quasar | 85b551f3f7d0b53ec30709df217d767e2358e74efae7df9bfa9e74f48ead784d

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

3.1MB
MD5

98cd04c4ac429841ac630d57a8407c6f
SHA1

dcbde5d92c108aceca4342ca2b89157d4bd0444e
SHA256

85b551f3f7d0b53ec30709df217d767e2358e74efae7df9bfa9e74f48ead784d
SHA512

66f7b6c4c0cd1b1abad5f5a500b77cf7601004e269acb313381cc074b58d6a127913adf0bc4da439f5df361d0252e645ab5d6ad5378c1933a8592d1997e826b3
SSDEEP

49152:Xv0uf2NUaNmwzPWlvdaKM7ZxTwHMxOFFmzqcoGd4QTHHB72eh2NT:Xvjf2NUaNmwzPWlvdaB7ZxTwsxOFMo

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

history-foo.gl.at.ply.gg:42349

Mutex

51fe5088-4e6f-43ea-a53f-ed49150587aa324254r4r3weff4f45r3ewwtrfrt

Attributes

encryption_key
CBFC5D217E55BEBDCD3A6EFA924299F76BC328D9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/4872-1-0x0000000000480000-0x00000000007A4000-memory.dmp family_quasar

resource	yara_rule
behavioral1/memory/4872-1-0x0000000000480000-0x00000000007A4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Loader.exeLoader.exeLoader.exeLoader.exeLoader.exeLoader.exeLoader.exeLoader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

316 PING.EXE
5100 PING.EXE
2224 PING.EXE
4976 PING.EXE
3996 PING.EXE
4368 PING.EXE
3844 PING.EXE
392 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

748 schtasks.exe
1900 schtasks.exe
4220 schtasks.exe
2724 schtasks.exe
4372 schtasks.exe
3180 schtasks.exe
1336 schtasks.exe
4068 schtasks.exe
5024 schtasks.exe

pid	process
316	PING.EXE
5100	PING.EXE
2224	PING.EXE
4976	PING.EXE
3996	PING.EXE
4368	PING.EXE
3844	PING.EXE
392	PING.EXE

pid	process
748	schtasks.exe
1900	schtasks.exe
4220	schtasks.exe
2724	schtasks.exe
4372	schtasks.exe
3180	schtasks.exe
1336	schtasks.exe
4068	schtasks.exe
5024	schtasks.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

Loader.exeLoader.exeLoader.exeLoader.exeLoader.exeLoader.exeLoader.exeLoader.exeLoader.exe

description	pid	process
Token: SeDebugPrivilege	4872	Loader.exe
Token: SeDebugPrivilege	1492	Loader.exe
Token: SeDebugPrivilege	812	Loader.exe
Token: SeDebugPrivilege	3016	Loader.exe
Token: SeDebugPrivilege	2628	Loader.exe
Token: SeDebugPrivilege	1160	Loader.exe
Token: SeDebugPrivilege	680	Loader.exe
Token: SeDebugPrivilege	664	Loader.exe
Token: SeDebugPrivilege	3168	Loader.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

Loader.exeLoader.exeLoader.exeLoader.exeLoader.exeLoader.exeLoader.exe

pid process

4872 Loader.exe
1492 Loader.exe
2628 Loader.exe
1160 Loader.exe
680 Loader.exe
664 Loader.exe
3168 Loader.exe

pid	process
4872	Loader.exe
1492	Loader.exe
2628	Loader.exe
1160	Loader.exe
680	Loader.exe
664	Loader.exe
3168	Loader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Loader.execmd.exeLoader.execmd.exeLoader.execmd.exeLoader.execmd.exeLoader.execmd.exeLoader.execmd.exeLoader.exe

description	pid	process	target process
PID 4872 wrote to memory of 748	4872	Loader.exe	schtasks.exe
PID 4872 wrote to memory of 748	4872	Loader.exe	schtasks.exe
PID 4872 wrote to memory of 2384	4872	Loader.exe	cmd.exe
PID 4872 wrote to memory of 2384	4872	Loader.exe	cmd.exe
PID 2384 wrote to memory of 4932	2384	cmd.exe	chcp.com
PID 2384 wrote to memory of 4932	2384	cmd.exe	chcp.com
PID 2384 wrote to memory of 316	2384	cmd.exe	PING.EXE
PID 2384 wrote to memory of 316	2384	cmd.exe	PING.EXE
PID 2384 wrote to memory of 1492	2384	cmd.exe	Loader.exe
PID 2384 wrote to memory of 1492	2384	cmd.exe	Loader.exe
PID 1492 wrote to memory of 1336	1492	Loader.exe	schtasks.exe
PID 1492 wrote to memory of 1336	1492	Loader.exe	schtasks.exe
PID 1492 wrote to memory of 3268	1492	Loader.exe	cmd.exe
PID 1492 wrote to memory of 3268	1492	Loader.exe	cmd.exe
PID 3268 wrote to memory of 1632	3268	cmd.exe	chcp.com
PID 3268 wrote to memory of 1632	3268	cmd.exe	chcp.com
PID 3268 wrote to memory of 5100	3268	cmd.exe	PING.EXE
PID 3268 wrote to memory of 5100	3268	cmd.exe	PING.EXE
PID 3268 wrote to memory of 812	3268	cmd.exe	Loader.exe
PID 3268 wrote to memory of 812	3268	cmd.exe	Loader.exe
PID 812 wrote to memory of 1900	812	Loader.exe	schtasks.exe
PID 812 wrote to memory of 1900	812	Loader.exe	schtasks.exe
PID 812 wrote to memory of 1428	812	Loader.exe	cmd.exe
PID 812 wrote to memory of 1428	812	Loader.exe	cmd.exe
PID 1428 wrote to memory of 3376	1428	cmd.exe	chcp.com
PID 1428 wrote to memory of 3376	1428	cmd.exe	chcp.com
PID 1428 wrote to memory of 2224	1428	cmd.exe	PING.EXE
PID 1428 wrote to memory of 2224	1428	cmd.exe	PING.EXE
PID 1428 wrote to memory of 3016	1428	cmd.exe	Loader.exe
PID 1428 wrote to memory of 3016	1428	cmd.exe	Loader.exe
PID 3016 wrote to memory of 4220	3016	Loader.exe	schtasks.exe
PID 3016 wrote to memory of 4220	3016	Loader.exe	schtasks.exe
PID 3016 wrote to memory of 1060	3016	Loader.exe	cmd.exe
PID 3016 wrote to memory of 1060	3016	Loader.exe	cmd.exe
PID 1060 wrote to memory of 2544	1060	cmd.exe	chcp.com
PID 1060 wrote to memory of 2544	1060	cmd.exe	chcp.com
PID 1060 wrote to memory of 4976	1060	cmd.exe	PING.EXE
PID 1060 wrote to memory of 4976	1060	cmd.exe	PING.EXE
PID 1060 wrote to memory of 2628	1060	cmd.exe	Loader.exe
PID 1060 wrote to memory of 2628	1060	cmd.exe	Loader.exe
PID 2628 wrote to memory of 2724	2628	Loader.exe	schtasks.exe
PID 2628 wrote to memory of 2724	2628	Loader.exe	schtasks.exe
PID 2628 wrote to memory of 3860	2628	Loader.exe	cmd.exe
PID 2628 wrote to memory of 3860	2628	Loader.exe	cmd.exe
PID 3860 wrote to memory of 4548	3860	cmd.exe	chcp.com
PID 3860 wrote to memory of 4548	3860	cmd.exe	chcp.com
PID 3860 wrote to memory of 3996	3860	cmd.exe	PING.EXE
PID 3860 wrote to memory of 3996	3860	cmd.exe	PING.EXE
PID 3860 wrote to memory of 1160	3860	cmd.exe	Loader.exe
PID 3860 wrote to memory of 1160	3860	cmd.exe	Loader.exe
PID 1160 wrote to memory of 4372	1160	Loader.exe	schtasks.exe
PID 1160 wrote to memory of 4372	1160	Loader.exe	schtasks.exe
PID 1160 wrote to memory of 888	1160	Loader.exe	cmd.exe
PID 1160 wrote to memory of 888	1160	Loader.exe	cmd.exe
PID 888 wrote to memory of 2600	888	cmd.exe	chcp.com
PID 888 wrote to memory of 2600	888	cmd.exe	chcp.com
PID 888 wrote to memory of 4368	888	cmd.exe	PING.EXE
PID 888 wrote to memory of 4368	888	cmd.exe	PING.EXE
PID 888 wrote to memory of 680	888	cmd.exe	Loader.exe
PID 888 wrote to memory of 680	888	cmd.exe	Loader.exe
PID 680 wrote to memory of 4068	680	Loader.exe	schtasks.exe
PID 680 wrote to memory of 4068	680	Loader.exe	schtasks.exe
PID 680 wrote to memory of 1260	680	Loader.exe	cmd.exe
PID 680 wrote to memory of 1260	680	Loader.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qp8MtW4xBsUB.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:4932

C:\Windows\system32\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:316

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
4⤵
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcYrifgGXLmd.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:1632

C:\Windows\system32\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:5100

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
5⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
6⤵
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NySr4mk0UjNq.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:3376

C:\Windows\system32\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:2224

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
7⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
8⤵
- Scheduled Task/Job: Scheduled Task
PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qr49jU3GpSvs.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\system32\chcp.com
chcp 65001
9⤵
PID:2544

C:\Windows\system32\PING.EXE
ping -n 10 localhost
9⤵
- Runs ping.exe
PID:4976

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
9⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
10⤵
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQIRhE7xCycL.bat" "
10⤵
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\system32\chcp.com
chcp 65001
11⤵
PID:4548

C:\Windows\system32\PING.EXE
ping -n 10 localhost
11⤵
- Runs ping.exe
PID:3996

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
11⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
12⤵
- Scheduled Task/Job: Scheduled Task
PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UcAegUpU1yxy.bat" "
12⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\system32\chcp.com
chcp 65001
13⤵
PID:2600

C:\Windows\system32\PING.EXE
ping -n 10 localhost
13⤵
- Runs ping.exe
PID:4368

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
13⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
14⤵
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8bNIgAkPgEgd.bat" "
14⤵
PID:1260

C:\Windows\system32\chcp.com
chcp 65001
15⤵
PID:4236

C:\Windows\system32\PING.EXE
ping -n 10 localhost
15⤵
- Runs ping.exe
PID:3844

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
15⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:664

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
16⤵
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGS3cfGYQrVr.bat" "
16⤵
PID:3648

C:\Windows\system32\chcp.com
chcp 65001
17⤵
PID:2532

C:\Windows\system32\PING.EXE
ping -n 10 localhost
17⤵
- Runs ping.exe
PID:392

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
17⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3168

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
18⤵
- Scheduled Task/Job: Scheduled Task
PID:3180

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8bNIgAkPgEgd.bat
Filesize
203B

MD5
e0bd8beddec4b9ee2f8c233f26a67b6a

SHA1
dfadcc9d1ac25021513b90f55bf798f49183549e

SHA256
b30b5e7408a84c92e787f9e1154b415ac90c36b1e17263e1b2ae5d72e4b89c38

SHA512
5fdcf05d10bcbdb4db4b6702b72066ec67f79e6209edba8c973a5948b8022fbaa161d29808f36210915cc61db8a57f2dec1bc9c40afc6fd057cab624ede78b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQIRhE7xCycL.bat
Filesize
203B

MD5
b191b689582c2c99b1b1feaafad1259f

SHA1
481281bc091f18f9420b2f436f1f8670f9101a52

SHA256
bbcade0be18b5eb3bd296b6aa9b02d92432e516447fd810f3b330671c76dcec6

SHA512
b92e55033669a9497c7767ca157b9b6d88d36e6ffe4dc5c486525e5638f212d166b6168b84bf9eb71ea3769140c1764a4d6a94a144b1af04b52d7a5023a487fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGS3cfGYQrVr.bat
Filesize
203B

MD5
1cd1d40199d0b3a5e94146616ea45636

SHA1
db7a838be06d9f07c3e3fd739f64a01cb9d66173

SHA256
34d8c7a65750ff5fac416a953bfe9dfab7ec0523241e10bc91575693efccd550

SHA512
7eac91fd4bd0ec283a41970b076833cf13833686523c3c014b8615be22df17e2fa434ed371a0f03e435b404f8f99bdcbe48c67374d05d205b42ce23bf1d66e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcYrifgGXLmd.bat
Filesize
203B

MD5
6f9f23298b98e2755ca847d09175fa8f

SHA1
e2c6ba2568ee086138877d1b1696feb24ebc1a24

SHA256
fe3a74f7f737f7ea5771bb67a2c1f64dc212ac921a1c6762bb28dad7fb205414

SHA512
2b60634e330c107dde4945c42c4bdbf433b87e670c0f1bcfcd22874d37642e48dcbf18d23117227f1160bdde6732e13d4f4ab63792b7c9fa5988a778fc246b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\NySr4mk0UjNq.bat
Filesize
203B

MD5
4436b84a35e323ce9996f81e937b464d

SHA1
ae2dc310e6ed26640d5d95fb13a08065679a4de7

SHA256
96b0856b209cbb55e6cf59e7a6b2c11a20ce0260e64cb9803dfe596742b46270

SHA512
e3cfab937d5c1bc9180c68f9967da784a9cdd333f75b0aa5d5932b873085ef8be7261a1b7002a82a3bc5f285b13f3f24fa52ee4b2ac47f0007da3f1d82167e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qp8MtW4xBsUB.bat
Filesize
203B

MD5
d9e09485388c2a9789f04a6213a234aa

SHA1
0c9aedd4911b2e86002e7e9b66d644c28d49b2d2

SHA256
ce11a7a8dcda4ce41a5b45f2e15706a6d77b7137898e6c6f037e23e45490e629

SHA512
29debb9ab6bd7835243171b3443861b9b56f2e8328ebefffe6bb1bf07d079ba11a254f0df2f9395460ddc67d8255118fe59088c7ad2a0eadb98e4777a02f313c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qr49jU3GpSvs.bat
Filesize
203B

MD5
3c51cd290f18932501e3a1961e7275ab

SHA1
6fb6667ca2fb275891a6ee2bd3c029916a21eb4c

SHA256
b41069fb0641c181d0c331f87eb34c0d78bf10f480b4776a88623becea9836ed

SHA512
63ed25ad5bf25a3e6713bdb969879d2ef2d0472e244ca0ef4d13b019163ea00cb6ff80559935b06137df294c4834ce1dbc512c53c052aff6eef4ab2f98f73f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcAegUpU1yxy.bat
Filesize
203B

MD5
eed98a68b8f761c52de8bb42cf669626

SHA1
359d6ca4a88cea81bc8e3ef3691883d3023b24a2

SHA256
b6c95aa58278acfab2e28d3fbbdb4ce297115eb3616b2dcf566ccab01bf0491a

SHA512
2ebee1100f927ba5f70f57faab0a3135246a379b36639537aa4b481edbca6eb40515f1dde8f4d81015e83a354f03adc12c718b17f01dc887c20144097c2b9422

Download Submit
memory/4872-0-0x00007FFDB7283000-0x00007FFDB7285000-memory.dmp

Filesize
8KB

Download
memory/4872-9-0x00007FFDB7280000-0x00007FFDB7D41000-memory.dmp

Filesize
10.8MB

Download
memory/4872-4-0x000000001D540000-0x000000001D5F2000-memory.dmp

Filesize
712KB

Download
memory/4872-3-0x0000000002940000-0x0000000002990000-memory.dmp

Filesize
320KB

Download
memory/4872-2-0x00007FFDB7280000-0x00007FFDB7D41000-memory.dmp

Filesize
10.8MB

Download
memory/4872-1-0x0000000000480000-0x00000000007A4000-memory.dmp

Filesize
3.1MB

Download