Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    18-12-2024 03:25

General

  • Target

    cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe

  • Size

    3.1MB

  • MD5

    2be44f2f5ea83cbc61fbd13b50c0f88c

  • SHA1

    f44df0aeb39d32c7fcff0b60e1e1283f051cd8c9

  • SHA256

    cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a

  • SHA512

    95f321154f0fee3171d735ec19c0c44dfb1e67f979b6590ebb134b7f14f8510c69b66d1c67a161481e643c52e61965e410c52a6779c89e3e41b04bc73e8bd7e2

  • SSDEEP

    49152:KvyI22SsaNYfdPBldt698dBcjHXBnubRZELoGdaTHHB72eh2NT:Kvf22SsaNYfdPBldt6+dBcjHXBnoK

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

AUTRE

C2

voltazur.ddns.net:4789

Mutex

eddf685a-87b7-4f5a-9bac-e09fd56aab1e

Attributes
  • encryption_key

    77E1CE64C90713D69376A654F4C56C1E0262C545

  • install_name

    Clients.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    WindowsSystemTask

  • subdirectory

    SubDare

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe
    "C:\Users\Admin\AppData\Local\Temp\cd3dea94c6c2ddb8efc1efa8c5e105edde87ecbb18ab75b5d5fb7bc502542f5a.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2260
    • C:\Program Files\SubDare\Clients.exe
      "C:\Program Files\SubDare\Clients.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1000
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lbRxf9X8ebso.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:380
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:1568
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2008
          • C:\Program Files\SubDare\Clients.exe
            "C:\Program Files\SubDare\Clients.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:400
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:4732
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jt3US3w2aogo.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:608
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4640
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:4744
                • C:\Program Files\SubDare\Clients.exe
                  "C:\Program Files\SubDare\Clients.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4872
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:4672
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1kuGlddAwgXH.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1124
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:412
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:3784
                      • C:\Program Files\SubDare\Clients.exe
                        "C:\Program Files\SubDare\Clients.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2296
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:2844
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9I4gOqMdXk0U.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:828
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:1080
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:3096
                            • C:\Program Files\SubDare\Clients.exe
                              "C:\Program Files\SubDare\Clients.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:2328
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:1688
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAfFTg0aKnCv.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3256
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:1924
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:3000
                                  • C:\Program Files\SubDare\Clients.exe
                                    "C:\Program Files\SubDare\Clients.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:4512
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4080
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsFbQ1NdjjNk.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:2236
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:3840
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:4476
                                        • C:\Program Files\SubDare\Clients.exe
                                          "C:\Program Files\SubDare\Clients.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2596
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1928
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwzDtIKTzmmN.bat" "
                                            15⤵
                                              PID:4732
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:2344
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:4832
                                                • C:\Program Files\SubDare\Clients.exe
                                                  "C:\Program Files\SubDare\Clients.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:4844
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4936
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M6gS3LhqcRB0.bat" "
                                                    17⤵
                                                      PID:5064
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:3572
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:1176
                                                        • C:\Program Files\SubDare\Clients.exe
                                                          "C:\Program Files\SubDare\Clients.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:5008
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2808
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SE8FuEsdWks0.bat" "
                                                            19⤵
                                                              PID:4792
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:1748
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:1872
                                                                • C:\Program Files\SubDare\Clients.exe
                                                                  "C:\Program Files\SubDare\Clients.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2648
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3764
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lnub3REabM9N.bat" "
                                                                    21⤵
                                                                      PID:3104
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:2940
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:860
                                                                        • C:\Program Files\SubDare\Clients.exe
                                                                          "C:\Program Files\SubDare\Clients.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:4040
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:4352
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GHA3eFgErzur.bat" "
                                                                            23⤵
                                                                              PID:1760
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:1924
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  • Runs ping.exe
                                                                                  PID:4460
                                                                                • C:\Program Files\SubDare\Clients.exe
                                                                                  "C:\Program Files\SubDare\Clients.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:872
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:2944
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MdeVntnpAgl9.bat" "
                                                                                    25⤵
                                                                                      PID:4272
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:1836
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:4960
                                                                                        • C:\Program Files\SubDare\Clients.exe
                                                                                          "C:\Program Files\SubDare\Clients.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4948
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                                                                                            27⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:1328
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qdSROlPn9Rz3.bat" "
                                                                                            27⤵
                                                                                              PID:2596
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                28⤵
                                                                                                  PID:2020
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  28⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:5108
                                                                                                • C:\Program Files\SubDare\Clients.exe
                                                                                                  "C:\Program Files\SubDare\Clients.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:4504
                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                    "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                                                                                                    29⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:368
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zF9xqWl8CfuF.bat" "
                                                                                                    29⤵
                                                                                                      PID:3540
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        30⤵
                                                                                                          PID:756
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          30⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:2264
                                                                                                        • C:\Program Files\SubDare\Clients.exe
                                                                                                          "C:\Program Files\SubDare\Clients.exe"
                                                                                                          30⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:2156
                                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                            "schtasks" /create /tn "WindowsSystemTask" /sc ONLOGON /tr "C:\Program Files\SubDare\Clients.exe" /rl HIGHEST /f
                                                                                                            31⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:2860
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v1E6BnfFvS2A.bat" "
                                                                                                            31⤵
                                                                                                              PID:412
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                32⤵
                                                                                                                  PID:4000
                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                  ping -n 10 localhost
                                                                                                                  32⤵
                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:4708

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads

                                                  • C:\Program Files\SubDare\Clients.exe

                                                    Filesize

                                                    3.1MB

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Clients.exe.log

                                                    Filesize

                                                    2KB

                                                  • C:\Users\Admin\AppData\Local\Temp\1kuGlddAwgXH.bat

                                                    Filesize

                                                    195B

                                                  • C:\Users\Admin\AppData\Local\Temp\9I4gOqMdXk0U.bat

                                                    Filesize

                                                    195B

                                                  • C:\Users\Admin\AppData\Local\Temp\GHA3eFgErzur.bat

                                                    Filesize

                                                    195B

                                                  • C:\Users\Admin\AppData\Local\Temp\Lnub3REabM9N.bat

                                                    Filesize

                                                    195B

                                                  • C:\Users\Admin\AppData\Local\Temp\M6gS3LhqcRB0.bat

                                                    Filesize

                                                    195B

                                                  • C:\Users\Admin\AppData\Local\Temp\MdeVntnpAgl9.bat

                                                    Filesize

                                                    195B

                                                  • C:\Users\Admin\AppData\Local\Temp\SE8FuEsdWks0.bat

                                                    Filesize

                                                    195B

                                                  • C:\Users\Admin\AppData\Local\Temp\ZwzDtIKTzmmN.bat

                                                    Filesize

                                                    195B

                                                  • C:\Users\Admin\AppData\Local\Temp\jt3US3w2aogo.bat

                                                    Filesize

                                                    195B

                                                  • C:\Users\Admin\AppData\Local\Temp\lbRxf9X8ebso.bat

                                                    Filesize

                                                    195B

                                                  • C:\Users\Admin\AppData\Local\Temp\mAfFTg0aKnCv.bat

                                                    Filesize

                                                    195B

                                                  • C:\Users\Admin\AppData\Local\Temp\qdSROlPn9Rz3.bat

                                                    Filesize

                                                    195B

                                                  • C:\Users\Admin\AppData\Local\Temp\v1E6BnfFvS2A.bat

                                                    Filesize

                                                    195B

                                                  • C:\Users\Admin\AppData\Local\Temp\zF9xqWl8CfuF.bat

                                                    Filesize

                                                    195B

                                                  • C:\Users\Admin\AppData\Local\Temp\zsFbQ1NdjjNk.bat

                                                    Filesize

                                                    195B
