Analysis

  • max time kernel
    144s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-12-2024 06:33

General

  • Target

    sharpmonoinjector.exe

  • Size

    3.1MB

  • MD5

    4522bc113a6f5b984e9ffac278f9f064

  • SHA1

    392ec955d7b5c5da965f7af9f929b89c33409b03

  • SHA256

    2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58

  • SHA512

    c0980d621a154adb63bdb8a4e7adc863a40d1af8d98d18bd0671fc07721639d66b10d471d4dddc0e78cc127d4c0429f3084618f227919e4a552d6de4ee7793ff

  • SSDEEP

    98304:6WV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvg:FTQzo

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

C2

VIPEEK1990-25013.portmap.host:25013

Mutex

ebef1e3c-805b-4b1a-aa24-bf4dcab44476

Attributes
  • encryption_key

    3EBA8BC34FA983893A9B07B831E7CEB183F7492D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Security Service

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload (1 IoC)
  • Checks computer location settings (2 TTPs, 15 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe (1 TTP, 15 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 15 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken (15 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
    "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3704
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8JugHQ0hpGA0.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4312
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:180
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:404
        • C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
          "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
          3⤵
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4968
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:3980
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IABaEicFtA1m.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4760
            • C:\Windows\system32\chcp.com
              chcp 65001
              5⤵
                PID:2568
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                5⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1840
              • C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
                "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
                5⤵
                • Checks computer location settings
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5052
                • C:\Windows\SYSTEM32\schtasks.exe
                  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                  6⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:2636
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgKAhv4IVRRC.bat" "
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2012
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    7⤵
                      PID:2216
                    • C:\Windows\system32\PING.EXE
                      ping -n 10 localhost
                      7⤵
                      • System Network Configuration Discovery: Internet Connection Discovery
                      • Runs ping.exe
                      PID:5016
                    • C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
                      "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
                      7⤵
                      • Checks computer location settings
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4372
                      • C:\Windows\SYSTEM32\schtasks.exe
                        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                        8⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:1692
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BnnUuWDw3wtL.bat" "
                        8⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3928
                        • C:\Windows\system32\chcp.com
                          chcp 65001
                          9⤵
                            PID:3632
                          • C:\Windows\system32\PING.EXE
                            ping -n 10 localhost
                            9⤵
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:3936
                          • C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
                            "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
                            9⤵
                            • Checks computer location settings
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:2496
                            • C:\Windows\SYSTEM32\schtasks.exe
                              "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                              10⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:1688
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hBRvBI61OWom.bat" "
                              10⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3620
                              • C:\Windows\system32\chcp.com
                                chcp 65001
                                11⤵
                                  PID:404
                                • C:\Windows\system32\PING.EXE
                                  ping -n 10 localhost
                                  11⤵
                                  • System Network Configuration Discovery: Internet Connection Discovery
                                  • Runs ping.exe
                                  PID:2596
                                • C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
                                  "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
                                  11⤵
                                  • Checks computer location settings
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:2356
                                  • C:\Windows\SYSTEM32\schtasks.exe
                                    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                    12⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:5020
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MJstGA1KE9zM.bat" "
                                    12⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:4784
                                    • C:\Windows\system32\chcp.com
                                      chcp 65001
                                      13⤵
                                        PID:5096
                                      • C:\Windows\system32\PING.EXE
                                        ping -n 10 localhost
                                        13⤵
                                        • System Network Configuration Discovery: Internet Connection Discovery
                                        • Runs ping.exe
                                        PID:4400
                                      • C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
                                        "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
                                        13⤵
                                        • Checks computer location settings
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:1004
                                        • C:\Windows\SYSTEM32\schtasks.exe
                                          "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                          14⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3008
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iZuqx7936Dlf.bat" "
                                          14⤵
                                            PID:992
                                            • C:\Windows\system32\chcp.com
                                              chcp 65001
                                              15⤵
                                                PID:452
                                              • C:\Windows\system32\PING.EXE
                                                ping -n 10 localhost
                                                15⤵
                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                • Runs ping.exe
                                                PID:2056
                                              • C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
                                                "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
                                                15⤵
                                                • Checks computer location settings
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4692
                                                • C:\Windows\SYSTEM32\schtasks.exe
                                                  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                  16⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2556
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMytIE5pXdHu.bat" "
                                                  16⤵
                                                    PID:3312
                                                    • C:\Windows\system32\chcp.com
                                                      chcp 65001
                                                      17⤵
                                                        PID:4776
                                                      • C:\Windows\system32\PING.EXE
                                                        ping -n 10 localhost
                                                        17⤵
                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                        • Runs ping.exe
                                                        PID:2896
                                                      • C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
                                                        17⤵
                                                        • Checks computer location settings
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:920
                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                          "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                          18⤵
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4696
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKjXZt0yoSN0.bat" "
                                                          18⤵
                                                            PID:2260
                                                            • C:\Windows\system32\chcp.com
                                                              chcp 65001
                                                              19⤵
                                                                PID:1688
                                                              • C:\Windows\system32\PING.EXE
                                                                ping -n 10 localhost
                                                                19⤵
                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                • Runs ping.exe
                                                                PID:3184
                                                              • C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
                                                                19⤵
                                                                • Checks computer location settings
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:3304
                                                                • C:\Windows\SYSTEM32\schtasks.exe
                                                                  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                  20⤵
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1736
                                                                • C:\Windows\system32\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t4el5n7ClOGy.bat" "
                                                                  20⤵
                                                                    PID:3620
                                                                    • C:\Windows\system32\chcp.com
                                                                      chcp 65001
                                                                      21⤵
                                                                        PID:4104
                                                                      • C:\Windows\system32\PING.EXE
                                                                        ping -n 10 localhost
                                                                        21⤵
                                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                                        • Runs ping.exe
                                                                        PID:2028
                                                                      • C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
                                                                        21⤵
                                                                        • Checks computer location settings
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:5056
                                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                                          "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                          22⤵
                                                                          • Scheduled Task/Job: Scheduled Task
                                                                          PID:60
                                                                        • C:\Windows\system32\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCnCPNenSTYB.bat" "
                                                                          22⤵
                                                                            PID:2296
                                                                            • C:\Windows\system32\chcp.com
                                                                              chcp 65001
                                                                              23⤵
                                                                                PID:3760
                                                                              • C:\Windows\system32\PING.EXE
                                                                                ping -n 10 localhost
                                                                                23⤵
                                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                                • Runs ping.exe
                                                                                PID:3536
                                                                              • C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
                                                                                23⤵
                                                                                • Checks computer location settings
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:916
                                                                                • C:\Windows\SYSTEM32\schtasks.exe
                                                                                  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                  24⤵
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:2360
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CDFzX2p3upZ6.bat" "
                                                                                  24⤵
                                                                                    PID:4816
                                                                                    • C:\Windows\system32\chcp.com
                                                                                      chcp 65001
                                                                                      25⤵
                                                                                        PID:3308
                                                                                      • C:\Windows\system32\PING.EXE
                                                                                        ping -n 10 localhost
                                                                                        25⤵
                                                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                                                        • Runs ping.exe
                                                                                        PID:3988
                                                                                      • C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
                                                                                        25⤵
                                                                                        • Checks computer location settings
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:1400
                                                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                                                          "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                          26⤵
                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                          PID:3292
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5ZGXzHhXi9aZ.bat" "
                                                                                          26⤵
                                                                                            PID:4776
                                                                                            • C:\Windows\system32\chcp.com
                                                                                              chcp 65001
                                                                                              27⤵
                                                                                                PID:5000
                                                                                              • C:\Windows\system32\PING.EXE
                                                                                                ping -n 10 localhost
                                                                                                27⤵
                                                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                • Runs ping.exe
                                                                                                PID:3064
                                                                                              • C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
                                                                                                27⤵
                                                                                                • Checks computer location settings
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:3704
                                                                                                • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                  28⤵
                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                  PID:5064
                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fwptp0kqfyN9.bat" "
                                                                                                  28⤵
                                                                                                    PID:832
                                                                                                    • C:\Windows\system32\chcp.com
                                                                                                      chcp 65001
                                                                                                      29⤵
                                                                                                        PID:4468
                                                                                                      • C:\Windows\system32\PING.EXE
                                                                                                        ping -n 10 localhost
                                                                                                        29⤵
                                                                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                        • Runs ping.exe
                                                                                                        PID:4648
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\sharpmonoinjector.exe"
                                                                                                        29⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:468
                                                                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                          "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                          30⤵
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:3496
                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PVMh6nx655By.bat" "
                                                                                                          30⤵
                                                                                                            PID:3980
                                                                                                            • C:\Windows\system32\chcp.com
                                                                                                              chcp 65001
                                                                                                              31⤵
                                                                                                                PID:4960
                                                                                                              • C:\Windows\system32\PING.EXE
                                                                                                                ping -n 10 localhost
                                                                                                                31⤵
                                                                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                • Runs ping.exe
                                                                                                                PID:628

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sharpmonoinjector.exe.log

                                                    Filesize

                                                    2KB

                                                  • C:\Users\Admin\AppData\Local\Temp\5ZGXzHhXi9aZ.bat

                                                    Filesize

                                                    214B

                                                  • C:\Users\Admin\AppData\Local\Temp\8JugHQ0hpGA0.bat

                                                    Filesize

                                                    214B

                                                  • C:\Users\Admin\AppData\Local\Temp\BnnUuWDw3wtL.bat

                                                    Filesize

                                                    214B

                                                  • C:\Users\Admin\AppData\Local\Temp\CDFzX2p3upZ6.bat

                                                    Filesize

                                                    214B

                                                  • C:\Users\Admin\AppData\Local\Temp\Fwptp0kqfyN9.bat

                                                    Filesize

                                                    214B

                                                  • C:\Users\Admin\AppData\Local\Temp\IABaEicFtA1m.bat

                                                    Filesize

                                                    214B

                                                  • C:\Users\Admin\AppData\Local\Temp\MJstGA1KE9zM.bat

                                                    Filesize

                                                    214B

                                                  • C:\Users\Admin\AppData\Local\Temp\PCnCPNenSTYB.bat

                                                    Filesize

                                                    214B

                                                  • C:\Users\Admin\AppData\Local\Temp\PVMh6nx655By.bat

                                                    Filesize

                                                    214B

                                                  • C:\Users\Admin\AppData\Local\Temp\cgKAhv4IVRRC.bat

                                                    Filesize

                                                    214B

                                                  • C:\Users\Admin\AppData\Local\Temp\hBRvBI61OWom.bat

                                                    Filesize

                                                    214B

                                                  • C:\Users\Admin\AppData\Local\Temp\iZuqx7936Dlf.bat

                                                    Filesize

                                                    214B

                                                  • C:\Users\Admin\AppData\Local\Temp\jMytIE5pXdHu.bat

                                                    Filesize

                                                    214B

                                                  • C:\Users\Admin\AppData\Local\Temp\kKjXZt0yoSN0.bat

                                                    Filesize

                                                    214B

                                                  • C:\Users\Admin\AppData\Local\Temp\t4el5n7ClOGy.bat

                                                    Filesize

                                                    214B

                                                  • memory/4364-3-0x000000001B720000-0x000000001B770000-memory.dmp

                                                    Filesize

                                                    320KB

                                                  • memory/4364-2-0x00007FFF769F0000-0x00007FFF774B1000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4364-10-0x00007FFF769F0000-0x00007FFF774B1000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4364-1-0x0000000000760000-0x0000000000A84000-memory.dmp

                                                    Filesize

                                                    3.1MB

                                                  • memory/4364-4-0x000000001BF90000-0x000000001C042000-memory.dmp

                                                    Filesize

                                                    712KB

                                                  • memory/4364-0-0x00007FFF769F3000-0x00007FFF769F5000-memory.dmp

                                                    Filesize

                                                    8KB