quasar | 5605c73c546e1dc58135d9f966e449d4acf0e791f4095989f4b746522e726f27

Analysis

max time kernel
147s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
27-06-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

dc2017d875a294af1881e553b11b8717
SHA1

40b4ab857db967b61d4708943f157f248c49b844
SHA256

5605c73c546e1dc58135d9f966e449d4acf0e791f4095989f4b746522e726f27
SHA512

faf2982b82dade07c2c88425bdc8f77ee4ee6e28d850f612db7e370547afd2c6337b6cc5b0087685a199e1e83d6666fcaae0109aa89bf6ea4ca2d150b9972262
SSDEEP

49152:PvEt62XlaSFNWPjljiFa2RoUYIkdyRfDKoGdf+THHB72eh2NT:PvY62XlaSFNWPjljiFXRoUYIkdyRfm

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

0.tcp.eu.ngrok.io:12165

Mutex

fbfe2df1-f4ca-4d07-920f-4075f27bc8a1

Attributes

encryption_key
B22432E943AA88394E5F97387369DCA7D8B67608
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
system 32
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/236-1-0x0000000000740000-0x0000000000A64000-memory.dmp family_quasar
C:\Windows\System32\SubDir\Client.exe family_quasar
Executes dropped EXE 7 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

3048 Client.exe
5012 Client.exe
1000 Client.exe
1544 Client.exe
4400 Client.exe
4728 Client.exe
2732 Client.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

14 0.tcp.eu.ngrok.io
1 0.tcp.eu.ngrok.io
5 0.tcp.eu.ngrok.io
10 0.tcp.eu.ngrok.io
11 0.tcp.eu.ngrok.io
12 0.tcp.eu.ngrok.io
13 0.tcp.eu.ngrok.io

resource	yara_rule
behavioral1/memory/236-1-0x0000000000740000-0x0000000000A64000-memory.dmp	family_quasar
C:\Windows\System32\SubDir\Client.exe	family_quasar

pid	process
3048	Client.exe
5012	Client.exe
1000	Client.exe
1544	Client.exe
4400	Client.exe
4728	Client.exe
2732	Client.exe

flow	ioc
14	0.tcp.eu.ngrok.io
1	0.tcp.eu.ngrok.io
5	0.tcp.eu.ngrok.io
10	0.tcp.eu.ngrok.io
11	0.tcp.eu.ngrok.io
12	0.tcp.eu.ngrok.io
13	0.tcp.eu.ngrok.io

Drops file in System32 directory 17 IoCs

Processes:

Client-built.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
File created	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

1504 PING.EXE
4808 PING.EXE
4048 PING.EXE
1388 PING.EXE
1040 PING.EXE
1984 PING.EXE
3104 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1692 schtasks.exe
1548 schtasks.exe
2072 schtasks.exe
4900 schtasks.exe
1804 schtasks.exe
1444 schtasks.exe
1552 schtasks.exe
1688 schtasks.exe

pid	process
1504	PING.EXE
4808	PING.EXE
4048	PING.EXE
1388	PING.EXE
1040	PING.EXE
1984	PING.EXE
3104	PING.EXE

pid	process
1692	schtasks.exe
1548	schtasks.exe
2072	schtasks.exe
4900	schtasks.exe
1804	schtasks.exe
1444	schtasks.exe
1552	schtasks.exe
1688	schtasks.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Client-built.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	236	Client-built.exe
Token: SeDebugPrivilege	3048	Client.exe
Token: SeDebugPrivilege	5012	Client.exe
Token: SeDebugPrivilege	1000	Client.exe
Token: SeDebugPrivilege	1544	Client.exe
Token: SeDebugPrivilege	4400	Client.exe
Token: SeDebugPrivilege	4728	Client.exe
Token: SeDebugPrivilege	2732	Client.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

3048 Client.exe
5012 Client.exe
1000 Client.exe
1544 Client.exe
4400 Client.exe
4728 Client.exe
2732 Client.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

3048 Client.exe
5012 Client.exe
1000 Client.exe
1544 Client.exe
4400 Client.exe
4728 Client.exe
2732 Client.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

3048 Client.exe
5012 Client.exe
1000 Client.exe
1544 Client.exe
4400 Client.exe
4728 Client.exe
2732 Client.exe

pid	process
3048	Client.exe
5012	Client.exe
1000	Client.exe
1544	Client.exe
4400	Client.exe
4728	Client.exe
2732	Client.exe

pid	process
3048	Client.exe
5012	Client.exe
1000	Client.exe
1544	Client.exe
4400	Client.exe
4728	Client.exe
2732	Client.exe

pid	process
3048	Client.exe
5012	Client.exe
1000	Client.exe
1544	Client.exe
4400	Client.exe
4728	Client.exe
2732	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 236 wrote to memory of 1804	236	Client-built.exe	schtasks.exe
PID 236 wrote to memory of 1804	236	Client-built.exe	schtasks.exe
PID 236 wrote to memory of 3048	236	Client-built.exe	Client.exe
PID 236 wrote to memory of 3048	236	Client-built.exe	Client.exe
PID 3048 wrote to memory of 1444	3048	Client.exe	schtasks.exe
PID 3048 wrote to memory of 1444	3048	Client.exe	schtasks.exe
PID 3048 wrote to memory of 3148	3048	Client.exe	cmd.exe
PID 3048 wrote to memory of 3148	3048	Client.exe	cmd.exe
PID 3148 wrote to memory of 5116	3148	cmd.exe	chcp.com
PID 3148 wrote to memory of 5116	3148	cmd.exe	chcp.com
PID 3148 wrote to memory of 1504	3148	cmd.exe	PING.EXE
PID 3148 wrote to memory of 1504	3148	cmd.exe	PING.EXE
PID 3148 wrote to memory of 5012	3148	cmd.exe	Client.exe
PID 3148 wrote to memory of 5012	3148	cmd.exe	Client.exe
PID 5012 wrote to memory of 1552	5012	Client.exe	schtasks.exe
PID 5012 wrote to memory of 1552	5012	Client.exe	schtasks.exe
PID 5012 wrote to memory of 3672	5012	Client.exe	cmd.exe
PID 5012 wrote to memory of 3672	5012	Client.exe	cmd.exe
PID 3672 wrote to memory of 1508	3672	cmd.exe	chcp.com
PID 3672 wrote to memory of 1508	3672	cmd.exe	chcp.com
PID 3672 wrote to memory of 4808	3672	cmd.exe	PING.EXE
PID 3672 wrote to memory of 4808	3672	cmd.exe	PING.EXE
PID 3672 wrote to memory of 1000	3672	cmd.exe	Client.exe
PID 3672 wrote to memory of 1000	3672	cmd.exe	Client.exe
PID 1000 wrote to memory of 1688	1000	Client.exe	schtasks.exe
PID 1000 wrote to memory of 1688	1000	Client.exe	schtasks.exe
PID 1000 wrote to memory of 3504	1000	Client.exe	cmd.exe
PID 1000 wrote to memory of 3504	1000	Client.exe	cmd.exe
PID 3504 wrote to memory of 4776	3504	cmd.exe	chcp.com
PID 3504 wrote to memory of 4776	3504	cmd.exe	chcp.com
PID 3504 wrote to memory of 4048	3504	cmd.exe	PING.EXE
PID 3504 wrote to memory of 4048	3504	cmd.exe	PING.EXE
PID 3504 wrote to memory of 1544	3504	cmd.exe	Client.exe
PID 3504 wrote to memory of 1544	3504	cmd.exe	Client.exe
PID 1544 wrote to memory of 1692	1544	Client.exe	schtasks.exe
PID 1544 wrote to memory of 1692	1544	Client.exe	schtasks.exe
PID 1544 wrote to memory of 4480	1544	Client.exe	cmd.exe
PID 1544 wrote to memory of 4480	1544	Client.exe	cmd.exe
PID 4480 wrote to memory of 912	4480	cmd.exe	chcp.com
PID 4480 wrote to memory of 912	4480	cmd.exe	chcp.com
PID 4480 wrote to memory of 1388	4480	cmd.exe	PING.EXE
PID 4480 wrote to memory of 1388	4480	cmd.exe	PING.EXE
PID 4480 wrote to memory of 4400	4480	cmd.exe	Client.exe
PID 4480 wrote to memory of 4400	4480	cmd.exe	Client.exe
PID 4400 wrote to memory of 1548	4400	Client.exe	schtasks.exe
PID 4400 wrote to memory of 1548	4400	Client.exe	schtasks.exe
PID 4400 wrote to memory of 3732	4400	Client.exe	cmd.exe
PID 4400 wrote to memory of 3732	4400	Client.exe	cmd.exe
PID 3732 wrote to memory of 828	3732	cmd.exe	chcp.com
PID 3732 wrote to memory of 828	3732	cmd.exe	chcp.com
PID 3732 wrote to memory of 1040	3732	cmd.exe	PING.EXE
PID 3732 wrote to memory of 1040	3732	cmd.exe	PING.EXE
PID 3732 wrote to memory of 4728	3732	cmd.exe	Client.exe
PID 3732 wrote to memory of 4728	3732	cmd.exe	Client.exe
PID 4728 wrote to memory of 2072	4728	Client.exe	schtasks.exe
PID 4728 wrote to memory of 2072	4728	Client.exe	schtasks.exe
PID 4728 wrote to memory of 4844	4728	Client.exe	cmd.exe
PID 4728 wrote to memory of 4844	4728	Client.exe	cmd.exe
PID 4844 wrote to memory of 4516	4844	cmd.exe	chcp.com
PID 4844 wrote to memory of 4516	4844	cmd.exe	chcp.com
PID 4844 wrote to memory of 1984	4844	cmd.exe	PING.EXE
PID 4844 wrote to memory of 1984	4844	cmd.exe	PING.EXE
PID 4844 wrote to memory of 2732	4844	cmd.exe	Client.exe
PID 4844 wrote to memory of 2732	4844	cmd.exe	Client.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:236

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "system 32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "system 32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tPCipWqAL597.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:5116

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1504

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "system 32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6gdFBxySKyJY.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:1508

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4808

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "system 32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWesT06rAZ6s.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:4776

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4048

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "system 32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUh9jAfBagUw.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:912

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:1388

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "system 32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S7HKRFq0ovrF.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:828

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1040

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "system 32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SrjB1LMjAhlv.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:4516

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:1984

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2732

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "system 32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pLhGX8rsqTlp.bat" "
15⤵
PID:460

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:2280

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3104

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6gdFBxySKyJY.bat
Filesize
196B

MD5
bd856e664014b7eea2d5ca6a888888f1

SHA1
55df959665abc2eb3fe5fd859685897f55a73a9e

SHA256
9872c372050cac8e7d52239922eea9502f17510ef29c81821ab5369a34b15efc

SHA512
8e9c77eed5f7d9629f4486c3bc8d542275083c2afd377b9f5e7dca6320f0bc6082ef8958f1df3c123cd40187ee869cc74e19f2ab2165d29c27d180c374ec65dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RWesT06rAZ6s.bat
Filesize
196B

MD5
2ead0c67d362d758471db5319625b3bd

SHA1
35cc74ea00b10f037be876d610b1b3ee68109e8d

SHA256
eb515b0237d959aec71824f5c8b4e8bdd01eff124eef94ad9d0fe3e3d69492ec

SHA512
c6cc71d7ec54397a962ac8be9bd8350d7f375801eb0a8b9f8e0e812c9ac5c0ec7aed5faaf3762b0febe6ebe13ef11271d24fe91f8bd7ca1e19fa83418843aa03

Download Submit
C:\Users\Admin\AppData\Local\Temp\S7HKRFq0ovrF.bat
Filesize
196B

MD5
14f83b666df9f6b58c12a61d713e7756

SHA1
e79f274d7b51f9adc1e3a84fd0b78c8067c8e01a

SHA256
9dd0b5b7f16c96cbf03c5002235b58bd82aca50ed7c7b74de715a7fc7dda20d3

SHA512
997b5e7908d041f1ad4d7ac240a9aca8e22dbae0271de90e3ac7c06ff6ebe8993cf1084a583fcb5622ec8c3ef3ea3c4c07faafb9a4186f2e74b4a1255199c96f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SrjB1LMjAhlv.bat
Filesize
196B

MD5
ababf88234eb347fa61179d8a44734a9

SHA1
de077f751eaf4cadf3c8b437e3ee3b730fdd280a

SHA256
685346be9a8f4b78bd99ca7ab640e4f89be004f18e344216eb45a34f0cd7e076

SHA512
2633805e9049faf133262b76ed08aeac76b86641aa75e1c4e17c4a53b666a111256fd0bbc99214e72844e51a19967698800f511bad2a821eb5f4771d35fe05d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nUh9jAfBagUw.bat
Filesize
196B

MD5
46588f341480a8738112545f2f89b49d

SHA1
9dd57652c5366caf3d3cfe758b1a338afa7771db

SHA256
a0e31bbf9d58ee1d1a831b785e93497f688a55c01732376939b3d1a8221353e1

SHA512
ceecdcf96cc01d6698a140486c93d9e68a24d14ae44f64d313773ca06f1fad5f59de9c12b747dd28e9782048b95a0cebe3c9720732b9e613f9cf23a20b5863c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pLhGX8rsqTlp.bat
Filesize
196B

MD5
2c64822b5e76b24050fc818a65402268

SHA1
7ab6ba19a98a19cc18c3393c52b879d3ca243c5e

SHA256
f209db6f1ea830570fa0550bba7652bc6d57894ea6bf1bb6d28a9287d1561452

SHA512
96e8a1993fda14108e995ffd1139192d048d935657d1614293365818676a65cd6cccdc3b2f077663dcd1c768d8db22cc51448b52b59eb812fc308f0e0ab02936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tPCipWqAL597.bat
Filesize
196B

MD5
b127f0548af21a69470c35965e4eaf8c

SHA1
1fd9c3c7383d4e2cdb65745b728e08a61c7fba4f

SHA256
56ca93c36dda0dc7522578086c7c40c827b3babf2b25cdbcf3caa0b20d81c659

SHA512
2d37d75be14bbefd3e80594c85c301f5a8bbe3b76bed0140393b981bee662b65158f9aa07e84b1f4afa926ebf6ab28703bd30be7b43018bde031ccecd87a3241

Download Submit
C:\Windows\System32\SubDir\Client.exe
Filesize
3.1MB

MD5
dc2017d875a294af1881e553b11b8717

SHA1
40b4ab857db967b61d4708943f157f248c49b844

SHA256
5605c73c546e1dc58135d9f966e449d4acf0e791f4095989f4b746522e726f27

SHA512
faf2982b82dade07c2c88425bdc8f77ee4ee6e28d850f612db7e370547afd2c6337b6cc5b0087685a199e1e83d6666fcaae0109aa89bf6ea4ca2d150b9972262

Download Submit
memory/236-9-0x00007FF9B0370000-0x00007FF9B0E32000-memory.dmp

Filesize
10.8MB

Download
memory/236-0-0x00007FF9B0373000-0x00007FF9B0375000-memory.dmp

Filesize
8KB

Download
memory/236-2-0x00007FF9B0370000-0x00007FF9B0E32000-memory.dmp

Filesize
10.8MB

Download
memory/236-1-0x0000000000740000-0x0000000000A64000-memory.dmp

Filesize
3.1MB

Download
memory/3048-18-0x00007FF9B0370000-0x00007FF9B0E32000-memory.dmp

Filesize
10.8MB

Download
memory/3048-13-0x000000001D050000-0x000000001D102000-memory.dmp

Filesize
712KB

Download
memory/3048-12-0x000000001CF40000-0x000000001CF90000-memory.dmp

Filesize
320KB

Download
memory/3048-11-0x00007FF9B0370000-0x00007FF9B0E32000-memory.dmp

Filesize
10.8MB

Download
memory/3048-10-0x00007FF9B0370000-0x00007FF9B0E32000-memory.dmp

Filesize
10.8MB

Download