Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-12-2024 15:05

General

  • Target

    b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe

  • Size

    3.1MB

  • MD5

    f4da021b8bc9d8ef1ff9ce30b0ab3b79

  • SHA1

    998a833c28617bf3e215fe7a8c3552972da36851

  • SHA256

    b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545

  • SHA512

    77e30dfa5d917e0a2467217902b4a75e485f7419e31ea8fe09f6e721d5ba138a68cb354204f79a84e5167b771e3dfb86f182eec647b43dce70ee261b6b7f829c

  • SSDEEP

    98304:ZvlL26AaNeWgPhlmVqkQ7XSKVcRJ6p3I:Nj4SN43I

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Nigga

C2

yzs-42879.portmap.host:42879

Mutex

57d72303-b5e9-46aa-8cc4-9690809c1a9e

Attributes
  • encryption_key

    F1EBDB1862062F9265C0B5AC4D02C76D026534D0

  • install_name

    RuntimeBroker.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    Temp

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe
    "C:\Users\Admin\AppData\Local\Temp\b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3084
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1E47ylHnvxGU.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4700
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:3948
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4016
          • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
            "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5100
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ky2HRqxHZ60B.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3468
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2936
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2132
                • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                  "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1436
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewLEDAyR5tmF.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2800
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:2176
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:4284
                      • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:736
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aG2hqhxBIXfH.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2028
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:392
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:428
                            • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                              "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1768
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsJSMBS5h8oz.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2524
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:4812
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:4952
                                  • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                    "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:3264
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lyskz5vqrYOp.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:3124
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:720
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:996
                                        • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                          "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:2684
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H4A2DFPSe0RP.bat" "
                                            15⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:1756
                                            • C:\Windows\system32\chcp.com
                                              chcp 65001
                                              16⤵
                                                PID:1128
                                              • C:\Windows\system32\PING.EXE
                                                ping -n 10 localhost
                                                16⤵
                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                • Runs ping.exe
                                                PID:4936
                                              • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                16⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:2260
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pnK2nIE8Gqis.bat" "
                                                  17⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:2008
                                                  • C:\Windows\system32\chcp.com
                                                    chcp 65001
                                                    18⤵
                                                      PID:1976
                                                    • C:\Windows\system32\PING.EXE
                                                      ping -n 10 localhost
                                                      18⤵
                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                      • Runs ping.exe
                                                      PID:1048
                                                    • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                      "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                      18⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:3740
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j8YQEAvAm1Hf.bat" "
                                                        19⤵
                                                          PID:4264
                                                          • C:\Windows\system32\chcp.com
                                                            chcp 65001
                                                            20⤵
                                                              PID:2984
                                                            • C:\Windows\system32\PING.EXE
                                                              ping -n 10 localhost
                                                              20⤵
                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                              • Runs ping.exe
                                                              PID:4424
                                                            • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                              "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                              20⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:3908
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4Wn5kRB39C2u.bat" "
                                                                21⤵
                                                                  PID:3824
                                                                  • C:\Windows\system32\chcp.com
                                                                    chcp 65001
                                                                    22⤵
                                                                      PID:3516
                                                                    • C:\Windows\system32\PING.EXE
                                                                      ping -n 10 localhost
                                                                      22⤵
                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                      • Runs ping.exe
                                                                      PID:2068
                                                                    • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                                      "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                                      22⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1216
                                                                      • C:\Windows\system32\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CscGGZW2gxn1.bat" "
                                                                        23⤵
                                                                          PID:2524
                                                                          • C:\Windows\system32\chcp.com
                                                                            chcp 65001
                                                                            24⤵
                                                                              PID:3788
                                                                            • C:\Windows\system32\PING.EXE
                                                                              ping -n 10 localhost
                                                                              24⤵
                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                              • Runs ping.exe
                                                                              PID:2752
                                                                            • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                                              "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                                              24⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:3552
                                                                              • C:\Windows\system32\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAnfNSNflwYt.bat" "
                                                                                25⤵
                                                                                  PID:4776
                                                                                  • C:\Windows\system32\chcp.com
                                                                                    chcp 65001
                                                                                    26⤵
                                                                                      PID:2988
                                                                                    • C:\Windows\system32\PING.EXE
                                                                                      ping -n 10 localhost
                                                                                      26⤵
                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                      • Runs ping.exe
                                                                                      PID:1920
                                                                                    • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                                                      "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                                                      26⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:3468
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a6KSXwVKkZRV.bat" "
                                                                                        27⤵
                                                                                          PID:3232
                                                                                          • C:\Windows\system32\chcp.com
                                                                                            chcp 65001
                                                                                            28⤵
                                                                                              PID:2556
                                                                                            • C:\Windows\system32\PING.EXE
                                                                                              ping -n 10 localhost
                                                                                              28⤵
                                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                                              • Runs ping.exe
                                                                                              PID:4132
                                                                                            • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                                                              "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                                                              28⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:3140
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a7etPDXnjzWc.bat" "
                                                                                                29⤵
                                                                                                  PID:2908
                                                                                                  • C:\Windows\system32\chcp.com
                                                                                                    chcp 65001
                                                                                                    30⤵
                                                                                                      PID:1016
                                                                                                    • C:\Windows\system32\PING.EXE
                                                                                                      ping -n 10 localhost
                                                                                                      30⤵
                                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                      • Runs ping.exe
                                                                                                      PID:2808
                                                                                                    • C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
                                                                                                      "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
                                                                                                      30⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:2984
                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R9cH0iSPDBmr.bat" "
                                                                                                        31⤵
                                                                                                          PID:1416
                                                                                                          • C:\Windows\system32\chcp.com
                                                                                                            chcp 65001
                                                                                                            32⤵
                                                                                                              PID:4308
                                                                                                            • C:\Windows\system32\PING.EXE
                                                                                                              ping -n 10 localhost
                                                                                                              32⤵
                                                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                              • Runs ping.exe
                                                                                                              PID:4316

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

    Filesize

    2KB

    MD5

    8f0271a63446aef01cf2bfc7b7c7976b

    SHA1

    b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

    SHA256

    da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

    SHA512

    78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

  • C:\Users\Admin\AppData\Local\Temp\1E47ylHnvxGU.bat

    Filesize

    212B

    MD5

    6b061f2703f43b3710bd037f464fa50d

    SHA1

    48c97017d2a1d8b39f4eb3ad446722b562133fd4

    SHA256

    8c0c7d95c9e0dc634ee9d12ff8d199bd1603e9e5354f466d1ac633904943d1cd

    SHA512

    39ea6a481508d39c8b0d2406877c0a1f8b76a07872347adecc8a37aec5764417b9f52ab2c42160bc7cba524d442724c2d868501ddfa5b32f37a1aeafd6667795

  • C:\Users\Admin\AppData\Local\Temp\4Wn5kRB39C2u.bat

    Filesize

    212B

    MD5

    a0839e4c7b7280e96f44b16622766f8f

    SHA1

    c3c2f620d21a9ffb643fcbad72e26474895ae820

    SHA256

    e4203c4ed5a4df7158ff9f1c21ee4935972e58aefde1425e124434252f779664

    SHA512

    aaf364643471369bc880c8e69d2ec82b9a72e80095bfcab628a3611d3682a319bc5fb58378c6929b6c45a5c6b0b28837b7cb98ec924bd8beeb8a40cfdf2d0e12

  • C:\Users\Admin\AppData\Local\Temp\CscGGZW2gxn1.bat

    Filesize

    212B

    MD5

    3014c68ecd991bdb4d7acf645035bb14

    SHA1

    aefd690a41b8901b6d38eb51d3aa45e1cc576a2c

    SHA256

    df3a8829a7cedac445f5e06c665dd7d09b8f67daf521752081d5b3dd72fd225a

    SHA512

    649895dcda4a6d7ce8d0079483a671a8479ecc6f4f355dff69d693062e8a431d2dbbd49b36306a8e8a643fb33837d910009f935ff2e08816bfe422bd2e087d02

  • C:\Users\Admin\AppData\Local\Temp\GsJSMBS5h8oz.bat

    Filesize

    212B

    MD5

    49561271ab70291b97d9a5ce24d67db8

    SHA1

    7ca9c54c3777e5ef0ded9626291d097acf682241

    SHA256

    ad085ea2c9c70dc20f075cb61d964b74075c5b9d2c7ebecdcb05fb3c538d5854

    SHA512

    a88bef9b558ed13cc1fdce39837fbe23489e470d31353767f026daf92f124fcc5c4f9825a68050d234bf51f239d46a802a2266e3e98669fbb8a41a9e31cdf6f9

  • C:\Users\Admin\AppData\Local\Temp\H4A2DFPSe0RP.bat

    Filesize

    212B

    MD5

    c252e1a57e60ff4c3d217d562cb0ac75

    SHA1

    4f0059662b6fe29cd5926a517aabfb6c47d79434

                                                SHA256

                                                09d3859bd4ddd8506e07cbef116795b19545d4b00733caee5d52ee829c42695a

                                                SHA512

                                                ed20a1d204cc3e26cf7263378bc99b9be84d1276f6ea895e87835e8f25857750fb2c097e6ab36c3beaac2bcfc1f09c4de3deccb24a529dd5aa21b670f242fda4

                                              • C:\Users\Admin\AppData\Local\Temp\Ky2HRqxHZ60B.bat

                                                Filesize

                                                212B

                                                MD5

                                                49021ee2c8e0f30142db72ce2b45b857

                                                SHA1

                                                b484eb2d0f45b8f45fb7d09c54c9acc1748f536a

                                                SHA256

                                                f8de053f1ff24af61133202c1664bb907e14cd129c8b37a4d5ee245ab25a7011

                                                SHA512

                                                41161ea53d5d9143bc2f2a0a87f36749eb34732b2462a7e50dc4bd04b6bae3aed62fa750132a30c68a34e93063a46fe69a1d761bd49467e76119ae224e3b53f7

                                              • C:\Users\Admin\AppData\Local\Temp\Lyskz5vqrYOp.bat

                                                Filesize

                                                212B

                                                MD5

                                                fd5a34c3d5c6d3cac7ecf4b9d5ba39ad

                                                SHA1

                                                6d64ce130e6e09425c6e0c149202573a1d199e7e

                                                SHA256

                                                ab1e95c3b0495f382861ba48224b625e7d2183595d13946bcd20015afcce21e4

                                                SHA512

                                                df911373f0482dbf6f39e3d45a6124f405d3805ebaec8759a7bd1c894e7582586564d9e6031e7e9558dfe7946e29626613943645d76e9507d8d9694b96a47751

                                              • C:\Users\Admin\AppData\Local\Temp\R9cH0iSPDBmr.bat

                                                Filesize

                                                212B

                                                MD5

                                                2089ccfac3d800614692b209c891cfbb

                                                SHA1

                                                9d33e270dcb186a21f7b0acd78039e6165e1774e

                                                SHA256

                                                cab4ee9c0f750a7d96f14a7294e6c7a8a36b958eabfecb49a7aa8d078bad18e3

                                                SHA512

                                                cb5f0073e5e69ecd23aadc27f0aebcde17b6eb54d22bcd81046fdb0c48d9e42f4cd86393ff0aa6bfbd35de2215087dab5bb1dc81e2f4232ea5651d6b892376ba

                                              • C:\Users\Admin\AppData\Local\Temp\a6KSXwVKkZRV.bat

                                                Filesize

                                                212B

                                                MD5

                                                50d0a1af5d480d2ba96a8d85dd05a5cc

                                                SHA1

                                                975126c71898c090432c38e997ec5fb25d56fa1b

                                                SHA256

                                                6cfc77aadd27d7e6537347bfd4de39e8f544139c08d222c9a393b269ab790f3a

                                                SHA512

                                                8604e2ece90e70bbaff8c8552aa56eab3a58df5a62e5b69399c0a40d7cf6e0e0221b9712c4ce4d3f63c35d52f149ce47d5f1b747effcb7defb2c99c69e85f54d

                                              • C:\Users\Admin\AppData\Local\Temp\a7etPDXnjzWc.bat

                                                Filesize

                                                212B

                                                MD5

                                                6c64bf91cc49aeb28d7b666ddedb2ebf

                                                SHA1

                                                d62fac87a7cd6d8e21809a0e4793faae6d26e484

                                                SHA256

                                                d2e06a7f6af66f0663b93198337d7e69f6b1fe04b461f21914041f70043451bc

                                                SHA512

                                                9ead1ee83a4a92dc018c898e881773c98e92c66f0ffb6e87b6f326afd78bace3bcb5d0bdfc4255fd79ebdb32db7388bc47685b22665826b34b6c03fc9f840917

                                              • C:\Users\Admin\AppData\Local\Temp\aG2hqhxBIXfH.bat

                                                Filesize

                                                212B

                                                MD5

                                                e7f98fd9035498f80144283b13dae76d

                                                SHA1

                                                caa29736877c9db916c5c23d86fac9b5cb2b0adf

                                                SHA256

                                                bd1b816ad374b113375ba4e5e29a8bab9c9eb2ed1adc2f3ec457123e09b8d2fd

                                                SHA512

                                                d199c46903ff2fb311c9e05507be48866a70cf6ebd0dbe3d7c1d5385c6cb9a5e276b60583956593a50041496991f607adce74b36726bc6a3cb2ae584d4c68ecb

                                              • C:\Users\Admin\AppData\Local\Temp\ewLEDAyR5tmF.bat

                                                Filesize

                                                212B

                                                MD5

                                                65a618d4cf070a503386c0e12688328f

                                                SHA1

                                                d0a3173fd587b5bd9cf8359370d1754dfdb89157

                                                SHA256

                                                83dfa87bb2cbe88a8e830486676672ef9616ebaedae23e7176a918b4f2bf6b98

                                                SHA512

                                                e5ac085438056fa392901de20107d7c8db43ce0c18f0b17965d96f3a0692e6b54327ef48b4b829b6fb93a39d588a65f594cc0e1c774eecf6b05a1baf8430ccc2

                                              • C:\Users\Admin\AppData\Local\Temp\j8YQEAvAm1Hf.bat

                                                Filesize

                                                212B

                                                MD5

                                                418f651bec6a848c70c11dfd23e0d4dc

                                                SHA1

                                                71f40ead2bbdb6158b36ea86c7157caa8663b237

                                                SHA256

                                                a407ac02cdf17d0531209d03c19db5decaf22c59e23b3588647248595aa21465

                                                SHA512

                                                4d071caa54333521fd526ebc955b8e6de94b5c1c98c85ce131abd3f90e1b92e419148a8c3e0eb6b973f45bc3b18777800182947cdf82285450d357bf3a60f84c

                                              • C:\Users\Admin\AppData\Local\Temp\lAnfNSNflwYt.bat

                                                Filesize

                                                212B

                                                MD5

                                                a80921e13e105d2f02df1352379dbf3b

                                                SHA1

                                                7293dd1bd022b5b3b5dc5fbf7272c4bf2c66e3a6

                                                SHA256

                                                d6fd8a540f5d12d8a0b1759e49c937de6fc7857894c348e60c402cfaf43b6444

                                                SHA512

                                                6544f67ed3789fcec7cdd293d452dae767b290fbb38bc3e5a79b63ffe3f41dc34d23d3dea0918e64060f9154f1223374c40a55b30dce9b6dca0f6db42485f6a5

                                              • C:\Users\Admin\AppData\Local\Temp\pnK2nIE8Gqis.bat

                                                Filesize

                                                212B

                                                MD5

                                                527243a2838615793d0e0e5f4532c0f1

                                                SHA1

                                                c34b872b31a19f0c6ae162ccded4b9b772555b52

                                                SHA256

                                                a71a30b4f15b4fd0048dd6a401afd33d3efcf829fa18e5260d9dc984380a3a99

                                                SHA512

                                                0dc5a9e2c935ebfb31cb6b5dfdb17acbf2439818cc8fd3faebd696e1d4cd999a79a4147fafc5787552b8c2769ee01aa0cf4ce90bd19d6920fde1a832885c8a70

• C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
    Filesize  3.1MB
    MD5       f4da021b8bc9d8ef1ff9ce30b0ab3b79
    SHA1      998a833c28617bf3e215fe7a8c3552972da36851
    SHA256    b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545
    SHA512    77e30dfa5d917e0a2467217902b4a75e485f7419e31ea8fe09f6e721d5ba138a68cb354204f79a84e5167b771e3dfb86f182eec647b43dce70ee261b6b7f829c
• memory/3084-17-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp
    Filesize  10.8MB

• memory/3084-12-0x000000001D000000-0x000000001D0B2000-memory.dmp
    Filesize  712KB

• memory/3084-11-0x000000001BE50000-0x000000001BEA0000-memory.dmp
    Filesize  320KB

• memory/3084-9-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp
    Filesize  10.8MB

• memory/5088-0-0x00007FFDC0733000-0x00007FFDC0735000-memory.dmp
    Filesize  8KB

• memory/5088-10-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp
    Filesize  10.8MB

• memory/5088-2-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp
    Filesize  10.8MB

• memory/5088-1-0x0000000000700000-0x0000000000A24000-memory.dmp
    Filesize  3.1MB
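Three things in the listing above matter more than the raw hashes: the RuntimeBroker.exe written under AppData\Roaming\Temp carries exactly the submitted sample's hashes (the persisted copy is the sample itself, and a file of that name outside C:\Windows\System32 is a masquerade in its own right); the fifteen .bat drops are all 212 bytes yet have fifteen distinct hashes, so their content is randomised per run and the path pattern, not the hash, is the usable indicator; and the memory dump names encode PID, index and the address range, from which the stated size can be recomputed and shared mappings between the parent (5088) and child (3084) found. The script below is an added triage example, not part of the sandbox report or of the Quasar project. The listing values are copied from the report; the size-rounding rule in `human_size`, the `SYSTEM_NAMES` set and all function names are this example's own assumptions.

```python
"""Re-parse the dropped-file and memory-region listing and derive triage checks.
Added example: the data is copied from the report, the checks are ours."""
import ntpath
import re

SAMPLE_SHA256 = "b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545"

# Path -> (stated size, SHA-256), copied from the report listing.
DROPPED = {
    r"C:\Users\Admin\AppData\Local\Temp\1E47ylHnvxGU.bat": ("212B", "8c0c7d95c9e0dc634ee9d12ff8d199bd1603e9e5354f466d1ac633904943d1cd"),
    r"C:\Users\Admin\AppData\Local\Temp\4Wn5kRB39C2u.bat": ("212B", "e4203c4ed5a4df7158ff9f1c21ee4935972e58aefde1425e124434252f779664"),
    r"C:\Users\Admin\AppData\Local\Temp\CscGGZW2gxn1.bat": ("212B", "df3a8829a7cedac445f5e06c665dd7d09b8f67daf521752081d5b3dd72fd225a"),
    r"C:\Users\Admin\AppData\Local\Temp\GsJSMBS5h8oz.bat": ("212B", "ad085ea2c9c70dc20f075cb61d964b74075c5b9d2c7ebecdcb05fb3c538d5854"),
    r"C:\Users\Admin\AppData\Local\Temp\H4A2DFPSe0RP.bat": ("212B", "09d3859bd4ddd8506e07cbef116795b19545d4b00733caee5d52ee829c42695a"),
    r"C:\Users\Admin\AppData\Local\Temp\Ky2HRqxHZ60B.bat": ("212B", "f8de053f1ff24af61133202c1664bb907e14cd129c8b37a4d5ee245ab25a7011"),
    r"C:\Users\Admin\AppData\Local\Temp\Lyskz5vqrYOp.bat": ("212B", "ab1e95c3b0495f382861ba48224b625e7d2183595d13946bcd20015afcce21e4"),
    r"C:\Users\Admin\AppData\Local\Temp\R9cH0iSPDBmr.bat": ("212B", "cab4ee9c0f750a7d96f14a7294e6c7a8a36b958eabfecb49a7aa8d078bad18e3"),
    r"C:\Users\Admin\AppData\Local\Temp\a6KSXwVKkZRV.bat": ("212B", "6cfc77aadd27d7e6537347bfd4de39e8f544139c08d222c9a393b269ab790f3a"),
    r"C:\Users\Admin\AppData\Local\Temp\a7etPDXnjzWc.bat": ("212B", "d2e06a7f6af66f0663b93198337d7e69f6b1fe04b461f21914041f70043451bc"),
    r"C:\Users\Admin\AppData\Local\Temp\aG2hqhxBIXfH.bat": ("212B", "bd1b816ad374b113375ba4e5e29a8bab9c9eb2ed1adc2f3ec457123e09b8d2fd"),
    r"C:\Users\Admin\AppData\Local\Temp\ewLEDAyR5tmF.bat": ("212B", "83dfa87bb2cbe88a8e830486676672ef9616ebaedae23e7176a918b4f2bf6b98"),
    r"C:\Users\Admin\AppData\Local\Temp\j8YQEAvAm1Hf.bat": ("212B", "a407ac02cdf17d0531209d03c19db5decaf22c59e23b3588647248595aa21465"),
    r"C:\Users\Admin\AppData\Local\Temp\lAnfNSNflwYt.bat": ("212B", "d6fd8a540f5d12d8a0b1759e49c937de6fc7857894c348e60c402cfaf43b6444"),
    r"C:\Users\Admin\AppData\Local\Temp\pnK2nIE8Gqis.bat": ("212B", "a71a30b4f15b4fd0048dd6a401afd33d3efcf829fa18e5260d9dc984380a3a99"),
    r"C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe": ("3.1MB", SAMPLE_SHA256),
}

# Dump name -> stated size, copied from the report. Name layout: memory/<pid>-<index>-<start>-<end>-memory.dmp
MEMORY = [
    ("memory/3084-17-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp", "10.8MB"),
    ("memory/3084-12-0x000000001D000000-0x000000001D0B2000-memory.dmp", "712KB"),
    ("memory/3084-11-0x000000001BE50000-0x000000001BEA0000-memory.dmp", "320KB"),
    ("memory/3084-9-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp", "10.8MB"),
    ("memory/5088-0-0x00007FFDC0733000-0x00007FFDC0735000-memory.dmp", "8KB"),
    ("memory/5088-10-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp", "10.8MB"),
    ("memory/5088-2-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp", "10.8MB"),
    ("memory/5088-1-0x0000000000700000-0x0000000000A24000-memory.dmp", "3.1MB"),
]

# Binaries that legitimately live under System32; a drop with one of these names elsewhere is a masquerade.
# Assumed set for this example; extend it for your own hunts.
SYSTEM_NAMES = {"runtimebroker.exe"}

MEM_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_region(name):
    """Return (pid, index, start, end) decoded from a memory dump name."""
    m = MEM_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, idx, start, end = m.groups()
    return int(pid), int(idx), int(start, 16), int(end, 16)


def human_size(n):
    """Render a byte count the way the report does (assumed rule: binary units, whole KB, one-decimal MB)."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def check_regions(entries=MEMORY):
    """Recompute each region's length from its address range and compare with the stated size."""
    return [(pid, idx, end - start, human_size(end - start) == stated)
            for (pid, idx, start, end), stated in ((parse_region(n), s) for n, s in entries)]


def shared_mappings(entries=MEMORY):
    """Address ranges dumped from more than one PID: a mapping common to parent and child."""
    seen = {}
    for name, _ in entries:
        pid, _, start, end = parse_region(name)
        seen.setdefault((start, end), set()).add(pid)
    return {rng: pids for rng, pids in seen.items() if len(pids) > 1}


def persisted_copy_matches_sample(dropped=DROPPED, sample=SAMPLE_SHA256):
    """True if a dropped executable is byte-identical to the submitted sample (same hash-based IOC covers both)."""
    return any(p.lower().endswith(".exe") and sha == sample for p, (_, sha) in dropped.items())


def masqueraded_paths(dropped=DROPPED):
    """Drops named like a Windows system binary but not located under \\Windows\\System32\\."""
    return [p for p in dropped
            if ntpath.basename(p).lower() in SYSTEM_NAMES and "\\windows\\system32\\" not in p.lower()]


def bat_cluster(dropped=DROPPED):
    """(count, distinct sizes, distinct hashes) over the .bat drops; one size and all-distinct hashes
    means per-run randomised content, so hash IOCs are weak and the Temp\\<12 alnum>.bat path is the better one."""
    bats = [(size, sha) for p, (size, sha) in dropped.items() if p.lower().endswith(".bat")]
    return len(bats), len({s for s, _ in bats}), len({h for _, h in bats})


if __name__ == "__main__":
    print("persisted copy is the sample:", persisted_copy_matches_sample())
    print("masqueraded system-binary names:", masqueraded_paths())
    print(".bat drops (count, sizes, hashes):", bat_cluster())
    for pid, idx, length, ok in check_regions():
        print(f"pid {pid} region {idx}: {length:#x} bytes, stated size {'matches' if ok else 'MISMATCH'}")
    for (start, end), pids in shared_mappings().items():
        print(f"range {start:#x}-{end:#x} dumped from pids {sorted(pids)}")
```

Running it reports the persisted copy as the sample, flags the Roaming\Temp\RuntimeBroker.exe path, gives (15, 1, 15) for the .bat drops, confirms every stated dump size against its address range (for example 0x7FFDC11F1000 - 0x7FFDC0730000 = 0xAC1000 bytes, 10.8MB), and shows the 0x7FFDC0730000-0x7FFDC11F1000 range as the one mapping dumped from both 5088 and 3084.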