f91bfa562547c63df3a254a8fe9d10ef1 |
C:\Users\Admin\AppData\Local\Temp\robz33hTKw8V.bat
| MD5 | 370874cdd7450758e2c85e49bd42298d |
| SHA1 | e2659476c72c2595eb8b13ef8d9ed19204414a45 |
| SHA256 | f2a098f1a169527798e4cfc463f359bf7704f138467929e0dc4566626b26e3ea |
| SHA512 | 3bce54b15c9523b7ea2f82e413503b3cf0deb0c6c55187f557b713e0fc373f3c43d2c617ae928a0dab85d4bdd48cc6cbb883695038e27accb23387805446b730 |
C:\Users\Admin\AppData\Local\Temp\FcTQS7K3g8ZX.bat
| MD5 | 3805cca89884987ee135d533fc2f97aa |
| SHA1 | 8bf5b5ae7935bd0b97b708f04afb2544c9427f45 |
| SHA256 | 194a6749e4b9ba8bfb57db695cb5709e85e24d1fa7a6ab01e4485083fbf21f3a |
| SHA512 | 355487dae6ae70c34ea92b3a65175839f8c81927d22f2fa5bc882548f56294b22be81b6655c767ddcc06d4f03e11c166283998003195eaf0021588f13c4237cb |
C:\Users\Admin\AppData\Local\Temp\Ny6Fx6Z6EXIA.bat
| MD5 | a5f807224d4a9f5c12281818d0772a04 |
| SHA1 | 62e9be343e7c434efa71c1d2f159f68acdb06401 |
| SHA256 | 98860e1179cd581e4499df1b4434b578bb6661e0da1bea01867723af649bb60c |
| SHA512 | 219ce28c188052c3234b4c97f266826882f6c020b1db76c28621993e5b1b36400994e2eecbf06d1dd8e125f2dbf75bbe9d62302dbf5d884db4322869d0e8f809 |
C:\Users\Admin\AppData\Local\Temp\RYlKbv9laYl7.bat
| MD5 | 8b4fa3ed132dc225b1b2ccf2e63f5ef1 |
| SHA1 | 1262fcb41b1dc124ae5e22b5d87464dc5a720d79 |
| SHA256 | 84b5d44e7b29805c74b8f582607c72b5af953612986fe69c0af283cb7281fb90 |
| SHA512 | 4a0797862ee464b2f028736666091ffbd126ce80572e894d4f3bc21bdfd91f235681090028a26885df43e25d40cd594b1b652c915d5c5d5575a608b4ab2d252d |
C:\Users\Admin\AppData\Local\Temp\Ucgs6qO25FaU.bat
| MD5 | 1427dbe19f9dcd5eae60cc7b3c4a2ff3 |
| SHA1 | 5dea284ad210f33993c50ab2ef30dedf3bba7359 |
| SHA256 | 17646bfbaaeee7e7a836cd21804488f86270d4f9686cd69ce7a6bcd96d766681 |
| SHA512 | dfda3bf3d72ff32c142da73ec3f61ed51b5c4067e93826390ae25f236d03d7058e0c01c17eb818f34229fffecf1115448b24717dc1420c67a498b3ac17a17c19 |
C:\Users\Admin\AppData\Local\Temp\pyag6MPSb6RE.bat
| MD5 | f26b96353835b800992581edb6a6711d |
| SHA1 | 9f72544006041150307c8bd7ad2e0793efafce1b |
| SHA256 | 34c549bffb9facbdb2fb97cb62dde39f43acd04edfdf1f595f432853dfbdddef |
| SHA512 | a44ee7a1a88f0a22ea6a1af7e7ca4e3f25c37d4932205b3cccf355a2de96cbddfdfe6557958ddb7c1b6e2b054042e11cbc3fdfd5571f250cc7eafda5de90e1db |
C:\Users\Admin\AppData\Local\Temp\JVkhqUCYv2T5.bat
| MD5 | 2fe18d90b07816ace656f79cdf20394b |
| SHA1 | d8d55fc84c8b26efeab20cd872e1595366a90231 |
| SHA256 | cd5820ce7dc6a5341cab1b4581f32e61fe93ebe6e37b86a94c4e8eb4899237d0 |
| SHA512 | 34c41f7c1c624497cd36c0955f382943b2bd1331a18589e765cbf750fb83cca874351c8ea73ff6d5788f33d7a60cc40d49ccd64ff8b7833268b4568a1a83099b |
C:\Users\Admin\AppData\Local\Temp\2F9tE2C143ZX.bat
| MD5 | 8a193172c5c0b9969b7af8989b6118a8 |
| SHA1 | 0490846b8d5b58a2fa393de9985df4a87dd57d7b |
| SHA256 | 9fb4a03acdad4fc249aa6bf90f03bd99446fc1011c5858792f9618f2a07253a6 |
| SHA512 | f709096ac9ceaa6f11d7c278f323b02d085578d2fa4befdaa183f2f95c6dcd046a3fab267c97f71c549625dc903c6076d2136ee57ea7a5a40df20cf1cdc86832 |
C:\Users\Admin\AppData\Local\Temp\Va136ZCIJrkC.bat
| MD5 | 7728461a7542e5b4f3a4d145bbba7c13 |
| SHA1 | 1e6d592f841cff0a1c05c8d35a5b454a3adc1c3c |
| SHA256 | b2709b9d89de932ba836de6be0913d71798afbbdda328f1b2726a097c477b7e7 |
| SHA512 | ed722e0b038aeacc17dbd9e364d23075a9415fb2a5ac5041b9612b7a4dcd2b132425d24d459b1942dd2763f65176b01c14356189feaaf039788a5ee2c794ee69 |
C:\Users\Admin\AppData\Local\Temp\njbtU04eM45g.bat
| MD5 | be6c7da4c90a5ef0c7480a8a9fbbc1b6 |
| SHA1 | dc57c041aa0d061a894cfd792a46423cea92877e |
| SHA256 | 915867a60e7d1f81f5dd828fbb1aee8ad96ae7a32151f173f2819999b3683de5 |
| SHA512 | 93eb3fe66306471a0c12c2e2ad168a0278603fd832d9f17b48816e37127ea0b0878ba5c23a0f79d395afb271f3da71cb5f1439a81d9b11be266f1935c02d64fd |