Analysis

  • max time kernel
    145s
  • max time network
    111s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    17-12-2024 22:11

General

  • Target

    ggff.exe

  • Size

    3.1MB

  • MD5

    9bcbafeac1f399303090ac7f3a805aa9

  • SHA1

    a1d6a496f8468ac6257beeb2eaf5b368f88da1be

  • SHA256

    01f708414e049d3c7c030c7fc6f584ac905a4b9eba6377e036e6e54eb14fb2cc

  • SHA512

    567c8c02532846277604e310ac95baee0da887676b482f9f00a42564dc92258c1eacdccfdf59f82867ed9a9257504dc646bb2d900fd122dd2881e6fef9275dbd

  • SSDEEP

    49152:XvilL26AaNeWgPhlmVqvMQ7XSKZVZe1J6LoGdxoTHHB72eh2NT:XvaL26AaNeWgPhlmVqkQ7XSKZVZ5

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

science-attract.gl.at.ply.gg::13548

Mutex

6ad33fe9-6ed2-45c9-940d-96954b1558e6

Attributes
  • encryption_key

    E040A051368780825E373BF53836EF5E3A5FBF62

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    WindowsDefender.exe

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ggff.exe
    "C:\Users\Admin\AppData\Local\Temp\ggff.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3468
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2624
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pujezyQtmDdL.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:4160
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3708
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3848
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:4880
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KHjDWqt7oZKJ.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4280
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4724
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2184
                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4552
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:3268
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZJWpaVAzDHO0.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2056
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:4812
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:2512
                      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2480
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:4352
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J6C7hupoBYcn.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1512
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:1716
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:1448
                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:2864
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:1824
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qzump6dHWFti.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1536
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:4452
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:1016
                                  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:4436
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1416
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hha15OQCtQqs.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:4148
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:1380
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:4684
                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2632
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2496
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3DAe4E3PYntG.bat" "
                                            15⤵
                                              PID:4264
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:4996
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:3284
                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:232
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3784
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k8HwDmVHaCqU.bat" "
                                                    17⤵
                                                      PID:4312
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:3240
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:980
                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1760
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3696
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\92y2xgW0N0lh.bat" "
                                                            19⤵
                                                              PID:1784
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:3960
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:4116
                                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:4632
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:5092
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UTlqwmzg5GQl.bat" "
                                                                    21⤵
                                                                      PID:3160
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:3232
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:4552
                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:32
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:3912
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o7yjAdb19Uxv.bat" "
                                                                            23⤵
                                                                              PID:2312
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:2056
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  • Runs ping.exe
                                                                                  PID:3600
                                                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:4220
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:4540
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CZxyq9wIrCGa.bat" "
                                                                                    25⤵
                                                                                      PID:2800
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:1452
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:1540
                                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2460
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                            27⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:2844
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oySz0lRrALHh.bat" "
                                                                                            27⤵
                                                                                              PID:2072
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                28⤵
                                                                                                  PID:1016
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  28⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:1708
                                                                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:3780
                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                    "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                    29⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:2732
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\49zUtcDASC7X.bat" "
                                                                                                    29⤵
                                                                                                      PID:4672
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        30⤵
                                                                                                          PID:4832
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          30⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:3104
                                                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                          30⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:3764
                                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                            "schtasks" /create /tn "WindowsDefender.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                            31⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:3880
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kbn4vJ8ADcLC.bat" "
                                                                                                            31⤵
                                                                                                              PID:4160
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                32⤵
                                                                                                                  PID:3216
                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                  ping -n 10 localhost
                                                                                                                  32⤵
                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:5084

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

                                                    Filesize

                                                    2KB

                                                    MD5

                                                    7787ce173dfface746f5a9cf5477883d

                                                    SHA1

                                                    4587d870e914785b3a8fb017fec0c0f1c7ec0004

                                                    SHA256

                                                    c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

                                                    SHA512

                                                    3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

                                                  • C:\Users\Admin\AppData\Local\Temp\3DAe4E3PYntG.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    d2986b84cd8155304ba4864165d9fd36

                                                    SHA1

                                                    1894de3351548d0bbeb41f90ab8ce13aba65ebf9

                                                    SHA256

                                                    788f1218ca2e8dcc7a2405d2ff696c0b8f9fb5b7ff2a4b520fbd18161fcfa972

                                                    SHA512

                                                    8b8147fc07c22e44f91ef3b6bf5a6c9eadafe1876adfa5870d6055a7c98f67a54ad0d5ce0044e92a2a02f434787c2c6ffde7db013dbb9810bca35901e63b41cd

                                                  • C:\Users\Admin\AppData\Local\Temp\49zUtcDASC7X.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    f7a873c237e8f55dba48bceba7626eaf

                                                    SHA1

                                                    671a80b29d15384f84b068d5c28709213cc64f0e

                                                    SHA256

                                                    7fa0803b66cf52af8e8ac3af3b0db38eef9a0fb8622e0e25f091d9157d510840

                                                    SHA512

                                                    6bb1a5e4322f44894c295747a28a24e17d9b85023f6d6dd8791b1c456e4b35a2e8d02cf3287ec5dc717cde543d728ad2cb8b1a24ae624cbacbe10921a05a7ad6

                                                  • C:\Users\Admin\AppData\Local\Temp\92y2xgW0N0lh.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    560c0a2d030e4ecc99d9c6da46f5f15b

                                                    SHA1

                                                    8913e94ac16227320c3658bf84ea5d22217f4846

                                                    SHA256

                                                    76b93519bc3789ca914adec0e3df5bfebe1784baf25aef5a4a65dd69f6f33b81

                                                    SHA512

                                                    2f087a7da6e1182c365c89e9b7bc8a76a8f4e300c20bb11dc1f3c4e01e3b85b8b476dd469e837757df38754be0dc871f78d015310c5986458d452d9b8f12a38d

                                                  • C:\Users\Admin\AppData\Local\Temp\CZxyq9wIrCGa.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    fb8154b64d4c145bd1cc6cae37d9ec1e

                                                    SHA1

                                                    b565643789740bea948cf2d65522f31f62a0fbd6

                                                    SHA256

                                                    b89491411ec8ee9934af00a62ac095049cb5f7f678e49be2e329a2be66aeaab3

                                                    SHA512

                                                    fbc8ccc204b343cc19600a22365897a35ead191d201b893ec54ea12f6425634a48c1b8c9cddab69e0b956d4e0b10ee2b327ac97f3bbacb45c3bcc60b9a416213

                                                  • C:\Users\Admin\AppData\Local\Temp\J6C7hupoBYcn.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    1a7a1caee3f8646b1607e3ef15d293ba

                                                    SHA1

                                                    8f1d78d733694bbd7f2af64e70c4d69482120f35

                                                    SHA256

                                                    f8e846b0068d31020adce040b209712565205e0ac6a2d065236ac148a9563a88

                                                    SHA512

                                                    7c8c12a5d247e68a0b7e178f85414713bc1ae0f05e6d687e52a81614afc2cd9f4fa2ef69f4567295c9187b12e69e8a75f70d827d389e2a1f0222878add7af8eb

                                                  • C:\Users\Admin\AppData\Local\Temp\KHjDWqt7oZKJ.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    f2423cdd49b7cf5310038126b5e1ca75

                                                    SHA1

                                                    006a43d9c5bfeba3c8e0a4ba669988021b5f9d32

                                                    SHA256

                                                    dafa2682af77ad5127c8b4f9c4d9ecc4c5917fe7c7ab2ee102155e74c944761b

                                                    SHA512

                                                    f619a186e08930ff4344dd4df6b237ebf7a50287ce81f4022d13925f78ea272a87384cb1f32620a1a4f3eca8d141051ed4dcef8b7156f13142b15e4ef7e023e4

                                                  • C:\Users\Admin\AppData\Local\Temp\UTlqwmzg5GQl.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    323f49c7e3f2ab51efcdccbab3e61a6b

                                                    SHA1

                                                    62e0c4f496a620a1a3e2931cfefe76ff9212b0df

                                                    SHA256

                                                    0b87f45c73e556a33012f62bd872a974f428778ba587222233317c729654470a

                                                    SHA512

                                                    f628bc4a0f498b3665747aa02bfb78c80187b8f5cbd4d9fbdd9fdc8bc44ce740e43afcd982cf74bd1a023f7a41a24e6d97db1285e6f6fb21298b002c96887fb9

                                                  • C:\Users\Admin\AppData\Local\Temp\ZJWpaVAzDHO0.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    b9d35788e22ab70aa1935f47ba571700

                                                    SHA1

                                                    085719d7c6aefe2fa36c211fa408863500602315

                                                    SHA256

                                                    7e7379d86b3b40883f1f4b0fe3e993c07d3eb7acef0bda13cd7a78057f6e7de5

                                                    SHA512

                                                    2ee9b3cef265c6db86118d5ca86d071e008587c5b2521fce78f8c8f7266b1d1b782e01404ba7b675ff0abf62eaa0a58822bcfa1444342e0e5120eb1f650660c1

                                                  • C:\Users\Admin\AppData\Local\Temp\hha15OQCtQqs.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    d218b1504440279c4d7066412bc6424a

                                                    SHA1

                                                    9a390f9867571a4dcc7f93c3fa8e116f6cd99126

                                                    SHA256

                                                    064e77a2640584282a03b5af1fb30d5d380b8bf3f72d7089c06f3d96976d2c6f

                                                    SHA512

                                                    ec0b7878497d995f4f77a320831dbbfc4709d8e8e337c45a88ed6add07ef51f09ad403865b145fa66886cd1e3ee5c28099a30dd71dc722f62da0e27098f329a1

                                                  • C:\Users\Admin\AppData\Local\Temp\k8HwDmVHaCqU.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    4ded353950ac74b7e78037d4977bea41

                                                    SHA1

                                                    415cffad5f4401c4fff35f09e37f95284bc8049c

                                                    SHA256

                                                    f396562645d5ef3f792c1b9b43663dc6847818f64961223d64fe74892e257b42

                                                    SHA512

                                                    a0a5998ea7264fba3a85666b3c4b1050ba926b721f422e4484d8a764e479159f1b823c012f9774c659d42ddbe01edb536afcb7a2cb8020c35e6591bf09a6c7c2

                                                  • C:\Users\Admin\AppData\Local\Temp\kbn4vJ8ADcLC.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    63608c81afd2a34dec7a6873a5892c7e

                                                    SHA1

                                                    4495dabdb541247f996f97b3e1229c3aa617515d

                                                    SHA256

                                                    faaebed4e181a3ffdb4166b5b5ab5bbd65c87fa3a043d18ea9da0601a5c83caa

                                                    SHA512

                                                    3af2acbfc626ec054dd9caf66892e230470cd8b33507b47ce4c117ab2219f51dc41333e8beb51b595c25e4fa0b5bb52ff2a4d6058e782aa4571518146398e83f

                                                  • C:\Users\Admin\AppData\Local\Temp\o7yjAdb19Uxv.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    2520aa599652acdaf0f48eca539621dd

                                                    SHA1

                                                    a7143e3ff9f8678e40cd7fe5512d831629f854cc

                                                    SHA256

                                                    c9f7bcd66a4f09cc0dc936ca6aacc91096e1dbb3cc86f4d4505bab6bf024602a

                                                    SHA512

                                                    52fe991ef4693efb9073ca10384f5310ab6675133124f006bf7cfe678c271468c8bb828df4ea104f86ae2b3468c4ad0ad89e3037a3cd82c24fd191fa70e624e5

                                                  • C:\Users\Admin\AppData\Local\Temp\oySz0lRrALHh.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    8937f5a5b8df3a7b0166169a5a70fe87

                                                    SHA1

                                                    ce35d561dfcc014005b14680753294bafbd92190

                                                    SHA256

                                                    403312fc583e499a45dc874d438714bcedd8ae58d2925949160cc2a838083381

                                                    SHA512

                                                    f699dc9bff872d9cda926cae73ff95e980af17f92f7570656a2210143b5c11e16a477d617148c4ec9b7a7cab76f35b8c87ee327f591a376f268dda91f6117fc2

                                                  • C:\Users\Admin\AppData\Local\Temp\pujezyQtmDdL.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    6e3059b2b20dbf5c14475e814ddc36af

                                                    SHA1

                                                    bb0e90b962ecabab5e0c2f607f30ec899cbf6bf7

                                                    SHA256

                                                    007a41461a81146e17e4a519ceb23a086a0dac54fc3895fb24ff8d0b4f17995c

                                                    SHA512

                                                    26037b65563357dd54f64f33109288cc56b52124f51e327bc2771cef9babb842df1907786c81d0db1548f991ec1d4633f494b996bead18d31b9468b8b01b7567

                                                  • C:\Users\Admin\AppData\Local\Temp\qzump6dHWFti.bat

                                                    Filesize

                                                    207B

                                                    MD5

                                                    fd7762a0afa531fd1e4c717b0d6a0370

                                                    SHA1

                                                    54cabe482ad19f960292f2782cffe34328943133

                                                    SHA256

                                                    5fd38f1fb55098d53bc359c2657c9e1f970450333d81d655753afd9da1fc0b56

                                                    SHA512

                                                    f6c710dc5444c5743e63b770c94a8280460ad7be2fafa5f53e8174ecaa3a59d11b1502f5633fc0aefaf36a73e1206b80f7f09d9eb3d7ad3342f3635bd2fc2d90

                                                  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

                                                    Filesize

                                                    3.1MB

                                                    MD5

                                                    9bcbafeac1f399303090ac7f3a805aa9

                                                    SHA1

                                                    a1d6a496f8468ac6257beeb2eaf5b368f88da1be

                                                    SHA256

                                                    01f708414e049d3c7c030c7fc6f584ac905a4b9eba6377e036e6e54eb14fb2cc

                                                    SHA512

                                                    567c8c02532846277604e310ac95baee0da887676b482f9f00a42564dc92258c1eacdccfdf59f82867ed9a9257504dc646bb2d900fd122dd2881e6fef9275dbd

                                                  • memory/2872-1-0x0000000000E80000-0x00000000011A4000-memory.dmp

                                                    Filesize

                                                    3.1MB

                                                  • memory/2872-2-0x00007FFDB1920000-0x00007FFDB23E2000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/2872-0-0x00007FFDB1923000-0x00007FFDB1925000-memory.dmp

                                                    Filesize

                                                    8KB

                                                  • memory/2872-5-0x00007FFDB1920000-0x00007FFDB23E2000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/3616-8-0x000000001B520000-0x000000001B570000-memory.dmp

                                                    Filesize

                                                    320KB

                                                  • memory/3616-6-0x00007FFDB1920000-0x00007FFDB23E2000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/3616-7-0x00007FFDB1920000-0x00007FFDB23E2000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/3616-17-0x00007FFDB1920000-0x00007FFDB23E2000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/3616-9-0x000000001C560000-0x000000001C612000-memory.dmp

                                                    Filesize

                                                    712KB