Analysis

  • max time kernel
    142s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-12-2024 15:05

General

  • Target

    b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe

  • Size

    3.1MB

  • MD5

    f4da021b8bc9d8ef1ff9ce30b0ab3b79

  • SHA1

    998a833c28617bf3e215fe7a8c3552972da36851

  • SHA256

    b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545

  • SHA512

    77e30dfa5d917e0a2467217902b4a75e485f7419e31ea8fe09f6e721d5ba138a68cb354204f79a84e5167b771e3dfb86f182eec647b43dce70ee261b6b7f829c

  • SSDEEP

    98304:ZvlL26AaNeWgPhlmVqkQ7XSKVcRJ6p3I:Nj4SN43I

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Nigga

C2

yzs-42879.portmap.host:42879

Mutex

57d72303-b5e9-46aa-8cc4-9690809c1a9e

Attributes
  • encryption_key

    F1EBDB1862062F9265C0B5AC4D02C76D026534D0

  • install_name

    RuntimeBroker.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    Temp

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 11 IoCs
  • Executes dropped EXE 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe
    "C:\Users\Admin\AppData\Local\Temp\b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TiWKjNPk494B.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2600
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2608
          • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
            "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:376
            • C:\Windows\system32\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\9Kzbd86jwB5u.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1424
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2260
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2436
                • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                  "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2176
                  • C:\Windows\system32\cmd.exe
                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\LuwIKlSrWXEf.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2624
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:2892
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:2788
                      • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2468
                        • C:\Windows\system32\cmd.exe
                          cmd /c ""C:\Users\Admin\AppData\Local\Temp\ru1jCVhmfWys.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2372
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:1848
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:1744
                            • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                              "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:2220
                              • C:\Windows\system32\cmd.exe
                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\Vay68pIpa6D9.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:688
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:1788
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:1420
                                  • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                    "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:1116
                                    • C:\Windows\system32\cmd.exe
                                      cmd /c ""C:\Users\Admin\AppData\Local\Temp\Dop6P35ga5Ep.bat" "
                                      13⤵
                                        PID:1832
                                        • C:\Windows\system32\chcp.com
                                          chcp 65001
                                          14⤵
                                            PID:976
                                          • C:\Windows\system32\PING.EXE
                                            ping -n 10 localhost
                                            14⤵
                                            • System Network Configuration Discovery: Internet Connection Discovery
                                            • Runs ping.exe
                                            PID:1300
                                          • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                            "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                            14⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2268
                                            • C:\Windows\system32\cmd.exe
                                              cmd /c ""C:\Users\Admin\AppData\Local\Temp\0hnJ3s2qzz15.bat" "
                                              15⤵
                                                PID:1456
                                                • C:\Windows\system32\chcp.com
                                                  chcp 65001
                                                  16⤵
                                                    PID:2524
                                                  • C:\Windows\system32\PING.EXE
                                                    ping -n 10 localhost
                                                    16⤵
                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                    • Runs ping.exe
                                                    PID:1412
                                                  • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                    "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                    16⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2528
                                                    • C:\Windows\system32\cmd.exe
                                                      cmd /c ""C:\Users\Admin\AppData\Local\Temp\hSnZDizAxrns.bat" "
                                                      17⤵
                                                        PID:1540
                                                        • C:\Windows\system32\chcp.com
                                                          chcp 65001
                                                          18⤵
                                                            PID:2752
                                                          • C:\Windows\system32\PING.EXE
                                                            ping -n 10 localhost
                                                            18⤵
                                                            • System Network Configuration Discovery: Internet Connection Discovery
                                                            • Runs ping.exe
                                                            PID:2756
                                                          • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                            "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                            18⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2940
                                                            • C:\Windows\system32\cmd.exe
                                                              cmd /c ""C:\Users\Admin\AppData\Local\Temp\E52PYi195lGD.bat" "
                                                              19⤵
                                                                PID:2600
                                                                • C:\Windows\system32\chcp.com
                                                                  chcp 65001
                                                                  20⤵
                                                                    PID:2648
                                                                  • C:\Windows\system32\PING.EXE
                                                                    ping -n 10 localhost
                                                                    20⤵
                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                    • Runs ping.exe
                                                                    PID:2428
                                                                  • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                                    "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:288
                                                                    • C:\Windows\system32\cmd.exe
                                                                      cmd /c ""C:\Users\Admin\AppData\Local\Temp\W3ye0Q2i3JMT.bat" "
                                                                      21⤵
                                                                        PID:2128
                                                                        • C:\Windows\system32\chcp.com
                                                                          chcp 65001
                                                                          22⤵
                                                                            PID:280
                                                                          • C:\Windows\system32\PING.EXE
                                                                            ping -n 10 localhost
                                                                            22⤵
                                                                            • System Network Configuration Discovery: Internet Connection Discovery
                                                                            • Runs ping.exe
                                                                            PID:2060
                                                                          • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                                            "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                                            22⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1624
                                                                            • C:\Windows\system32\cmd.exe
                                                                              cmd /c ""C:\Users\Admin\AppData\Local\Temp\g3xFvrrPSEs4.bat" "
                                                                              23⤵
                                                                                PID:1716
                                                                                • C:\Windows\system32\chcp.com
                                                                                  chcp 65001
                                                                                  24⤵
                                                                                    PID:2920
                                                                                  • C:\Windows\system32\PING.EXE
                                                                                    ping -n 10 localhost
                                                                                    24⤵
                                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                                    • Runs ping.exe
                                                                                    PID:2788
                                                                                  • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                                                    "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                                                    24⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:1052
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      cmd /c ""C:\Users\Admin\AppData\Local\Temp\JqbBFCWfsELA.bat" "
                                                                                      25⤵
                                                                                        PID:2228
                                                                                        • C:\Windows\system32\chcp.com
                                                                                          chcp 65001
                                                                                          26⤵
                                                                                            PID:1872
                                                                                          • C:\Windows\system32\PING.EXE
                                                                                            ping -n 10 localhost
                                                                                            26⤵
                                                                                            • System Network Configuration Discovery: Internet Connection Discovery
                                                                                            • Runs ping.exe
                                                                                            PID:1852
                                                                                          • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                                                            "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                                                            26⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:872
                                                                                            • C:\Windows\system32\cmd.exe
                                                                                              cmd /c ""C:\Users\Admin\AppData\Local\Temp\n2xZVcmJiAHb.bat" "
                                                                                              27⤵
                                                                                                PID:848
                                                                                                • C:\Windows\system32\chcp.com
                                                                                                  chcp 65001
                                                                                                  28⤵
                                                                                                    PID:448
                                                                                                  • C:\Windows\system32\PING.EXE
                                                                                                    ping -n 10 localhost
                                                                                                    28⤵
                                                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                    • Runs ping.exe
                                                                                                    PID:2052
                                                                                                  • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                                                                    "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                                                                    28⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:1632
                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ABvhUt0a3klU.bat" "
                                                                                                      29⤵
                                                                                                        PID:1056
                                                                                                        • C:\Windows\system32\chcp.com
                                                                                                          chcp 65001
                                                                                                          30⤵
                                                                                                            PID:760
                                                                                                          • C:\Windows\system32\PING.EXE
                                                                                                            ping -n 10 localhost
                                                                                                            30⤵
                                                                                                            • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                            • Runs ping.exe
                                                                                                            PID:1300
                                                                                                          • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                                                                            "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                                                                            30⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:2240
                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                              cmd /c ""C:\Users\Admin\AppData\Local\Temp\EWvnNvtYfCTc.bat" "
                                                                                                              31⤵
                                                                                                                PID:1684
                                                                                                                • C:\Windows\system32\chcp.com
                                                                                                                  chcp 65001
                                                                                                                  32⤵
                                                                                                                    PID:2896
                                                                                                                  • C:\Windows\system32\PING.EXE
                                                                                                                    ping -n 10 localhost
                                                                                                                    32⤵
                                                                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                    • Runs ping.exe
                                                                                                                    PID:2532

Network

MITRE ATT&CK Enterprise v15

Downloads

                                                    • C:\Users\Admin\AppData\Local\Temp\0hnJ3s2qzz15.bat

                                                      Filesize

                                                      212B

                                                      MD5

                                                      1cdfdb94516364fec839f9b953433dfe

                                                      SHA1

                                                      d01ea182f2a3578f8cde67a0cb36f44d501d6f22

                                                      SHA256

                                                      cf5fe42ac51b9917b1d1c688c1c9db30951d5b093d85993ac364a2288cc661b5

                                                      SHA512

                                                      7bc06a6ddf29462ba09dc21d64e3c09dba7d276720b695ca371eba4aaf9c5d30924727d8cb6775490178e0324cd2bcb994fef8af8effa22e74a23ab4765eaeee

                                                    • C:\Users\Admin\AppData\Local\Temp\9Kzbd86jwB5u.bat

                                                      Filesize

                                                      212B

                                                      MD5

                                                      ce5bb4441fd27b545e5ec50f88412e2f

                                                      SHA1

                                                      180add21deceab7eab7342c6df28bc74c61dccec

                                                      SHA256

                                                      ab6732e40fd7470467840a4bf0de00c9c4f9497d5cdfb52941a9ca7575305cde

                                                      SHA512

                                                      2a089e0d327dab9e81a064a4dcbff8959fc5daacbf23427f2b7b4ebb3156a4e7864aa9e7e3b032d770c38a77e06b80e95a6f74c7d351a56aca6092c3d89f2b91

                                                    • C:\Users\Admin\AppData\Local\Temp\ABvhUt0a3klU.bat

                                                      Filesize

                                                      212B

                                                      MD5

• C:\Users\Admin\AppData\Local\Temp\Dop6P35ga5Ep.bat (Filesize 212B)

• C:\Users\Admin\AppData\Local\Temp\E52PYi195lGD.bat (Filesize 212B)

• C:\Users\Admin\AppData\Local\Temp\EWvnNvtYfCTc.bat (Filesize 212B)

• C:\Users\Admin\AppData\Local\Temp\JqbBFCWfsELA.bat (Filesize 212B)

• C:\Users\Admin\AppData\Local\Temp\LuwIKlSrWXEf.bat (Filesize 212B)

• C:\Users\Admin\AppData\Local\Temp\TiWKjNPk494B.bat (Filesize 212B)

• C:\Users\Admin\AppData\Local\Temp\Vay68pIpa6D9.bat (Filesize 212B)

• C:\Users\Admin\AppData\Local\Temp\W3ye0Q2i3JMT.bat (Filesize 212B)

• C:\Users\Admin\AppData\Local\Temp\g3xFvrrPSEs4.bat (Filesize 212B)

• C:\Users\Admin\AppData\Local\Temp\hSnZDizAxrns.bat (Filesize 212B)

• C:\Users\Admin\AppData\Local\Temp\n2xZVcmJiAHb.bat (Filesize 212B)

• C:\Users\Admin\AppData\Local\Temp\ru1jCVhmfWys.bat (Filesize 212B)

• C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe (Filesize 3.1MB; MD5, SHA1, SHA256 and SHA512 identical to the submitted sample)

• memory/288-109-0x0000000000AF0000-0x0000000000E14000-memory.dmp (Filesize 3.1MB)

• memory/376-23-0x0000000000C20000-0x0000000000F44000-memory.dmp (Filesize 3.1MB)

• memory/1624-120-0x00000000012C0000-0x00000000015E4000-memory.dmp (Filesize 3.1MB)

• memory/1632-151-0x00000000013B0000-0x00000000016D4000-memory.dmp (Filesize 3.1MB)

• memory/2240-163-0x0000000000390000-0x00000000006B4000-memory.dmp (Filesize 3.1MB)

• memory/2468-44-0x0000000001270000-0x0000000001594000-memory.dmp (Filesize 3.1MB)

• memory/2528-86-0x0000000000110000-0x0000000000434000-memory.dmp (Filesize 3.1MB)

• memory/2704-0-0x000007FEF6033000-0x000007FEF6034000-memory.dmp (Filesize 4KB)

• memory/2704-8-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp (Filesize 9.9MB)

• memory/2704-2-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp (Filesize 9.9MB)

• memory/2704-1-0x00000000003F0000-0x0000000000714000-memory.dmp (Filesize 3.1MB)

• memory/2712-9-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp (Filesize 9.9MB)

• memory/2712-11-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp (Filesize 9.9MB)

• memory/2712-20-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp (Filesize 9.9MB)

• memory/2712-10-0x0000000000100000-0x0000000000424000-memory.dmp (Filesize 3.1MB)

• memory/2940-97-0x0000000000950000-0x0000000000C74000-memory.dmp (Filesize 3.1MB)