Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-12-2024 06:34

General

  • Target

    RuntimeBroker.exe

  • Size

    3.1MB

  • MD5

    f4da021b8bc9d8ef1ff9ce30b0ab3b79

  • SHA1

    998a833c28617bf3e215fe7a8c3552972da36851

  • SHA256

    b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545

  • SHA512

    77e30dfa5d917e0a2467217902b4a75e485f7419e31ea8fe09f6e721d5ba138a68cb354204f79a84e5167b771e3dfb86f182eec647b43dce70ee261b6b7f829c

  • SSDEEP

    98304:ZvlL26AaNeWgPhlmVqkQ7XSKVcRJ6p3I:Nj4SN43I

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Nigga

C2

yzs-42879.portmap.host:42879

Mutex

57d72303-b5e9-46aa-8cc4-9690809c1a9e

Attributes
  • encryption_key

    F1EBDB1862062F9265C0B5AC4D02C76D026534D0

  • install_name

    RuntimeBroker.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    Temp

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 14 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4428
    • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4284
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GtFnIuCBvRXO.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:464
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:4540
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4312
          • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
            "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4276
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9qvq1lvKQaov.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4568
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:3832
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:1904
                • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                  "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4532
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T3Kf8PLbgyh3.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4424
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:1832
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:2352
                      • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1364
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noKxJ01n9X0I.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:60
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:4316
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:2320
                            • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                              "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:4308
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UbJSmlyyXYwQ.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1560
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:1244
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:3904
                                  • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                    "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:4104
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PRvIFPVdkRLi.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:1216
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:4588
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:1740
                                        • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                          "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:4936
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fPIyvGhMQgyp.bat" "
                                            15⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:1716
                                            • C:\Windows\system32\chcp.com
                                              chcp 65001
                                              16⤵
                                                PID:4008
                                              • C:\Windows\system32\PING.EXE
                                                ping -n 10 localhost
                                                16⤵
                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                • Runs ping.exe
                                                PID:372
                                              • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                16⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:1772
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NNZQZaYaJjA0.bat" "
                                                  17⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:1104
                                                  • C:\Windows\system32\chcp.com
                                                    chcp 65001
                                                    18⤵
                                                      PID:1996
                                                    • C:\Windows\system32\PING.EXE
                                                      ping -n 10 localhost
                                                      18⤵
                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                      • Runs ping.exe
                                                      PID:2508
                                                    • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                      "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                      18⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:4372
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaMyGArQJMe1.bat" "
                                                        19⤵
                                                          PID:3216
                                                          • C:\Windows\system32\chcp.com
                                                            chcp 65001
                                                            20⤵
                                                              PID:3536
                                                            • C:\Windows\system32\PING.EXE
                                                              ping -n 10 localhost
                                                              20⤵
                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                              • Runs ping.exe
                                                              PID:3008
                                                            • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                              "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                              20⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4120
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l88dQQHk1ryR.bat" "
                                                                21⤵
                                                                  PID:3724
                                                                  • C:\Windows\system32\chcp.com
                                                                    chcp 65001
                                                                    22⤵
                                                                      PID:2912
                                                                    • C:\Windows\system32\PING.EXE
                                                                      ping -n 10 localhost
                                                                      22⤵
                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                      • Runs ping.exe
                                                                      PID:5028
                                                                    • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                                      "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                                      22⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:696
                                                                      • C:\Windows\system32\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0xZKmdTp1ABS.bat" "
                                                                        23⤵
                                                                          PID:3412
                                                                          • C:\Windows\system32\chcp.com
                                                                            chcp 65001
                                                                            24⤵
                                                                              PID:4616
                                                                            • C:\Windows\system32\PING.EXE
                                                                              ping -n 10 localhost
                                                                              24⤵
                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                              • Runs ping.exe
                                                                              PID:1736
                                                                            • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                                              "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                                              24⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:736
                                                                              • C:\Windows\system32\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kNjvOGxxeYOG.bat" "
                                                                                25⤵
                                                                                  PID:2100
                                                                                  • C:\Windows\system32\chcp.com
                                                                                    chcp 65001
                                                                                    26⤵
                                                                                      PID:3548
                                                                                    • C:\Windows\system32\PING.EXE
                                                                                      ping -n 10 localhost
                                                                                      26⤵
                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                      • Runs ping.exe
                                                                                      PID:3364
                                                                                    • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                                                      "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                                                      26⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2392
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoEjOr6td19J.bat" "
                                                                                        27⤵
                                                                                          PID:3792
                                                                                          • C:\Windows\system32\chcp.com
                                                                                            chcp 65001
                                                                                            28⤵
                                                                                              PID:3880
                                                                                            • C:\Windows\system32\PING.EXE
                                                                                              ping -n 10 localhost
                                                                                              28⤵
                                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                                              • Runs ping.exe
                                                                                              PID:664
                                                                                            • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                                                              "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                                                              28⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:2152
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwdfQDV5sZUk.bat" "
                                                                                                29⤵
                                                                                                  PID:2404
                                                                                                  • C:\Windows\system32\chcp.com
                                                                                                    chcp 65001
                                                                                                    30⤵
                                                                                                      PID:3800
                                                                                                    • C:\Windows\system32\PING.EXE
                                                                                                      ping -n 10 localhost
                                                                                                      30⤵
                                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                      • Runs ping.exe
                                                                                                      PID:4008

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Downloads

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

                                            Filesize

                                            1KB

                                            MD5

                                            baf55b95da4a601229647f25dad12878

                                            SHA1

                                            abc16954ebfd213733c4493fc1910164d825cac8

                                            SHA256

                                            ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                            SHA512

                                            24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                          • C:\Users\Admin\AppData\Local\Temp\0xZKmdTp1ABS.bat

                                            Filesize

                                            212B

                                            MD5

                                            2b8ad50a832ec0010efaf846a436cf47

                                            SHA1

                                            437bf28f79d7e7f513377027af9e45906ab6cede

                                            SHA256

                                            115c4735c68b6788fa3a568fa0282ed7d07481ec7ef2eb9cdf1c7d556eaa1fac

                                            SHA512

                                            483c8100c126559a7970a21513e9e9c6a398a4231922beab22a63c4fd0ddf2babbbc9461cedd18cec207867f0d3b7c11959bc2b47f1a66928dd13a521da6ce1f

                                          • C:\Users\Admin\AppData\Local\Temp\9qvq1lvKQaov.bat

                                            Filesize

                                            212B

                                            MD5

                                            153cb0f6abeb23d7d900e8595918d726

                                            SHA1

                                            dccfec958acb16ac0c760d7d1aa4bded8b711bc3

                                            SHA256

                                            f8773789780a0088fb7f912f82b8932b2dadadd4b64a90c6ee0bbc62978b4b39

                                            SHA512

                                            f0dc422202a06b1f35622c4dbc19b723976210f1bc47daf07d0a4dc84a3ed0cfe2a5585a0a8b7dd3f0273e9de0ec52846968f7f79b3dfe5dd209cc7cc04cde1f

                                          • C:\Users\Admin\AppData\Local\Temp\BwdfQDV5sZUk.bat

                                            Filesize

                                            212B

                                            MD5

                                            20d1b8ff5a779eacebc6bf250365739f

                                            SHA1

                                            0d67058501ac939328d01d92ba3d535482d2dd4e

                                            SHA256

                                            b14369111cb38ccdfc79e2b0c178f33973d7ece4f04337fab7975fb7409457a0

                                            SHA512

                                            39d6c77bc3e5252ead91af6ac12b5c723e4579239ab1dccc81c1ed9d4b4333ca274c98148154ebe08f0feb8582fb3efc468836828df2b60a414aeb28e5ac16c3

                                          • C:\Users\Admin\AppData\Local\Temp\GtFnIuCBvRXO.bat

                                            Filesize

                                            212B

                                            MD5

                                            c1ad99e8bf00d2f777cdf608163a2afc

                                            SHA1

                                            139643a6aad2fce328832c3a4a99556ddc32c604

                                            SHA256

                                            ad52effad599b58f48e04424952de48443699449306bbf108cab9adb0d8fd526

                                            SHA512

                                            5d8c2115291748a3bd85057261803e0a67ff5ddceece7753c7357473bbc80f8fcdddbd37326e539b06261678804d131fa5e8a0acbf4919f90d12b65cb9263a91

                                          • C:\Users\Admin\AppData\Local\Temp\JaMyGArQJMe1.bat

                                            Filesize

                                            212B

                                            MD5

                                            6309c4b64b0d995e8ddc71fb411009ad

                                            SHA1

                                            2b7b2301367837007a4d6f4f678a66553eacaf66

                                            SHA256

                                            5371038d8abe1269ab2618cb11157e49b067eb4f4d8007acf3df98bba14afa0d

                                            SHA512

                                            03bf04a124733753460c04f1001cd9044c689800913c61d28c912834f66e1b53b6d0f4478303938366f05870ee776c72d7ffeda64d7e5ccee0b5fd5cf0ae3d06

                                          • C:\Users\Admin\AppData\Local\Temp\NNZQZaYaJjA0.bat

                                            Filesize

                                            212B

                                            MD5

                                            a109b38250e5560d487d00bfb251cfc0

                                            SHA1

                                            5bdfe0c8ebe50f5bde7aad7440203ab3890e2407

                                            SHA256

                                            5114b5d8bc21e54b5097d6ed31d0bd3468c30380827903f06cc58a1e76ba342d

                                            SHA512

                                            bdeadbc568b8b681da232800af2b72f895d2e23fd8131c5b887c29f51ad155dc97ca30b22255b5e47f4cc5dd70558cc0d91745f4f251d470b65aee06ec953d8a

                                          • C:\Users\Admin\AppData\Local\Temp\NoEjOr6td19J.bat

                                            Filesize

                                            212B

                                            MD5

                                            6d3e58974ab04c42aadd73f1093a56c8

                                            SHA1

                                            5c4cd868c8ae0864a8754ca43452cc8fa821da85

                                            SHA256

                                            d0af4698a94f77413575ecaeb03d31339cca51d56c1fcbe55ec6432c3ba39d05

                                            SHA512

                                            919ce6c3e6c424dc28b472cb6c675e68c3f90b3348565beae7be0d8f4c91750c9875cd6bd4b42227dd0452aebe23e50dc7df1402fe5a7bf04dfa1ff95cf4d880

                                          • C:\Users\Admin\AppData\Local\Temp\PRvIFPVdkRLi.bat

                                            Filesize

                                            212B

                                            MD5

                                            dff1e6e641cf3da01db1ab3efad12985

                                            SHA1

                                            e96e5a48ebbf279c1322031ac6a641663f42431f

                                            SHA256

                                            ee19a82e855a37aa19fe2a2502214d1a538d7ec47258e909fe458df7ed23be15

                                            SHA512

                                            54d7418e20b4d8ad9a2db09cbdd5891fd6896bc7ce3ec059610a7cb6830cdfa798e914fc96af920fb2c64e12e6a874b8d2f5b2fc3447c96478aaedf2e1da3d9a

                                          • C:\Users\Admin\AppData\Local\Temp\T3Kf8PLbgyh3.bat

                                            Filesize

                                            212B

                                            MD5

                                            9c32b072779fa7ee473724870c268e76

                                            SHA1

                                            fd4303ae44c7d1584d956a4cf71b9c3b6dfcf991

                                            SHA256

                                            25013764a28f486af962ffe9273d253bc0eaca628e026de64c02aa5dd99da898

                                            SHA512

                                            138af41e3a5092165a7b0e5410fc86bb9d6064dea70b174a20b85248422d84644cb5529cc79f27c692c90bdc8a053efa4f2c9ee5569ce4b7651bbd1996faee8a

                                          • C:\Users\Admin\AppData\Local\Temp\UbJSmlyyXYwQ.bat

                                            Filesize

                                            212B

                                            MD5

                                            2aacf2b51a5f5c7d94768b75c1a2ac6d

                                            SHA1

                                            c91d89911912feb076a4abbaadec0d06b7ec7027

                                            SHA256

                                            3049de7e13e8e1e1a5a7a822532db91a89060761637004190b24e867d0ca8bce

                                            SHA512

                                            9244e87c62fb0e7362673af9788fb4e62929275a41c4be363033a2c3479ef6b423fffcc7c91e0067f16ddcb37328916941cf34b21b9fe0e912f69b2f2db9025c

                                          • C:\Users\Admin\AppData\Local\Temp\fPIyvGhMQgyp.bat

                                            Filesize

                                            212B

                                            MD5

                                            564dd18fc7d19577f867ad4ae84f4777

                                            SHA1

                                            890e85325943a8f41d42e9e84edfc2b00f8fcc7b

                                            SHA256

                                            e4042a2b6f181f142c97f8a4a23b4f2cf25d7c1bf93afeaf439f0962a0845d7d

                                            SHA512

                                            2429c3a31462c3b1a32003b4b6530a06fa4c206bcfa42df33946af573b722a21f5f3f41fa7062d313c39995152788c5d8f13ec5ae0e48970aa03bf881788cba5

                                          • C:\Users\Admin\AppData\Local\Temp\kNjvOGxxeYOG.bat

                                            Filesize

                                            212B

                                            MD5

                                            76aded24da8a9ee80945751d4383c7ce

                                            SHA1

                                            bc2212fb34099e795d032e4fa68bfae1e4535992

                                            SHA256

                                            291942fa37cb3726d2807df88497a753e76ce5ede84033b9ef02f5e248086367

                                            SHA512

                                            0392e8c0b740beecb987f92bcaa58e921f87a14dc3a6dbd576bc6e9db4b12a75e6c13c5412ca6457ac3f63318cb21ba41ebdd78c985b70e32c094035fdf686c0

                                          • C:\Users\Admin\AppData\Local\Temp\l88dQQHk1ryR.bat

                                            Filesize

                                            212B

                                            MD5

                                            5f685f4eecbdca3fa112113d147d15de

                                            SHA1

                                            2d71c584203410e24111d676fba1661588a005df

                                            SHA256

                                            54ac4daf6b7e1cf44e1d1f106a014d6f975b3f9c3ecefcb253b308f401476255

                                            SHA512

                                            ffd7d4a02df03712630e3f90bcb7fd3240ed2a42644c283eb0d956b31612f42c8259c80db5ffe3a32f4f1d8457d131c6225cf3f59b8bfb00ff612554e11b11f3

                                          • C:\Users\Admin\AppData\Local\Temp\noKxJ01n9X0I.bat

                                            Filesize

                                            212B

                                            MD5

                                            392720bfe76092017582917fd1bd1aa6

                                            SHA1

                                            731a97e3857e997b4005ce1cb4d5947542307288

                                            SHA256

                                            81566a95ed6bf8be6a39c82f70e763aae31a8c951c415e93899f68204344c681

                                            SHA512

                                            d8df093857bb741736c227beec3109ac925b386d7a3e626892ceffc6966fb60ae2642ec302acd3676f6c56ffc3eb8f3aedb014c46d632f83325488cdee62137f

                                          • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe

                                            Filesize

                                            3.1MB

                                            MD5

                                            f4da021b8bc9d8ef1ff9ce30b0ab3b79

                                            SHA1

                                            998a833c28617bf3e215fe7a8c3552972da36851

                                            SHA256

                                            b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545

                                            SHA512

                                            77e30dfa5d917e0a2467217902b4a75e485f7419e31ea8fe09f6e721d5ba138a68cb354204f79a84e5167b771e3dfb86f182eec647b43dce70ee261b6b7f829c

                                          • memory/4284-15-0x00007FFD0AF00000-0x00007FFD0B9C1000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/4284-11-0x000000001D160000-0x000000001D212000-memory.dmp

                                            Filesize

                                            712KB

                                          • memory/4284-10-0x000000001D050000-0x000000001D0A0000-memory.dmp

                                            Filesize

                                            320KB

                                          • memory/4284-9-0x00007FFD0AF00000-0x00007FFD0B9C1000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/4428-0-0x00007FFD0AF03000-0x00007FFD0AF05000-memory.dmp

                                            Filesize

                                            8KB

                                          • memory/4428-1-0x0000000000170000-0x0000000000494000-memory.dmp

                                            Filesize

                                            3.1MB