quasar | 0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f

Analysis

max time kernel
156s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe
Size

348KB
MD5

be1958cb2bbcde1fa0ebbdc73a579fff
SHA1

d91235298ccc73a1712407db6ff7b83225e66c82
SHA256

0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f
SHA512

e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f

Score

10^/10

quasar infected persistence spyware suricata trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

INFECTED

mpapwpodllalw:4787

Mutex

QSR_MUTEX_ZHiYRTyEwnDVythpPG

Attributes

encryption_key
JJ24c9vhc2iN2AuqTdrZ
install_name
lclsrv.exe
log_directory
Logs
reconnect_delay
1000
startup_key
Microsoft SMB Filter 2.0
subdirectory
Windows

Signatures

Quasar Payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2296-130-0x0000000000810000-0x000000000086E000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe	family_quasar

Quasar RAT 4 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

pid process

5044 schtasks.exe
9 ip-api.com
16 api.ipify.org
24 api.ipify.org
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata
Executes dropped EXE 6 IoCs

Processes:

lclsrv.exelclsrv.exelclsrv.exelclsrv.exelclsrv.exelclsrv.exe

pid process

1984 lclsrv.exe
4344 lclsrv.exe
3108 lclsrv.exe
940 lclsrv.exe
4756 lclsrv.exe
1636 lclsrv.exe

pid	process
5044	schtasks.exe
9	ip-api.com
16	api.ipify.org
24	api.ipify.org

pid	process
1984	lclsrv.exe
4344	lclsrv.exe
3108	lclsrv.exe
940	lclsrv.exe
4756	lclsrv.exe
1636	lclsrv.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lclsrv.exelclsrv.exelclsrv.exelclsrv.exelclsrv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	lclsrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	lclsrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	lclsrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	lclsrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	lclsrv.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lclsrv.exelclsrv.exelclsrv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft SMB Filter 2.0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\lclsrv.exe\""	lclsrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft SMB Filter 2.0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\lclsrv.exe\""	lclsrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft SMB Filter 2.0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\lclsrv.exe\""	lclsrv.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ip-api.com
16 api.ipify.org
24 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
9	ip-api.com
16	api.ipify.org
24	api.ipify.org

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4400	1984	WerFault.exe	lclsrv.exe
4360	4344	WerFault.exe	lclsrv.exe
3284	3108	WerFault.exe	lclsrv.exe
5096	940	WerFault.exe	lclsrv.exe
4824	4756	WerFault.exe	lclsrv.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1800 schtasks.exe
176 schtasks.exe
3436 schtasks.exe
2112 schtasks.exe
2348 schtasks.exe
5044 schtasks.exe
Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

696 PING.EXE
1484 PING.EXE
4968 PING.EXE
4316 PING.EXE
3180 PING.EXE

pid	process
1800	schtasks.exe
176	schtasks.exe
3436	schtasks.exe
2112	schtasks.exe
2348	schtasks.exe
5044	schtasks.exe

pid	process
696	PING.EXE
1484	PING.EXE
4968	PING.EXE
4316	PING.EXE
3180	PING.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exelclsrv.exelclsrv.exelclsrv.exelclsrv.exelclsrv.exe

description	pid	process
Token: SeDebugPrivilege	2296	0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe
Token: SeDebugPrivilege	1984	lclsrv.exe
Token: SeDebugPrivilege	4344	lclsrv.exe
Token: SeDebugPrivilege	3108	lclsrv.exe
Token: SeDebugPrivilege	940	lclsrv.exe
Token: SeDebugPrivilege	4756	lclsrv.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

lclsrv.exelclsrv.exelclsrv.exelclsrv.exelclsrv.exe

pid process

1984 lclsrv.exe
4344 lclsrv.exe
3108 lclsrv.exe
940 lclsrv.exe
4756 lclsrv.exe

pid	process
1984	lclsrv.exe
4344	lclsrv.exe
3108	lclsrv.exe
940	lclsrv.exe
4756	lclsrv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exelclsrv.execmd.exelclsrv.execmd.exelclsrv.execmd.exelclsrv.execmd.exe

description	pid	process	target process
PID 2296 wrote to memory of 5044	2296	0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe	schtasks.exe
PID 2296 wrote to memory of 5044	2296	0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe	schtasks.exe
PID 2296 wrote to memory of 5044	2296	0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe	schtasks.exe
PID 2296 wrote to memory of 1984	2296	0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe	lclsrv.exe
PID 2296 wrote to memory of 1984	2296	0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe	lclsrv.exe
PID 2296 wrote to memory of 1984	2296	0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe	lclsrv.exe
PID 1984 wrote to memory of 1800	1984	lclsrv.exe	schtasks.exe
PID 1984 wrote to memory of 1800	1984	lclsrv.exe	schtasks.exe
PID 1984 wrote to memory of 1800	1984	lclsrv.exe	schtasks.exe
PID 1984 wrote to memory of 5068	1984	lclsrv.exe	cmd.exe
PID 1984 wrote to memory of 5068	1984	lclsrv.exe	cmd.exe
PID 1984 wrote to memory of 5068	1984	lclsrv.exe	cmd.exe
PID 5068 wrote to memory of 1668	5068	cmd.exe	chcp.com
PID 5068 wrote to memory of 1668	5068	cmd.exe	chcp.com
PID 5068 wrote to memory of 1668	5068	cmd.exe	chcp.com
PID 5068 wrote to memory of 4316	5068	cmd.exe	PING.EXE
PID 5068 wrote to memory of 4316	5068	cmd.exe	PING.EXE
PID 5068 wrote to memory of 4316	5068	cmd.exe	PING.EXE
PID 5068 wrote to memory of 4344	5068	cmd.exe	lclsrv.exe
PID 5068 wrote to memory of 4344	5068	cmd.exe	lclsrv.exe
PID 5068 wrote to memory of 4344	5068	cmd.exe	lclsrv.exe
PID 4344 wrote to memory of 176	4344	lclsrv.exe	schtasks.exe
PID 4344 wrote to memory of 176	4344	lclsrv.exe	schtasks.exe
PID 4344 wrote to memory of 176	4344	lclsrv.exe	schtasks.exe
PID 4344 wrote to memory of 4540	4344	lclsrv.exe	cmd.exe
PID 4344 wrote to memory of 4540	4344	lclsrv.exe	cmd.exe
PID 4344 wrote to memory of 4540	4344	lclsrv.exe	cmd.exe
PID 4540 wrote to memory of 2268	4540	cmd.exe	chcp.com
PID 4540 wrote to memory of 2268	4540	cmd.exe	chcp.com
PID 4540 wrote to memory of 2268	4540	cmd.exe	chcp.com
PID 4540 wrote to memory of 3180	4540	cmd.exe	PING.EXE
PID 4540 wrote to memory of 3180	4540	cmd.exe	PING.EXE
PID 4540 wrote to memory of 3180	4540	cmd.exe	PING.EXE
PID 4540 wrote to memory of 3108	4540	cmd.exe	lclsrv.exe
PID 4540 wrote to memory of 3108	4540	cmd.exe	lclsrv.exe
PID 4540 wrote to memory of 3108	4540	cmd.exe	lclsrv.exe
PID 3108 wrote to memory of 3436	3108	lclsrv.exe	schtasks.exe
PID 3108 wrote to memory of 3436	3108	lclsrv.exe	schtasks.exe
PID 3108 wrote to memory of 3436	3108	lclsrv.exe	schtasks.exe
PID 3108 wrote to memory of 1216	3108	lclsrv.exe	cmd.exe
PID 3108 wrote to memory of 1216	3108	lclsrv.exe	cmd.exe
PID 3108 wrote to memory of 1216	3108	lclsrv.exe	cmd.exe
PID 1216 wrote to memory of 3808	1216	cmd.exe	chcp.com
PID 1216 wrote to memory of 3808	1216	cmd.exe	chcp.com
PID 1216 wrote to memory of 3808	1216	cmd.exe	chcp.com
PID 1216 wrote to memory of 696	1216	cmd.exe	PING.EXE
PID 1216 wrote to memory of 696	1216	cmd.exe	PING.EXE
PID 1216 wrote to memory of 696	1216	cmd.exe	PING.EXE
PID 1216 wrote to memory of 940	1216	cmd.exe	lclsrv.exe
PID 1216 wrote to memory of 940	1216	cmd.exe	lclsrv.exe
PID 1216 wrote to memory of 940	1216	cmd.exe	lclsrv.exe
PID 940 wrote to memory of 2112	940	lclsrv.exe	schtasks.exe
PID 940 wrote to memory of 2112	940	lclsrv.exe	schtasks.exe
PID 940 wrote to memory of 2112	940	lclsrv.exe	schtasks.exe
PID 940 wrote to memory of 2552	940	lclsrv.exe	cmd.exe
PID 940 wrote to memory of 2552	940	lclsrv.exe	cmd.exe
PID 940 wrote to memory of 2552	940	lclsrv.exe	cmd.exe
PID 2552 wrote to memory of 1640	2552	cmd.exe	chcp.com
PID 2552 wrote to memory of 1640	2552	cmd.exe	chcp.com
PID 2552 wrote to memory of 1640	2552	cmd.exe	chcp.com
PID 2552 wrote to memory of 1484	2552	cmd.exe	PING.EXE
PID 2552 wrote to memory of 1484	2552	cmd.exe	PING.EXE
PID 2552 wrote to memory of 1484	2552	cmd.exe	PING.EXE
PID 2552 wrote to memory of 4756	2552	cmd.exe	lclsrv.exe

C:\Users\Admin\AppData\Local\Temp\0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe
"C:\Users\Admin\AppData\Local\Temp\0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft SMB Filter 2.0" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe" /rl HIGHEST /f
2⤵
- Quasar RAT
- Creates scheduled task(s)
PID:5044

C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
"C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft SMB Filter 2.0" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liulL45oDVHy.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1668

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:4316

C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
"C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft SMB Filter 2.0" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PRSsZ3fDNyHy.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:2268

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:3180

C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
"C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft SMB Filter 2.0" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwXiV9SNUIKn.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:3808

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:696

C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
"C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe"
8⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft SMB Filter 2.0" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECEKUuHVqH0k.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:1640

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:1484

C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
"C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe"
10⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4756

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft SMB Filter 2.0" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZM42FJNPseYO.bat" "
11⤵
PID:2992

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:3120

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4968

C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
"C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe"
12⤵
- Executes dropped EXE
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 2216
11⤵
- Program crash
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 2232
9⤵
- Program crash
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 2240
7⤵
- Program crash
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 2216
5⤵
- Program crash
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 2016
3⤵
- Program crash
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1984 -ip 1984
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4344 -ip 4344
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3108 -ip 3108
1⤵
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 940 -ip 940
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4756 -ip 4756
1⤵
PID:5048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ECEKUuHVqH0k.bat
Filesize
208B

MD5
2008d62f1055a2406d5e0d91a8607fa4

SHA1
33b5cf467354793ba205c97a0e28af8cfc5ec777

SHA256
c30a084e132e717c7708c8be18d984fd8f9e6b7635268a1be953b6bb895b6385

SHA512
ead7b27d0821b628fd5afa9a24d582a5d2d0804a8692e149f937973fe8619f54b913f8ba4d187ce98563953a78f1436d57aa6eef13fbdee0aa69480c962e57b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PRSsZ3fDNyHy.bat
Filesize
208B

MD5
d06da5e9419c82f82ebea02a998b7ff4

SHA1
b245bfe333c1bc1e2cb84437adcbe8d0c29bec71

SHA256
9c1a74b73c5afa24fab949ce5d92f3d32a66d9e9f56154a4c6c94d614e87123a

SHA512
05464b4a477675907a2b03f1d8ad4dcc07453db6be9f0bbf99e5196d9141f26382568ed0de5b4b0b2452fae739191ed85afe064ee947f580eff7f3a5199a21c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZM42FJNPseYO.bat
Filesize
208B

MD5
4df020e46155c832fca4abb72a839348

SHA1
9457ad9e4e093bae6427e61e8ebeb64b60ce7384

SHA256
b6b42b58e94a50806a97c701725aee19c6e997ea7e626cefed10334f00d451d5

SHA512
bf27b1001b01a03763b7ca036e63878a83af104844b9409736367f31ac50100f5fb2331f10fc8501ffd9525d1393c5531a23d5a498ce2f2b870949b814128a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\liulL45oDVHy.bat
Filesize
208B

MD5
06cd0bb1c5c424db885fd7ebe4e2af92

SHA1
b10d85813a90f9653a026f4c4fb2cee32fd622da

SHA256
99558d7ebe7e56768e6a47e9bc07ee422da3f9f0c2fed4a47fc236feef251f7f

SHA512
a86f6e1ccc08878720feb2cbd4ddfbebd4b52b248116214303d47fbff694f0db342e0b56923f55a70bba8db84b8269817e539a3faf0a734b1ab89895ceb81986

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwXiV9SNUIKn.bat
Filesize
208B

MD5
d0340ea84d466c093b556937b9c563e0

SHA1
c03777060906154777983e087b404f17c329417d

SHA256
4dd05a0b7deb9ed0ad3f6fa24c1d82e8e108b2ce09e142083740b13e9afc4a41

SHA512
4f31cd9475c660c081f0bb7d3346067ec9ca0929e1e003a5aae1bdb3d52a8008d76cc10b12f8fd2bfd6c10e527e3df806412d800794af95d1ade3779e8e03700

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-20-2022
Filesize
224B

MD5
3bb35e4169ceb4a066b80757a6981a54

SHA1
022d9fb9525f30b61e7199b79c0d957a8b7a47ce

SHA256
a8f68136981d944b83e7cacd814f9794381091cd78cd9a591d305c63b9e76cd6

SHA512
0533bb323d7ec185be2ce2a424b9718a3b7411bc7df0a9e963ba3b46f029204261784f812d75bd8df3687f164fbce2aa51344716b9b4f3552a3137faafadbef3

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-20-2022
Filesize
224B

MD5
e8e1649de4e210c155d1377e3f351f46

SHA1
52f7c6b3a069b58400ece54ef2bec5377920dda5

SHA256
e616d0d35e9fc5c202fecdb039bc824c7a71d930626fcee0a7710618721b8f17

SHA512
2f03f1c6000371359cd0b9e4026dbdf5f437703a15ab47017c8ddcfc81637187c45b550b9accb9a9413ca67e3a28c63d0b56fe8c01621cd35b0b5e51cb7fa26a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-20-2022
Filesize
224B

MD5
21e0e1e0988f5b9553f6ed4ab15a170a

SHA1
e7dbaf69db7477df2cf57b3655accdb2538092a3

SHA256
8b1fc70d4a40c44166d4af31b36dce640e51087f6a0cc62f6e8b89a652d4bc20

SHA512
7294f731773c8c696bd845752726a67cb76465e0c012043a9e08108dfb3191f967613b14f677cbbcc5235fa1e74f47b07a5929442d6a9612c57d8dca26ed34fe

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-20-2022
Filesize
224B

MD5
c6aaf5f579b87bcc3a390bee5fe35c25

SHA1
7a03c9122118ca3255fa789439dc4fc13744caee

SHA256
f23cb9cd7582ba7b4bb41c3add84a87d517c73f55a8e1fec6754e6b1bd6ab490

SHA512
9d152ef76642e0e959f2d75828564f1763e281196996f532b5e4583fa5bd317fd2514c403db01ccc49b220642febde6587733ec211dd219b63ca4eb929d0d85c

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
Filesize
348KB

MD5
be1958cb2bbcde1fa0ebbdc73a579fff

SHA1
d91235298ccc73a1712407db6ff7b83225e66c82

SHA256
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f

SHA512
e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
Filesize
348KB

MD5
be1958cb2bbcde1fa0ebbdc73a579fff

SHA1
d91235298ccc73a1712407db6ff7b83225e66c82

SHA256
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f

SHA512
e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
Filesize
348KB

MD5
be1958cb2bbcde1fa0ebbdc73a579fff

SHA1
d91235298ccc73a1712407db6ff7b83225e66c82

SHA256
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f

SHA512
e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
Filesize
348KB

MD5
be1958cb2bbcde1fa0ebbdc73a579fff

SHA1
d91235298ccc73a1712407db6ff7b83225e66c82

SHA256
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f

SHA512
e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
Filesize
348KB

MD5
be1958cb2bbcde1fa0ebbdc73a579fff

SHA1
d91235298ccc73a1712407db6ff7b83225e66c82

SHA256
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f

SHA512
e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
Filesize
348KB

MD5
be1958cb2bbcde1fa0ebbdc73a579fff

SHA1
d91235298ccc73a1712407db6ff7b83225e66c82

SHA256
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f

SHA512
e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\lclsrv.exe
Filesize
348KB

MD5
be1958cb2bbcde1fa0ebbdc73a579fff

SHA1
d91235298ccc73a1712407db6ff7b83225e66c82

SHA256
0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f

SHA512
e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f

Download Submit
memory/176-148-0x0000000000000000-mapping.dmp

Download
memory/696-161-0x0000000000000000-mapping.dmp

Download
memory/940-162-0x0000000000000000-mapping.dmp

Download
memory/1216-158-0x0000000000000000-mapping.dmp

Download
memory/1484-169-0x0000000000000000-mapping.dmp

Download
memory/1636-178-0x0000000000000000-mapping.dmp

Download
memory/1640-168-0x0000000000000000-mapping.dmp

Download
memory/1668-143-0x0000000000000000-mapping.dmp

Download
memory/1800-139-0x0000000000000000-mapping.dmp

Download
memory/1984-140-0x0000000007100000-0x000000000710A000-memory.dmp

Filesize
40KB

Download
memory/1984-136-0x0000000000000000-mapping.dmp

Download
memory/2112-164-0x0000000000000000-mapping.dmp

Download
memory/2268-152-0x0000000000000000-mapping.dmp

Download
memory/2296-131-0x0000000005870000-0x0000000005E14000-memory.dmp

Filesize
5.6MB

Download
memory/2296-132-0x00000000052C0000-0x0000000005352000-memory.dmp

Filesize
584KB

Download
memory/2296-133-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/2296-134-0x0000000006240000-0x0000000006252000-memory.dmp

Filesize
72KB

Download
memory/2296-130-0x0000000000810000-0x000000000086E000-memory.dmp

Filesize
376KB

Download
memory/2348-172-0x0000000000000000-mapping.dmp

Download
memory/2552-166-0x0000000000000000-mapping.dmp

Download
memory/2992-174-0x0000000000000000-mapping.dmp

Download
memory/3108-154-0x0000000000000000-mapping.dmp

Download
memory/3120-176-0x0000000000000000-mapping.dmp

Download
memory/3180-153-0x0000000000000000-mapping.dmp

Download
memory/3436-156-0x0000000000000000-mapping.dmp

Download
memory/3808-160-0x0000000000000000-mapping.dmp

Download
memory/4316-144-0x0000000000000000-mapping.dmp

Download
memory/4344-145-0x0000000000000000-mapping.dmp

Download
memory/4344-147-0x0000000006410000-0x000000000644C000-memory.dmp

Filesize
240KB

Download
memory/4540-150-0x0000000000000000-mapping.dmp

Download
memory/4756-170-0x0000000000000000-mapping.dmp

Download
memory/4968-177-0x0000000000000000-mapping.dmp

Download
memory/5044-135-0x0000000000000000-mapping.dmp

Download
memory/5068-141-0x0000000000000000-mapping.dmp

Download