Resubmissions

27/12/2024, 08:03

241227-jxp4patlbl 10

27/12/2024, 08:02

241227-jxfj9atlbk 10

Analysis

  • max time kernel
    141s
  • max time network
    142s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags
    arch:x64
    arch:x86
    image:win10ltsc2021-20241211-en
    locale:en-us
    os:windows10-ltsc 2021-x64
    system
  • submitted
    27/12/2024, 08:02

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    c0a15477ed759cacb6e41c32df4ee3b6

  • SHA1

    1105f1a6da7fc5286fc6bbf3bb09b0640c390475

  • SHA256

    40b1e1519d9240e23b0052b13f30cac24db6c23814fb91ec3c151f6e8a477858

  • SHA512

    595c423778602e61e37ba19761c43d6b333357113e31c50cc0947336a122cf3499e2924af3dc523e57df79fd0be435e61286f9c255630d95b56adc15735e6bfa

  • SSDEEP

    49152:WvEt62XlaSFNWPjljiFa2RoUYI4bRJ6rbR3LoGdDNTHHB72eh2NT:WvY62XlaSFNWPjljiFXRoUYI4bRJ69T

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Ljqzskib:4782

Mutex

6d2bad0c-8668-4007-b0ab-432a32c2b700

Attributes
  • encryption_key

    EBBC63CA357CC42C1ADBEA1947460FC46B646E71

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    file explorer start up

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload (2 IoCs)
  • Checks computer location settings (2 TTPs, 12 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (12 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 12 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe (1 TTPs, 12 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTPs, 13 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken (13 IoCs)
  • Suspicious use of FindShellTrayWindow (12 IoCs)
  • Suspicious use of SendNotifyMessage (12 IoCs)
  • Suspicious use of SetWindowsHookEx (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2352
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1540
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EK4NKuL7T0nT.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:760
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2412
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:984
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:5052
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:4536
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4o74w0EbJOPQ.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4648
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2824
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2984
                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:5020
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:4780
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cUmgRpVKT13Z.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:60
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:3368
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:1532
                      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:420
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:2384
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q30iA4bCw9zn.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3784
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:1820
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:5088
                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of SetWindowsHookEx
                              • Suspicious use of WriteProcessMemory
                              PID:4616
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:2448
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKHXlvrxOkxE.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2060
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:3692
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:1028
                                  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    • Suspicious use of SetWindowsHookEx
                                    • Suspicious use of WriteProcessMemory
                                    PID:2724
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4084
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C7U6hAz5OIuS.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:2836
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:3240
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:3192
                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of FindShellTrayWindow
                                          • Suspicious use of SendNotifyMessage
                                          • Suspicious use of SetWindowsHookEx
                                          PID:964
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1868
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1STon5kE5aOe.bat" "
                                            15⤵
                                              PID:3736
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:1040
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:1892
                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SendNotifyMessage
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:3616
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:328
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NHTYCbXs4VIX.bat" "
                                                    17⤵
                                                      PID:2924
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:1140
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:1168
                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of FindShellTrayWindow
                                                          • Suspicious use of SendNotifyMessage
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:4428
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:388
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O647Qrxlp72l.bat" "
                                                            19⤵
                                                              PID:4792
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:2732
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:3280
                                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • Suspicious use of FindShellTrayWindow
                                                                  • Suspicious use of SendNotifyMessage
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:936
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3160
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l6CnUaZxtvYu.bat" "
                                                                    21⤵
                                                                      PID:2676
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:4640
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:2448
                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • Suspicious use of FindShellTrayWindow
                                                                          • Suspicious use of SendNotifyMessage
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:2756
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:2300
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SRS9PfQHnbxu.bat" "
                                                                            23⤵
                                                                              PID:1232
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:4044
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  • Runs ping.exe
                                                                                  PID:3624
                                                                                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  • Suspicious use of SendNotifyMessage
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  PID:3060
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "file explorer start up" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:4200
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nTgwkYW2kPoG.bat" "
                                                                                    25⤵
                                                                                      PID:4280
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:2796
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:2916

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

    Filesize

    2KB

    MD5

    7787ce173dfface746f5a9cf5477883d

    SHA1

    4587d870e914785b3a8fb017fec0c0f1c7ec0004

    SHA256

    c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

    SHA512

    3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

  • C:\Users\Admin\AppData\Local\Temp\1STon5kE5aOe.bat

    Filesize

    207B

    MD5

    60d32ce244cd3f01425c516d75625ef3

    SHA1

    c292d5edfeaa43c785bc29574e588c7f95cb63b1

    SHA256

    62ba2950a6a2c0f7ddd5f4625c88bf4019d655f31bd777d12fa94d2b58cfdf00

    SHA512

    300180f9907d37cef61ec5ce93349fd1ac434b3a6626c08fca1974606581eb073192d1cbadcbb57db6c2a4a30876d19a069f3da1a9a783f6fbd828255a3debeb

  • C:\Users\Admin\AppData\Local\Temp\4o74w0EbJOPQ.bat

    Filesize

    207B

    MD5

    c7b4c038cabfa1e7fe763e30c497552a

    SHA1

    4e0f324bd6c5572987dd924f51e4afc1e84bf5f4

    SHA256

    f9c24a9430a03b6fec888314f5d6a27a92b5ad687429a2c860e5ca01d021cec0

    SHA512

    147906cc92887ed56ee1adf79ea1fc7a165d348c61892fc3639208e9a58c8d3ae0cfefe2c4783e9390d03b0d3d562ca0927267b391155273788895bbfb8357a5

  • C:\Users\Admin\AppData\Local\Temp\C7U6hAz5OIuS.bat

    Filesize

    207B

    MD5

    f61b3550058649f746a698b98d23f971

    SHA1

    63d96a8c7dca7c6bcf64f45232b00ed876ff9120

    SHA256

    4a9489452525a64609d55aea088634dccf997dc382b4d5de0deff4cf9a743847

    SHA512

    f894d289ab9d71ce1a03d76cf43a52e8a1707ffcb75e8c2917b1159de710f1f0d298145779d90c083ab83559fbbd045668d8a4e0323962e4ce8b7367289cf154

  • C:\Users\Admin\AppData\Local\Temp\EK4NKuL7T0nT.bat

    Filesize

    207B

    MD5

    df9bbe5d5e25d743e81864290807876a

    SHA1

    ddce4a98858d216e2416f194e672916a3e60422c

    SHA256

    9a7355c6fe45d82fb80c79b7482ffd50542389a2b2c1ad867ed8ef932dd9d301

    SHA512

    0c8f91489399e33f290c8901be32251472ac3f4e692682a9cc86833bc21f963084b9f4c24681a4583ada3978dbe96394040bd254246b6f3b4a7c178440c96118

  • C:\Users\Admin\AppData\Local\Temp\NHTYCbXs4VIX.bat

    Filesize

    207B

                                        MD5

                                        80e637628cd5791ecc202215f390d1aa

                                        SHA1

                                        a09ac468c0b65bdf40c776ab05554c124f000db3

                                        SHA256

                                        d97ec66ec5078e4a69445f42dd7f627e43fa7a6a6851248f2d35bbf55dc94887

                                        SHA512

                                        6b14a62954d72721cdcadcaaf99d6f4d650b03d9a9ff122bc7728162eaaef3ad733ef566d00c440e34a0e34e843d52b80970b9c00c1d55ca2a305d3aa502973f

                                      • C:\Users\Admin\AppData\Local\Temp\O647Qrxlp72l.bat

                                        Filesize

                                        207B

                                        MD5

                                        966e60cd2cecedb73c428318de04d3e6

                                        SHA1

                                        1250ff0a26474bfc5e3859bf0b01dd9b53e2fed1

                                        SHA256

                                        c74946bcde1962339abe30f089311e577e2d08b6582e4e6d63679d21e47678ea

                                        SHA512

                                        092c1650720edb8db643e1032fe320c1f26de83116bcdb3ef3b86294a973e2218487556ca230c4f875bf10b9c252e730004f38d75df2bf1944942e7b0252ca11

                                      • C:\Users\Admin\AppData\Local\Temp\RKHXlvrxOkxE.bat

                                        Filesize

                                        207B

                                        MD5

                                        5fe8bffc3e8df05672e13ff1bb017b9e

                                        SHA1

                                        704dfb6d949457fda1e47c90a6fbbf10a900a014

                                        SHA256

                                        29e509d6b80d14e772fb6670047c175ec9b36c5983a74026a67e8b50f130e325

                                        SHA512

                                        9331edf8c0883237bc24dceb9843d036968365a5c8241b007195defef345af6eb37ba5f7fe16224b18b07c66212b1f128c50d8556d26cb108064be5dfe3c6f88

                                      • C:\Users\Admin\AppData\Local\Temp\SRS9PfQHnbxu.bat

                                        Filesize

                                        207B

                                        MD5

                                        8de2d46b30461a81066f686887949391

                                        SHA1

                                        701ee5e2442826b226b26395498860d4ef49f221

                                        SHA256

                                        9a3f8355a314a3d62b75757186ed4471810140883766631275bdfa836377e334

                                        SHA512

                                        347001aa67d9199470e48a08d5637bed1073e003f9975f57f4dfad3f0c5a028e37f2a8305476becda7657703630c43b9c8e407b4f36f9f61ced09cbebedfd059

                                      • C:\Users\Admin\AppData\Local\Temp\cUmgRpVKT13Z.bat

                                        Filesize

                                        207B

                                        MD5

                                        72f1d2fe70a613e0b5e95cdabd655df2

                                        SHA1

                                        85a63fdec3b57f8ae46124675b026fc899f2b2b9

                                        SHA256

                                        4433fcb2e63467d84eefc59662441dfad5aa7001f1978f4a7886a22532570546

                                        SHA512

                                        a3a4e39d2adb567b96e30fe6f06da64d83f394174d75a1af2c8951d9b3c7a1a8090d9f3915b50b31833756ac848697ee7cc7f22a04254accd39c1b660d81e837

                                      • C:\Users\Admin\AppData\Local\Temp\l6CnUaZxtvYu.bat

                                        Filesize

                                        207B

                                        MD5

                                        8ffa0fea66be91f03b87f7801ffc1b1f

                                        SHA1

                                        c35e2651cee6f82e622e55b9ceceab51e026aba2

                                        SHA256

                                        f78cc903511f57457f6b92a5c82e344c4e82fa21d332b4e995a94d3e9640f250

                                        SHA512

                                        0dcf46526945234b40a56585f4a98484a923ab80329286adf1b490ea8f67cab188b1649068118c402584e616688d85bed2c2122bb20a43a928fe6f733a719909

                                      • C:\Users\Admin\AppData\Local\Temp\nTgwkYW2kPoG.bat

                                        Filesize

                                        207B

                                        MD5

                                        db0850a0902b2f0a12f0e1434c0f5092

                                        SHA1

                                        315c014f42a8d84e7f88b9e6ede5c42d5852b5db

                                        SHA256

                                        e3a2cb58403174ed6a83c8fe735d1b5c74a9abdc215778df54d4e6f523f3daca

                                        SHA512

                                        f050178e981187bbccb24ce8abb9f2fdd331d8af81b86bc137880d45611e60a85ec5e26008f15bbca9f0236d947f89925cfb93410047f737450920d30724eb4e

                                      • C:\Users\Admin\AppData\Local\Temp\q30iA4bCw9zn.bat

                                        Filesize

                                        207B

                                        MD5

                                        8c6ba4390535c299c9bcec664ba5f580

                                        SHA1

                                        48a7361a8f75848deefb39cfa2a51585dc5fadf1

                                        SHA256

                                        ad576837fea0c8c48288cdff50d3aba9216af7482f54df34fef72fbafda1b48c

                                        SHA512

                                        21b948b44050ef8106374e8579c7a2636cadd9f6608af12617fdd34194a69f15d1f1ab170e4dd12931466d1b8ade9a57d2eb4bf313af16fe40e65187533603e1

                                      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

                                        Filesize

                                        3.1MB

                                        MD5

                                        c0a15477ed759cacb6e41c32df4ee3b6

                                        SHA1

                                        1105f1a6da7fc5286fc6bbf3bb09b0640c390475

                                        SHA256

                                        40b1e1519d9240e23b0052b13f30cac24db6c23814fb91ec3c151f6e8a477858

                                        SHA512

                                        595c423778602e61e37ba19761c43d6b333357113e31c50cc0947336a122cf3499e2924af3dc523e57df79fd0be435e61286f9c255630d95b56adc15735e6bfa

                                      • memory/1388-0-0x00007FF85CBE3000-0x00007FF85CBE5000-memory.dmp

                                        Filesize

                                        8KB

                                      • memory/1388-5-0x00007FF85CBE0000-0x00007FF85D6A2000-memory.dmp

                                        Filesize

                                        10.8MB

                                      • memory/1388-2-0x00007FF85CBE0000-0x00007FF85D6A2000-memory.dmp

                                        Filesize

                                        10.8MB

                                      • memory/1388-1-0x0000000000EE0000-0x0000000001204000-memory.dmp

                                        Filesize

                                        3.1MB

                                      • memory/2088-6-0x00007FF85CBE0000-0x00007FF85D6A2000-memory.dmp

                                        Filesize

                                        10.8MB

                                      • memory/2088-18-0x00007FF85CBE0000-0x00007FF85D6A2000-memory.dmp

                                        Filesize

                                        10.8MB

                                      • memory/2088-9-0x000000001CA60000-0x000000001CB12000-memory.dmp

                                        Filesize

                                        712KB

                                      • memory/2088-8-0x000000001C950000-0x000000001C9A0000-memory.dmp

                                        Filesize

                                        320KB

                                      • memory/2088-7-0x00007FF85CBE0000-0x00007FF85D6A2000-memory.dmp

                                        Filesize

                                        10.8MB