quasar | 910222c58e9a584fe4015ef10462470b320b624d7b56056b3ffcf7ea2f479b80

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

twojamatkat-built.exe
Size

3.1MB
MD5

27dad1cf69f9cb558f4d975c8bf34faa
SHA1

ea7beaa366b83b6e8410b10cdf055d08df49c907
SHA256

910222c58e9a584fe4015ef10462470b320b624d7b56056b3ffcf7ea2f479b80
SHA512

5f2251f3b017ee9103416928d23d179de716f84d21c287b441d05130b8102df9b8fe616a46a15e62ad524f27b99beb755949ab0d79c1ef9d77b25eb079076c1a
SSDEEP

49152:Xv+e821/aQWl8P0lSk3aKA3Z+ndBxNESEzk/iNLoGdWLTHHB72eh2NT:Xv9821/aQWl8P0lSk3DA3Z+nbxmF

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

performance-ha.gl.at.ply.gg:33365

performance-ha.gl.at.ply.gg:13678

Mutex

ba5220e2-c4e8-4381-aad8-a85115ef955e

Attributes

encryption_key
67C139F3E9A16FF8132A3DCF42197B8BA3C38609
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/3860-1-0x00000000004D0000-0x00000000007F4000-memory.dmp family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe family_quasar

resource	yara_rule
behavioral1/memory/3860-1-0x00000000004D0000-0x00000000007F4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 10 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

1928 Client.exe
3264 Client.exe
2104 Client.exe
2460 Client.exe
3864 Client.exe
2568 Client.exe
4496 Client.exe
3836 Client.exe
4792 Client.exe
4652 Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

1896 PING.EXE
2328 PING.EXE
2040 PING.EXE
3704 PING.EXE
4664 PING.EXE
2704 PING.EXE
4876 PING.EXE
1940 PING.EXE
3356 PING.EXE

pid	process
1928	Client.exe
3264	Client.exe
2104	Client.exe
2460	Client.exe
3864	Client.exe
2568	Client.exe
4496	Client.exe
3836	Client.exe
4792	Client.exe
4652	Client.exe

pid	process
1896	PING.EXE
2328	PING.EXE
2040	PING.EXE
3704	PING.EXE
4664	PING.EXE
2704	PING.EXE
4876	PING.EXE
1940	PING.EXE
3356	PING.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

twojamatkat-built.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3860	twojamatkat-built.exe
Token: SeDebugPrivilege	1928	Client.exe
Token: SeDebugPrivilege	3264	Client.exe
Token: SeDebugPrivilege	2104	Client.exe
Token: SeDebugPrivilege	2460	Client.exe
Token: SeDebugPrivilege	3864	Client.exe
Token: SeDebugPrivilege	2568	Client.exe
Token: SeDebugPrivilege	4496	Client.exe
Token: SeDebugPrivilege	3836	Client.exe
Token: SeDebugPrivilege	4792	Client.exe
Token: SeDebugPrivilege	4652	Client.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

1928 Client.exe
3264 Client.exe
2104 Client.exe
2460 Client.exe
3864 Client.exe
2568 Client.exe
4496 Client.exe
3836 Client.exe
4792 Client.exe
4652 Client.exe
Suspicious use of SendNotifyMessage 10 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

1928 Client.exe
3264 Client.exe
2104 Client.exe
2460 Client.exe
3864 Client.exe
2568 Client.exe
4496 Client.exe
3836 Client.exe
4792 Client.exe
4652 Client.exe

pid	process
1928	Client.exe
3264	Client.exe
2104	Client.exe
2460	Client.exe
3864	Client.exe
2568	Client.exe
4496	Client.exe
3836	Client.exe
4792	Client.exe
4652	Client.exe

pid	process
1928	Client.exe
3264	Client.exe
2104	Client.exe
2460	Client.exe
3864	Client.exe
2568	Client.exe
4496	Client.exe
3836	Client.exe
4792	Client.exe
4652	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

twojamatkat-built.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 3860 wrote to memory of 1928	3860	twojamatkat-built.exe	Client.exe
PID 3860 wrote to memory of 1928	3860	twojamatkat-built.exe	Client.exe
PID 1928 wrote to memory of 4056	1928	Client.exe	cmd.exe
PID 1928 wrote to memory of 4056	1928	Client.exe	cmd.exe
PID 4056 wrote to memory of 2436	4056	cmd.exe	chcp.com
PID 4056 wrote to memory of 2436	4056	cmd.exe	chcp.com
PID 4056 wrote to memory of 1896	4056	cmd.exe	PING.EXE
PID 4056 wrote to memory of 1896	4056	cmd.exe	PING.EXE
PID 4056 wrote to memory of 3264	4056	cmd.exe	Client.exe
PID 4056 wrote to memory of 3264	4056	cmd.exe	Client.exe
PID 3264 wrote to memory of 4428	3264	Client.exe	cmd.exe
PID 3264 wrote to memory of 4428	3264	Client.exe	cmd.exe
PID 4428 wrote to memory of 2696	4428	cmd.exe	chcp.com
PID 4428 wrote to memory of 2696	4428	cmd.exe	chcp.com
PID 4428 wrote to memory of 2704	4428	cmd.exe	PING.EXE
PID 4428 wrote to memory of 2704	4428	cmd.exe	PING.EXE
PID 4428 wrote to memory of 2104	4428	cmd.exe	Client.exe
PID 4428 wrote to memory of 2104	4428	cmd.exe	Client.exe
PID 2104 wrote to memory of 452	2104	Client.exe	cmd.exe
PID 2104 wrote to memory of 452	2104	Client.exe	cmd.exe
PID 452 wrote to memory of 916	452	cmd.exe	chcp.com
PID 452 wrote to memory of 916	452	cmd.exe	chcp.com
PID 452 wrote to memory of 2328	452	cmd.exe	PING.EXE
PID 452 wrote to memory of 2328	452	cmd.exe	PING.EXE
PID 452 wrote to memory of 2460	452	cmd.exe	Client.exe
PID 452 wrote to memory of 2460	452	cmd.exe	Client.exe
PID 2460 wrote to memory of 1044	2460	Client.exe	cmd.exe
PID 2460 wrote to memory of 1044	2460	Client.exe	cmd.exe
PID 1044 wrote to memory of 3732	1044	cmd.exe	chcp.com
PID 1044 wrote to memory of 3732	1044	cmd.exe	chcp.com
PID 1044 wrote to memory of 4876	1044	cmd.exe	PING.EXE
PID 1044 wrote to memory of 4876	1044	cmd.exe	PING.EXE
PID 1044 wrote to memory of 3864	1044	cmd.exe	Client.exe
PID 1044 wrote to memory of 3864	1044	cmd.exe	Client.exe
PID 3864 wrote to memory of 2308	3864	Client.exe	cmd.exe
PID 3864 wrote to memory of 2308	3864	Client.exe	cmd.exe
PID 2308 wrote to memory of 2868	2308	cmd.exe	chcp.com
PID 2308 wrote to memory of 2868	2308	cmd.exe	chcp.com
PID 2308 wrote to memory of 1940	2308	cmd.exe	PING.EXE
PID 2308 wrote to memory of 1940	2308	cmd.exe	PING.EXE
PID 2308 wrote to memory of 2568	2308	cmd.exe	Client.exe
PID 2308 wrote to memory of 2568	2308	cmd.exe	Client.exe
PID 2568 wrote to memory of 2380	2568	Client.exe	cmd.exe
PID 2568 wrote to memory of 2380	2568	Client.exe	cmd.exe
PID 2380 wrote to memory of 4940	2380	cmd.exe	chcp.com
PID 2380 wrote to memory of 4940	2380	cmd.exe	chcp.com
PID 2380 wrote to memory of 2040	2380	cmd.exe	PING.EXE
PID 2380 wrote to memory of 2040	2380	cmd.exe	PING.EXE
PID 2380 wrote to memory of 4496	2380	cmd.exe	Client.exe
PID 2380 wrote to memory of 4496	2380	cmd.exe	Client.exe
PID 4496 wrote to memory of 1116	4496	Client.exe	cmd.exe
PID 4496 wrote to memory of 1116	4496	Client.exe	cmd.exe
PID 1116 wrote to memory of 4316	1116	cmd.exe	chcp.com
PID 1116 wrote to memory of 4316	1116	cmd.exe	chcp.com
PID 1116 wrote to memory of 3704	1116	cmd.exe	PING.EXE
PID 1116 wrote to memory of 3704	1116	cmd.exe	PING.EXE
PID 1116 wrote to memory of 3836	1116	cmd.exe	Client.exe
PID 1116 wrote to memory of 3836	1116	cmd.exe	Client.exe
PID 3836 wrote to memory of 560	3836	Client.exe	cmd.exe
PID 3836 wrote to memory of 560	3836	Client.exe	cmd.exe
PID 560 wrote to memory of 2024	560	cmd.exe	chcp.com
PID 560 wrote to memory of 2024	560	cmd.exe	chcp.com
PID 560 wrote to memory of 3356	560	cmd.exe	PING.EXE
PID 560 wrote to memory of 3356	560	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\twojamatkat-built.exe
"C:\Users\Admin\AppData\Local\Temp\twojamatkat-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P7TZJuKrYWHQ.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2436

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1896

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\65OswQAKZC4A.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:2696

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2704

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQii8SRd8rmc.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:916

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2328

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyYgZ6bb1h7u.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:3732

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4876

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IPHtFtAEok1A.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:2868

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1940

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\datgLpV5rjdI.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:4940

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2040

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sS0zbHsBByJN.bat" "
15⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:4316

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3704

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkbYDcTEPlwY.bat" "
17⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:2024

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:3356

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hiwRbPgeLbhY.bat" "
19⤵
PID:2436

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:1932

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4664

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4652

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\65OswQAKZC4A.bat
Filesize
207B

MD5
884aeaea3c507b73a7e35a1ead65f83e

SHA1
e1227e0a137cee05f1ed8b3e6926ab7bfc775c88

SHA256
167206624fb4c7c74ea39ed9d8ba4835eebe6bbe200535f7f57a130dcdea7fdd

SHA512
5868be9cf0557585196c6d1a625bfcf36fabbee07d494489b57cf25c193df4bf3d68bb22cff460c3de738a8bd40b17ffdeec584bb81a7e929530b57177ed4d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IPHtFtAEok1A.bat
Filesize
207B

MD5
2659b2da1ac7c84f5bff8bec3a84a503

SHA1
f5c1f731678e734d6a174b38524f4bb3e65be8f1

SHA256
67be6a4af035a8907fadfd14dcf6280f98112e2b405ffb2f68c6393abc915191

SHA512
8f3a579f1675e0327af3492c8d34c1219a663e2a8359be90635a4481aa1ec8fc42306d2107fca9d87a6e5d0138f321873565efca48afffeb0d3607b68e5469b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkbYDcTEPlwY.bat
Filesize
207B

MD5
35d22b387602dca675de670b266f954f

SHA1
257b8c0ab0cbacaa956013f3011febd72d68b7e7

SHA256
0300fa11dae8522e4dc9e3257d41e17a5ad47e1c0db84bdb9c3452487e61fa3e

SHA512
31f60b7eadf2d6e4bb7f5a36075084f7ab43d6d0c1d0014814525b67ab50a131c57e6f5bc8e6b67b1b63e1dda83276a47274808f43e782a1571ced3ea3359570

Download Submit
C:\Users\Admin\AppData\Local\Temp\P7TZJuKrYWHQ.bat
Filesize
207B

MD5
e81e7d725d2a62958c6135225cc86191

SHA1
581395b80b23457f80e544bf1c81c10b605b0a6a

SHA256
68df811613b27761d3ccfb84618f506839f3a6adb766c9c50694c1198b126f69

SHA512
b557b34f621137ff9332d9d3b41c28762a786db1fc1e5cc703ff5f05f52ac2c568946971bbcfd01a957b47bc7fc42b0a2368d489d635115753b2f3ff6fb72700

Download Submit
C:\Users\Admin\AppData\Local\Temp\datgLpV5rjdI.bat
Filesize
207B

MD5
8e030c2d713da6811a84c86eb3fecc90

SHA1
e8e6ae34cea59928bf621fadc44df3da1deca76d

SHA256
73baffbac66225bed874c6a8f1e93b10f9cc8140a2ff69cdaf8e60d417693549

SHA512
e791159f53240b5dd1959ded27e74093a871d18a82cbf5c2ca341adab25033e65a40c7878d99659d9cfb5597aad3267d851e75d071c64738188f373d2172cc55

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiwRbPgeLbhY.bat
Filesize
207B

MD5
1b16d6677acb41f90feccdf8caf0df0b

SHA1
f1468ff21f6e4c55ddea27d9fb0ff85ff2446494

SHA256
5d3936bfda4c49b19cfb6ad3e5a2dd7e077d57e330a19c774c6228fbbf989212

SHA512
d9a6a6b79c78b967bf3526091c3da29878927134abddc964a5ca0462022c977f58202c1b32ecca7163c6f5c8552c983515a6230ac80dfa6d86ec61e285ac1828

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQii8SRd8rmc.bat
Filesize
207B

MD5
ea095484450aa00a24fb68c5cc0bd809

SHA1
01d2ed0d001dc41b47a2744831c207be661e408d

SHA256
1e7784a27697ab989cf430357614a22eb447ce5d2f281e5bf5382c671354f43e

SHA512
39a5045736be3af28e8320277eb8c2d665b45e9bb7ed6eafe997d3c4306bac9f40793ae6ff7d65cba369b9937f92533b8ed948f0f1831af671006e01b9cb701f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyYgZ6bb1h7u.bat
Filesize
207B

MD5
3052cfad6afff2dd7093902634b88b41

SHA1
0c41c8cf8390e47d8c8ee005bf0a4a08ee1b0e3e

SHA256
8f0c4b9c875b270071f160b10e9981e430d71d304975aeaed8606fb61b097adf

SHA512
1b8bde67996b3771c2eff29837c2492b1e00c1eaad7b99b05cc248a455e60d101006d6dc7b6fe62526593024747ee4048bda63ab70b2c4ab67c7ff8e94ceab7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sS0zbHsBByJN.bat
Filesize
207B

MD5
e10d03ec78fdf3f698b51c74be8c2ba4

SHA1
67bfba45d4453fa61d706c029b7601f4be041ca4

SHA256
c463fc9db0d9c90bcd0b3a55073fdaf0a8e89acb470022db57b93186f76bc51c

SHA512
54d45442eddbb51df3b3fea14c64db8f8728f8bbdd1edf70f856b34cba5057f803fe9a2750e08c2ed15f8aacf9546743729b092e39455f09aa33096dfbe148c8

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
3.1MB

MD5
27dad1cf69f9cb558f4d975c8bf34faa

SHA1
ea7beaa366b83b6e8410b10cdf055d08df49c907

SHA256
910222c58e9a584fe4015ef10462470b320b624d7b56056b3ffcf7ea2f479b80

SHA512
5f2251f3b017ee9103416928d23d179de716f84d21c287b441d05130b8102df9b8fe616a46a15e62ad524f27b99beb755949ab0d79c1ef9d77b25eb079076c1a

Download Submit
memory/1928-12-0x000000001E200000-0x000000001E2B2000-memory.dmp

Filesize
712KB

Download
memory/1928-8-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/1928-17-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/1928-11-0x000000001E0F0000-0x000000001E140000-memory.dmp

Filesize
320KB

Download
memory/1928-10-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/3860-0-0x00007FFF98773000-0x00007FFF98775000-memory.dmp

Filesize
8KB

Download
memory/3860-2-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/3860-9-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/3860-1-0x00000000004D0000-0x00000000007F4000-memory.dmp

Filesize
3.1MB

Download