Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-01-2025 10:58

General

  • Target

    2klz.exe

  • Size

    3.1MB

  • MD5

    01cb0e497f40e7d02f93255475f175e1

  • SHA1

    98c779497d6514b91cd1410f627a5320f6b3eab5

  • SHA256

    15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95

  • SHA512

    fc81504089f520935d95e98ea867faf3dcc44b2399c418fea95f193c45584d72730868ce4362beef4adc5f9a89c008da1fc7a529a35a6cc7803d0ca15f386ef9

  • SSDEEP

    49152:TvalL26AaNeWgPhlmVqvMQ7XSKKGRJ69bR3LoGdEMgTHHB72eh2NT:TvCL26AaNeWgPhlmVqkQ7XSKKGRJ6PU

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Extazz24535-22930.portmap.host:22930

Mutex

89f58ee5-7af9-42de-843f-2a331a641e3f

Attributes
  • encryption_key

    CD4F349DEB46AEE10C2FE886E5B2BD7A766723CE

  • install_name

    2klz.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2klz.exe
    "C:\Users\Admin\AppData\Local\Temp\2klz.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g87pAU03xwoT.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5100
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:412
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4204
          • C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3800
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qxsKxvlbphqM.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3984
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2320
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:3120
                • C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:4652
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmzSgpKHpk12.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2556
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:4996
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:4528
                      • C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:4748
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hImAvNc6Yf1P.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4056
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:4340
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:1032
                            • C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of WriteProcessMemory
                              PID:1516
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M4V0djVf2fiw.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:764
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:1240
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:2288
                                  • C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
                                    "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    • Suspicious use of WriteProcessMemory
                                    PID:3532
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgghoKz3RyaW.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:3392
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:4132
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:3672
                                        • C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
                                          "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of FindShellTrayWindow
                                          • Suspicious use of SendNotifyMessage
                                          • Suspicious use of WriteProcessMemory
                                          PID:3988
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4hwTBzv3sylT.bat" "
                                            15⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:3776
                                            • C:\Windows\system32\chcp.com
                                              chcp 65001
                                              16⤵
                                                PID:4604
                                              • C:\Windows\system32\PING.EXE
                                                ping -n 10 localhost
                                                16⤵
                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                • Runs ping.exe
                                                PID:2716
                                              • C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
                                                "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
                                                16⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of FindShellTrayWindow
                                                • Suspicious use of SendNotifyMessage
                                                • Suspicious use of WriteProcessMemory
                                                PID:4616
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bb9enGKS7N0q.bat" "
                                                  17⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:4024
                                                  • C:\Windows\system32\chcp.com
                                                    chcp 65001
                                                    18⤵
                                                      PID:5088
                                                    • C:\Windows\system32\PING.EXE
                                                      ping -n 10 localhost
                                                      18⤵
                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                      • Runs ping.exe
                                                      PID:740
                                                    • C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
                                                      "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
                                                      18⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of FindShellTrayWindow
                                                      • Suspicious use of SendNotifyMessage
                                                      PID:3436
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwgmjxzh39Pv.bat" "
                                                        19⤵
                                                          PID:4064
                                                          • C:\Windows\system32\chcp.com
                                                            chcp 65001
                                                            20⤵
                                                              PID:448
                                                            • C:\Windows\system32\PING.EXE
                                                              ping -n 10 localhost
                                                              20⤵
                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                              • Runs ping.exe
                                                              PID:1372
                                                            • C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
                                                              "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
                                                              20⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • Suspicious use of FindShellTrayWindow
                                                              • Suspicious use of SendNotifyMessage
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:4792
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4STQcweGkASl.bat" "
                                                                21⤵
                                                                  PID:4644
                                                                  • C:\Windows\system32\chcp.com
                                                                    chcp 65001
                                                                    22⤵
                                                                      PID:4796
                                                                    • C:\Windows\system32\PING.EXE
                                                                      ping -n 10 localhost
                                                                      22⤵
                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                      • Runs ping.exe
                                                                      PID:4112
                                                                    • C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
                                                                      "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
                                                                      22⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      • Suspicious use of FindShellTrayWindow
                                                                      • Suspicious use of SendNotifyMessage
                                                                      PID:2072
                                                                      • C:\Windows\system32\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gZL6XnkGQP65.bat" "
                                                                        23⤵
                                                                          PID:2232
                                                                          • C:\Windows\system32\chcp.com
                                                                            chcp 65001
                                                                            24⤵
                                                                              PID:532
                                                                            • C:\Windows\system32\PING.EXE
                                                                              ping -n 10 localhost
                                                                              24⤵
                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                              • Runs ping.exe
                                                                              PID:1572
                                                                            • C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
                                                                              "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
                                                                              24⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • Suspicious use of FindShellTrayWindow
                                                                              • Suspicious use of SendNotifyMessage
                                                                              PID:4056
                                                                              • C:\Windows\system32\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v7zayhLiXGx4.bat" "
                                                                                25⤵
                                                                                  PID:1480
                                                                                  • C:\Windows\system32\chcp.com
                                                                                    chcp 65001
                                                                                    26⤵
                                                                                      PID:1956
                                                                                    • C:\Windows\system32\PING.EXE
                                                                                      ping -n 10 localhost
                                                                                      26⤵
                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                      • Runs ping.exe
                                                                                      PID:1224
                                                                                    • C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
                                                                                      "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
                                                                                      26⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                      • Suspicious use of SendNotifyMessage
                                                                                      PID:4848
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K7dz2InmZd7q.bat" "
                                                                                        27⤵
                                                                                          PID:3352
                                                                                          • C:\Windows\system32\chcp.com
                                                                                            chcp 65001
                                                                                            28⤵
                                                                                              PID:2600
                                                                                            • C:\Windows\system32\PING.EXE
                                                                                              ping -n 10 localhost
                                                                                              28⤵
                                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                                              • Runs ping.exe
                                                                                              PID:1260
                                                                                            • C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
                                                                                              "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
                                                                                              28⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                              • Suspicious use of SendNotifyMessage
                                                                                              PID:1004
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8dwpZxdeJyrf.bat" "
                                                                                                29⤵
                                                                                                  PID:4276
                                                                                                  • C:\Windows\system32\chcp.com
                                                                                                    chcp 65001
                                                                                                    30⤵
                                                                                                      PID:1816
                                                                                                    • C:\Windows\system32\PING.EXE
                                                                                                      ping -n 10 localhost
                                                                                                      30⤵
                                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                      • Runs ping.exe
                                                                                                      PID:1324
                                                                                                    • C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
                                                                                                      "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
                                                                                                      30⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                                      • Suspicious use of SendNotifyMessage
                                                                                                      PID:2716
                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9XaKpqPobLoO.bat" "
                                                                                                        31⤵
                                                                                                          PID:3256
                                                                                                          • C:\Windows\system32\chcp.com
                                                                                                            chcp 65001
                                                                                                            32⤵
                                                                                                              PID:5088
                                                                                                            • C:\Windows\system32\PING.EXE
                                                                                                              ping -n 10 localhost
                                                                                                              32⤵
                                                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                              • Runs ping.exe
                                                                                                              PID:4648

Network

MITRE ATT&CK Enterprise v15

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2klz.exe.log

                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Local\Temp\4STQcweGkASl.bat

                                                Filesize

                                                205B

                                              • C:\Users\Admin\AppData\Local\Temp\4hwTBzv3sylT.bat

                                                Filesize

                                                205B

                                              • C:\Users\Admin\AppData\Local\Temp\8dwpZxdeJyrf.bat

                                                Filesize

                                                205B

                                              • C:\Users\Admin\AppData\Local\Temp\9XaKpqPobLoO.bat

                                                Filesize

                                                205B

                                              • C:\Users\Admin\AppData\Local\Temp\K7dz2InmZd7q.bat

                                                Filesize

                                                205B

                                              • C:\Users\Admin\AppData\Local\Temp\M4V0djVf2fiw.bat

                                                Filesize

                                                205B

                                              • C:\Users\Admin\AppData\Local\Temp\VmzSgpKHpk12.bat

                                                Filesize

                                                205B

                                              • C:\Users\Admin\AppData\Local\Temp\bb9enGKS7N0q.bat

                                                Filesize

                                                205B

                                              • C:\Users\Admin\AppData\Local\Temp\g87pAU03xwoT.bat

                                                Filesize

                                                205B

                                              • C:\Users\Admin\AppData\Local\Temp\gZL6XnkGQP65.bat

                                                Filesize

                                                205B

                                              • C:\Users\Admin\AppData\Local\Temp\gwgmjxzh39Pv.bat

                                                Filesize

                                                205B

                                              • C:\Users\Admin\AppData\Local\Temp\hImAvNc6Yf1P.bat

                                                Filesize

                                                205B

                                              • C:\Users\Admin\AppData\Local\Temp\lgghoKz3RyaW.bat

                                                Filesize

                                                205B

                                              • C:\Users\Admin\AppData\Local\Temp\qxsKxvlbphqM.bat

                                                Filesize

                                                205B

                                              • C:\Users\Admin\AppData\Local\Temp\v7zayhLiXGx4.bat

                                                Filesize

                                                205B

                                              • C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe

                                                Filesize

                                                3.1MB

                                              • memory/1048-0-0x00007FFBF2B73000-0x00007FFBF2B75000-memory.dmp

                                                Filesize

                                                8KB

                                              • memory/1048-11-0x00007FFBF2B70000-0x00007FFBF3631000-memory.dmp

                                                Filesize

                                                10.8MB

                                              • memory/1048-2-0x00007FFBF2B70000-0x00007FFBF3631000-memory.dmp

                                                Filesize

                                                10.8MB

                                              • memory/1048-1-0x0000000000360000-0x0000000000684000-memory.dmp

                                                Filesize

                                                3.1MB

                                              • memory/3540-18-0x00007FFBF2B70000-0x00007FFBF3631000-memory.dmp

                                                Filesize

                                                10.8MB

                                              • memory/3540-14-0x000000001DD10000-0x000000001DDC2000-memory.dmp

                                                Filesize

                                                712KB

                                              • memory/3540-13-0x000000001DC00000-0x000000001DC50000-memory.dmp

                                                Filesize

                                                320KB

                                              • memory/3540-12-0x00007FFBF2B70000-0x00007FFBF3631000-memory.dmp

                                                Filesize

                                                10.8MB

                                              • memory/3540-10-0x00007FFBF2B70000-0x00007FFBF3631000-memory.dmp

                                                Filesize

                                                10.8MB