quasar | e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe
Size

411KB
MD5

2adea70fccf261c8c99d87be94dff75b
SHA1

ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623
SHA256

e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0
SHA512

286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Score

10^/10

quasar bot spyware suricata trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

BoT

deepfred420.ddns.net:9064

Mutex

GonbH7yXnux3KU6CkF

Attributes

encryption_key
ctcKPuPY3bRDHuYmzlto
install_name
Explorer.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Explorer
subdirectory
WServices

Signatures

Quasar Payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1356-140-0x0000000000920000-0x000000000096E000-memory.dmp	family_quasar
behavioral2/memory/1356-139-0x0000000000920000-0x000000000096E000-memory.dmp	family_quasar
behavioral2/memory/2072-158-0x00000000008E0000-0x000000000092E000-memory.dmp	family_quasar
behavioral2/memory/2072-159-0x00000000008E0000-0x000000000092E000-memory.dmp	family_quasar
behavioral2/memory/4800-174-0x0000000000860000-0x00000000008AE000-memory.dmp	family_quasar
behavioral2/memory/5108-191-0x00000000008A0000-0x00000000008EE000-memory.dmp	family_quasar
behavioral2/memory/4652-205-0x00000000008D0000-0x000000000091E000-memory.dmp	family_quasar
behavioral2/memory/4964-229-0x0000000000870000-0x00000000008BE000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Executes dropped EXE 25 IoCs

Processes:

Audio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exe

pid	process
2336	Audio Service.exe
1356	Audio Service.exe
4732	Audio Service.exe
5096	Audio Service.exe
4812	Audio Service.exe
2072	Audio Service.exe
3408	Audio Service.exe
1220	Audio Service.exe
4800	Audio Service.exe
1152	Audio Service.exe
1548	Audio Service.exe
536	Audio Service.exe
2940	Audio Service.exe
5108	Audio Service.exe
4868	Audio Service.exe
3180	Audio Service.exe
4652	Audio Service.exe
1888	Audio Service.exe
1728	Audio Service.exe
4228	Audio Service.exe
1536	Audio Service.exe
1092	Audio Service.exe
3488	Audio Service.exe
4964	Audio Service.exe
1316	Audio Service.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe	upx

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Audio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Audio Service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Audio Service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Audio Service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Audio Service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Audio Service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Audio Service.exe

Drops startup file 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audio Service.vbs notepad.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 ip-api.com
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audio Service.vbs	notepad.exe

flow	ioc
31	ip-api.com

Suspicious use of SetThreadContext 7 IoCs

Processes:

Audio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exe

description	pid	process	target process
PID 2336 set thread context of 1356	2336	Audio Service.exe	Audio Service.exe
PID 5096 set thread context of 2072	5096	Audio Service.exe	Audio Service.exe
PID 4812 set thread context of 4800	4812	Audio Service.exe	Audio Service.exe
PID 1220 set thread context of 5108	1220	Audio Service.exe	Audio Service.exe
PID 1548 set thread context of 4652	1548	Audio Service.exe	Audio Service.exe
PID 536 set thread context of 1728	536	Audio Service.exe	Audio Service.exe
PID 2940 set thread context of 4964	2940	Audio Service.exe	Audio Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3496	1356	WerFault.exe	Audio Service.exe
4972	2072	WerFault.exe	Audio Service.exe
4932	4800	WerFault.exe	Audio Service.exe
3548	5108	WerFault.exe	Audio Service.exe
1444	4652	WerFault.exe	Audio Service.exe
4608	4964	WerFault.exe	Audio Service.exe

NTFS ADS 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe:ZoneIdentifier notepad.exe
Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

4320 PING.EXE
368 PING.EXE
3728 PING.EXE
2980 PING.EXE
1312 PING.EXE
4432 PING.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe:ZoneIdentifier	notepad.exe

pid	process
4320	PING.EXE
368	PING.EXE
3728	PING.EXE
2980	PING.EXE
1312	PING.EXE
4432	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exeAudio Service.exeAudio Service.exe

pid	process
1728	e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe
1728	e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe
2336	Audio Service.exe
2336	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe
4732	Audio Service.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

Audio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exe

pid	process
2336	Audio Service.exe
5096	Audio Service.exe
4812	Audio Service.exe
1220	Audio Service.exe
1548	Audio Service.exe
536	Audio Service.exe
2940	Audio Service.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Audio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exe

description	pid	process
Token: SeDebugPrivilege	1356	Audio Service.exe
Token: SeDebugPrivilege	2072	Audio Service.exe
Token: SeDebugPrivilege	4800	Audio Service.exe
Token: SeDebugPrivilege	5108	Audio Service.exe
Token: SeDebugPrivilege	4652	Audio Service.exe
Token: SeDebugPrivilege	4964	Audio Service.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Audio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exeAudio Service.exe

pid process

1356 Audio Service.exe
2072 Audio Service.exe
4800 Audio Service.exe
5108 Audio Service.exe
4652 Audio Service.exe
4964 Audio Service.exe

pid	process
1356	Audio Service.exe
2072	Audio Service.exe
4800	Audio Service.exe
5108	Audio Service.exe
4652	Audio Service.exe
4964	Audio Service.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exenotepad.exeAudio Service.exeAudio Service.execmd.exeAudio Service.exeAudio Service.exeAudio Service.execmd.exeAudio Service.exeAudio Service.exeAudio Service.execmd.exeAudio Service.exe

description	pid	process	target process
PID 1728 wrote to memory of 1196	1728	e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe	notepad.exe
PID 1728 wrote to memory of 1196	1728	e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe	notepad.exe
PID 1728 wrote to memory of 1196	1728	e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe	notepad.exe
PID 1728 wrote to memory of 1196	1728	e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe	notepad.exe
PID 1728 wrote to memory of 1196	1728	e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe	notepad.exe
PID 1196 wrote to memory of 2336	1196	notepad.exe	Audio Service.exe
PID 1196 wrote to memory of 2336	1196	notepad.exe	Audio Service.exe
PID 1196 wrote to memory of 2336	1196	notepad.exe	Audio Service.exe
PID 2336 wrote to memory of 1356	2336	Audio Service.exe	Audio Service.exe
PID 2336 wrote to memory of 1356	2336	Audio Service.exe	Audio Service.exe
PID 2336 wrote to memory of 1356	2336	Audio Service.exe	Audio Service.exe
PID 2336 wrote to memory of 4732	2336	Audio Service.exe	Audio Service.exe
PID 2336 wrote to memory of 4732	2336	Audio Service.exe	Audio Service.exe
PID 2336 wrote to memory of 4732	2336	Audio Service.exe	Audio Service.exe
PID 1356 wrote to memory of 2600	1356	Audio Service.exe	cmd.exe
PID 1356 wrote to memory of 2600	1356	Audio Service.exe	cmd.exe
PID 1356 wrote to memory of 2600	1356	Audio Service.exe	cmd.exe
PID 2600 wrote to memory of 4080	2600	cmd.exe	chcp.com
PID 2600 wrote to memory of 4080	2600	cmd.exe	chcp.com
PID 2600 wrote to memory of 4080	2600	cmd.exe	chcp.com
PID 2600 wrote to memory of 2980	2600	cmd.exe	PING.EXE
PID 2600 wrote to memory of 2980	2600	cmd.exe	PING.EXE
PID 2600 wrote to memory of 2980	2600	cmd.exe	PING.EXE
PID 4732 wrote to memory of 5096	4732	Audio Service.exe	Audio Service.exe
PID 4732 wrote to memory of 5096	4732	Audio Service.exe	Audio Service.exe
PID 4732 wrote to memory of 5096	4732	Audio Service.exe	Audio Service.exe
PID 2600 wrote to memory of 4812	2600	cmd.exe	Audio Service.exe
PID 2600 wrote to memory of 4812	2600	cmd.exe	Audio Service.exe
PID 2600 wrote to memory of 4812	2600	cmd.exe	Audio Service.exe
PID 5096 wrote to memory of 2072	5096	Audio Service.exe	Audio Service.exe
PID 5096 wrote to memory of 2072	5096	Audio Service.exe	Audio Service.exe
PID 5096 wrote to memory of 2072	5096	Audio Service.exe	Audio Service.exe
PID 5096 wrote to memory of 3408	5096	Audio Service.exe	Audio Service.exe
PID 5096 wrote to memory of 3408	5096	Audio Service.exe	Audio Service.exe
PID 5096 wrote to memory of 3408	5096	Audio Service.exe	Audio Service.exe
PID 2072 wrote to memory of 712	2072	Audio Service.exe	cmd.exe
PID 2072 wrote to memory of 712	2072	Audio Service.exe	cmd.exe
PID 2072 wrote to memory of 712	2072	Audio Service.exe	cmd.exe
PID 712 wrote to memory of 1680	712	cmd.exe	chcp.com
PID 712 wrote to memory of 1680	712	cmd.exe	chcp.com
PID 712 wrote to memory of 1680	712	cmd.exe	chcp.com
PID 712 wrote to memory of 1312	712	cmd.exe	PING.EXE
PID 712 wrote to memory of 1312	712	cmd.exe	PING.EXE
PID 712 wrote to memory of 1312	712	cmd.exe	PING.EXE
PID 3408 wrote to memory of 1220	3408	Audio Service.exe	Audio Service.exe
PID 3408 wrote to memory of 1220	3408	Audio Service.exe	Audio Service.exe
PID 3408 wrote to memory of 1220	3408	Audio Service.exe	Audio Service.exe
PID 4812 wrote to memory of 4800	4812	Audio Service.exe	Audio Service.exe
PID 4812 wrote to memory of 4800	4812	Audio Service.exe	Audio Service.exe
PID 4812 wrote to memory of 4800	4812	Audio Service.exe	Audio Service.exe
PID 4812 wrote to memory of 1152	4812	Audio Service.exe	Audio Service.exe
PID 4812 wrote to memory of 1152	4812	Audio Service.exe	Audio Service.exe
PID 4812 wrote to memory of 1152	4812	Audio Service.exe	Audio Service.exe
PID 4800 wrote to memory of 3512	4800	Audio Service.exe	cmd.exe
PID 4800 wrote to memory of 3512	4800	Audio Service.exe	cmd.exe
PID 4800 wrote to memory of 3512	4800	Audio Service.exe	cmd.exe
PID 3512 wrote to memory of 1900	3512	cmd.exe	chcp.com
PID 3512 wrote to memory of 1900	3512	cmd.exe	chcp.com
PID 3512 wrote to memory of 1900	3512	cmd.exe	chcp.com
PID 3512 wrote to memory of 4432	3512	cmd.exe	PING.EXE
PID 3512 wrote to memory of 4432	3512	cmd.exe	PING.EXE
PID 3512 wrote to memory of 4432	3512	cmd.exe	PING.EXE
PID 1152 wrote to memory of 1548	1152	Audio Service.exe	Audio Service.exe
PID 1152 wrote to memory of 1548	1152	Audio Service.exe	Audio Service.exe

C:\Users\Admin\AppData\Local\Temp\e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe
"C:\Users\Admin\AppData\Local\Temp\e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Drops startup file
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2336

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0314IzVEpXru.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4080

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2980

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4812

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mfdizPu7KMog.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\SysWOW64\chcp.com
chcp 65001
9⤵
PID:1900

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
9⤵
- Runs ping.exe
PID:4432

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2940

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
10⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQXRHPWBgE0S.bat" "
11⤵
PID:956

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:4996

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 2220
11⤵
- Program crash
PID:4608

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe" 2 4964 240703609
10⤵
- Executes dropped EXE
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 2264
8⤵
- Program crash
PID:4932

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe" 2 4800 240661500
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1548

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
9⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TPs1Yukx1Cfu.bat" "
10⤵
PID:4248

C:\Windows\SysWOW64\chcp.com
chcp 65001
11⤵
PID:2796

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
11⤵
- Runs ping.exe
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 2148
10⤵
- Program crash
PID:1444

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe" 2 4652 240695062
9⤵
- Executes dropped EXE
PID:1888

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
10⤵
- Executes dropped EXE
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 2236
5⤵
- Program crash
PID:3496

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe" 2 1356 240617437
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4732

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5096

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RLXutycx7Afr.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:712

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:1680

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1312

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:536

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
9⤵
- Executes dropped EXE
PID:1728

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe" 2 1728 240695687
9⤵
- Executes dropped EXE
PID:4228

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
10⤵
- Executes dropped EXE
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1720
7⤵
- Program crash
PID:4972

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe" 2 2072 240653453
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1220

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
8⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqpVsnL46WRt.bat" "
9⤵
PID:4748

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:3080

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4320

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
10⤵
- Executes dropped EXE
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 2252
9⤵
- Program crash
PID:3548

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe" 2 5108 240687031
8⤵
- Executes dropped EXE
PID:4868

C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
"C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe"
9⤵
- Executes dropped EXE
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1356 -ip 1356
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2072 -ip 2072
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4800 -ip 4800
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5108 -ip 5108
1⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4652 -ip 4652
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4964 -ip 4964
1⤵
PID:4260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Audio Service.exe.log
Filesize
701B

MD5
5de8527438c860bfa3140dc420a03e52

SHA1
235af682986b3292f20d8d71a8671353f5d6e16d

SHA256
d9d92cd6e7a4507912965138b8d1eabb3f188f4dfcb61115ee99dc2c0fd43a92

SHA512
77c3a774a2235c55ad520f1bf0c71fa3d3f0e7cf478a78e0d4dd6d253ee12a9859acc9ee822664467387788a2655a18373c8fcf08ea0d001549d3d4391b00bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0314IzVEpXru.bat
Filesize
216B

MD5
5cbcdbc89e811d399b0c8048d17c83ce

SHA1
9a5f6585a93eda2b9bd71540431e7a5724a3886a

SHA256
f17c30904b18294ae1c3bdf0c687e9cd574b0659b6c62c121c40fc8c14884eb4

SHA512
9fa8f926e086f8d6c3a58dfabd1fdc62a3587cb21b2cfff0e132ad4eadfe93a3f3413f9733461e93060d4a35cc83d8df8176f2b6117f699905d3c3f776f11912

Download Submit
C:\Users\Admin\AppData\Local\Temp\RLXutycx7Afr.bat
Filesize
216B

MD5
591564c783e0c8ed2287349e806e2713

SHA1
202d3ebff33546676d83e12284fcf1f178189107

SHA256
4dd387a5a1abc8376d6871c388cbd161898fb26fe5643844e6058158275f5b64

SHA512
849136003fd46ef8a1f54c922a28d635d1261e3c8fb9e7eca7eeb2e81bbe423d24c3c1949f1bc92928c22ac515a5db95d17f0fd977bf123b7a8ac54bd5cef2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TPs1Yukx1Cfu.bat
Filesize
216B

MD5
57d5a5dcc77e33c2a8b746b17d1caa97

SHA1
67d612d42cf771e17224048786e885c8bf7746dd

SHA256
d60811877f8f5cb3832616f4aceef7147dd32adf7e926ba5aca3a889cd5c5cc0

SHA512
46d171294c4435641047e49764aa928d04e5133399b6b259437f44c200be88529ffd37ed091fec81af65a67426ad660723047af4718c02513ca68b20c4b6ac3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dqpVsnL46WRt.bat
Filesize
216B

MD5
5d28dd6209849303303573a4862ddcd9

SHA1
f5b1d767983a0e922a52b97ce7db690f7040a581

SHA256
503c83779d9d83b29747ade1f19c7adf43aabbe412a68a444dc618f4d8f76b9f

SHA512
e0dd93246665e5d38c0104bcb3e4ade61f2c513d2aa670628339ddb934a10617b64c6f2b1729694e70e490cf8028ebab875a9f09762af011801c648b7a840fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfdizPu7KMog.bat
Filesize
216B

MD5
9c17d14dcca7c9ec0dbf63d1b1375093

SHA1
2f8a748a59f872853d6c84c9a87cbc342de496e6

SHA256
92fc15b7a948e142fd9d68c01411884f9cd7f43a198811aecca6d9d496a178e1

SHA512
f33e566a8d14289b1e8df7c517dadde00ff6c480f73709ec13fd01930e93f1e6858167d8d28ee5e2f00f028105091a7e866518e03b02b0589ae880023272a67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQXRHPWBgE0S.bat
Filesize
216B

MD5
088d37424da04f86f6e63c8f20fec6b2

SHA1
5412c93896ad815a16022d60aa17954510c7d4e1

SHA256
486f32392439ea7cca7b4e04d42fa6eea6caad3316a2c4c4bcc21cba971ab66b

SHA512
2d93e074e68ebd3be21162fa0b70a8b94309f62f963202d18d062f9e6a75204d3a5b392b33205411863a390790400b1b8c9ba6944da52bc598e08591f590bb35

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-24-2022
Filesize
224B

MD5
e4b4ab780d750df45ce8cef41fded575

SHA1
93d5f13222ccdeafc7014a96f2eebbedef12ede0

SHA256
1b36596e5041dd7c60270206f7f61da87ba1135e61b0a0634d4188571bc3f1ff

SHA512
280b90b5265ae82659495f9f1953bf57f2f8bacd055b46c0af44985de79e2ec3e04c65093db4edfb87a9c57840dd7893affc777a7a3a4a7046ebac0d79ecd199

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-24-2022
Filesize
224B

MD5
ea8cc7cbaac29d746a8364c6c48b52dc

SHA1
24ef93d9fb2ebe1fb8f8d4da5838acdbf2e35815

SHA256
557b04f55f943b7dc67e260ce5055d4701a666c74a0ead149eece106716585fd

SHA512
89f4c24f08cf44bc8b07a5c3c5e27bd6ad71b996b82743abd00f613e725afce70d5203e56ffa24eb36cdb2afaeef739b74843942f32eb455a345af1e5606396c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-24-2022
Filesize
224B

MD5
74b55f41f2658d37993c9dbee1143524

SHA1
668923dc7a294a2bc97df6ef901f2cebfe9dbfb7

SHA256
fab84c8bfefec9c23a592c110472d2241458d15fdac49927d80e19e7991e0ffc

SHA512
5a3f4a52a3e5e025dc9cb46797c3cb0ab5c908c994b55bda65a83f25c3e1674a5d8283a04b6b3f2d20a28239aae208e4f2d3ce0b33793cdb44ad7fc994a4a388

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-24-2022
Filesize
224B

MD5
139ee6fe7723e7f7bfe2422aac2920d9

SHA1
be9f489600e7154f34b4be7b27e21f65dcac57c5

SHA256
50d20759366df9038b9adc5a03dd6770f491f659e9c49f2bdd9ad1cb10426001

SHA512
4c378452046b496dedd91d62a286b7b455257ec312c4e7435e896c71af370ca8ba4e7e731eb0126208b7429c9495d23ca8e8695a1f6b3796a8971fea9410032f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-24-2022
Filesize
224B

MD5
539d1f2f3830b0ed3edbed8cb82c9f59

SHA1
d75229a46308da065ff3781f8a63fccd8ced714f

SHA256
e029502a62f33119b6b0176e48e8aebdd0bc84961ce02f588feac6c34e998856

SHA512
956cb7c8e0a6b0991ebde2feea327973cd9175cb6c64dbf6985a5d568f8cc7522c7c613bc899e0ca001dd48d7c21deca48fa6c6f3e51ae35aed47336a1bdba54

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\Users\Admin\AppData\Roaming\Services\Audio Service.exe
Filesize
411KB

MD5
2adea70fccf261c8c99d87be94dff75b

SHA1
ec8fb48c9a4fb3dbd227c1049f08c00e0b4a1623

SHA256
e22cce54e5bca8dbef485c6ab22fc9e3fa38b7315691cd902efb522ad8011ba0

SHA512
286b11acb1e1becafce0fc26bed6eeaa9f05e33c64dd7d36a3ddb3b7706ca8144fcb0d7d18c753ec05e693ac2767631b62bddd89bd04cd482961964499677487

Download Submit
C:\autorun.inf
Filesize
31B

MD5
cbefdfb6579e8aac44c0d19501f07aa0

SHA1
3e6b2d2e08e70179a6bf42ba7103e12ddbaa70fc

SHA256
41df24b22a3a1a5b4b058a05b09e7ea18f09c7f9e3ad2525ae524a8f89f4ca78

SHA512
c2d8b7418c6fcfbd4be0583a56c63b80f44013b199ac2fa46d51e6f5d2ead9d0d61816e148c554db3f6d94446858566e608aa78668771a3d02a8b460567aa9b3

Download Submit
C:\autorun.inf
Filesize
31B

MD5
cbefdfb6579e8aac44c0d19501f07aa0

SHA1
3e6b2d2e08e70179a6bf42ba7103e12ddbaa70fc

SHA256
41df24b22a3a1a5b4b058a05b09e7ea18f09c7f9e3ad2525ae524a8f89f4ca78

SHA512
c2d8b7418c6fcfbd4be0583a56c63b80f44013b199ac2fa46d51e6f5d2ead9d0d61816e148c554db3f6d94446858566e608aa78668771a3d02a8b460567aa9b3

Download Submit
C:\autorun.inf
Filesize
31B

MD5
cbefdfb6579e8aac44c0d19501f07aa0

SHA1
3e6b2d2e08e70179a6bf42ba7103e12ddbaa70fc

SHA256
41df24b22a3a1a5b4b058a05b09e7ea18f09c7f9e3ad2525ae524a8f89f4ca78

SHA512
c2d8b7418c6fcfbd4be0583a56c63b80f44013b199ac2fa46d51e6f5d2ead9d0d61816e148c554db3f6d94446858566e608aa78668771a3d02a8b460567aa9b3

Download Submit
C:\autorun.inf
Filesize
31B

MD5
cbefdfb6579e8aac44c0d19501f07aa0

SHA1
3e6b2d2e08e70179a6bf42ba7103e12ddbaa70fc

SHA256
41df24b22a3a1a5b4b058a05b09e7ea18f09c7f9e3ad2525ae524a8f89f4ca78

SHA512
c2d8b7418c6fcfbd4be0583a56c63b80f44013b199ac2fa46d51e6f5d2ead9d0d61816e148c554db3f6d94446858566e608aa78668771a3d02a8b460567aa9b3

Download Submit
C:\autorun.inf
Filesize
31B

MD5
cbefdfb6579e8aac44c0d19501f07aa0

SHA1
3e6b2d2e08e70179a6bf42ba7103e12ddbaa70fc

SHA256
41df24b22a3a1a5b4b058a05b09e7ea18f09c7f9e3ad2525ae524a8f89f4ca78

SHA512
c2d8b7418c6fcfbd4be0583a56c63b80f44013b199ac2fa46d51e6f5d2ead9d0d61816e148c554db3f6d94446858566e608aa78668771a3d02a8b460567aa9b3

Download Submit
memory/368-218-0x0000000000000000-mapping.dmp

Download
memory/536-183-0x0000000000000000-mapping.dmp

Download
memory/712-163-0x0000000000000000-mapping.dmp

Download
memory/956-234-0x0000000000000000-mapping.dmp

Download
memory/1092-221-0x0000000000000000-mapping.dmp

Download
memory/1152-171-0x0000000000000000-mapping.dmp

Download
memory/1196-131-0x0000000000000000-mapping.dmp

Download
memory/1220-167-0x0000000000000000-mapping.dmp

Download
memory/1312-166-0x0000000000000000-mapping.dmp

Download
memory/1316-227-0x0000000000000000-mapping.dmp

Download
memory/1356-139-0x0000000000920000-0x000000000096E000-memory.dmp

Filesize
312KB

Download
memory/1356-140-0x0000000000920000-0x000000000096E000-memory.dmp

Filesize
312KB

Download
memory/1356-141-0x0000000004AD0000-0x0000000005074000-memory.dmp

Filesize
5.6MB

Download
memory/1356-142-0x00000000049F0000-0x0000000004A82000-memory.dmp

Filesize
584KB

Download
memory/1356-143-0x00000000051A0000-0x0000000005206000-memory.dmp

Filesize
408KB

Download
memory/1356-144-0x0000000005890000-0x00000000058A2000-memory.dmp

Filesize
72KB

Download
memory/1356-145-0x0000000005FE0000-0x000000000601C000-memory.dmp

Filesize
240KB

Download
memory/1356-146-0x0000000006390000-0x000000000639A000-memory.dmp

Filesize
40KB

Download
memory/1356-135-0x0000000000000000-mapping.dmp

Download
memory/1536-219-0x0000000000000000-mapping.dmp

Download
memory/1548-181-0x0000000000000000-mapping.dmp

Download
memory/1680-165-0x0000000000000000-mapping.dmp

Download
memory/1728-130-0x00000000007E0000-0x00000000007EE000-memory.dmp

Filesize
56KB

Download
memory/1728-207-0x0000000000000000-mapping.dmp

Download
memory/1888-203-0x0000000000000000-mapping.dmp

Download
memory/1900-179-0x0000000000000000-mapping.dmp

Download
memory/2072-155-0x0000000000000000-mapping.dmp

Download
memory/2072-159-0x00000000008E0000-0x000000000092E000-memory.dmp

Filesize
312KB

Download
memory/2072-158-0x00000000008E0000-0x000000000092E000-memory.dmp

Filesize
312KB

Download
memory/2336-132-0x0000000000000000-mapping.dmp

Download
memory/2600-147-0x0000000000000000-mapping.dmp

Download
memory/2796-217-0x0000000000000000-mapping.dmp

Download
memory/2940-185-0x0000000000000000-mapping.dmp

Download
memory/2980-150-0x0000000000000000-mapping.dmp

Download
memory/3080-197-0x0000000000000000-mapping.dmp

Download
memory/3180-199-0x0000000000000000-mapping.dmp

Download
memory/3408-157-0x0000000000000000-mapping.dmp

Download
memory/3488-223-0x0000000000000000-mapping.dmp

Download
memory/3512-177-0x0000000000000000-mapping.dmp

Download
memory/3728-237-0x0000000000000000-mapping.dmp

Download
memory/4080-149-0x0000000000000000-mapping.dmp

Download
memory/4228-210-0x0000000000000000-mapping.dmp

Download
memory/4248-215-0x0000000000000000-mapping.dmp

Download
memory/4320-198-0x0000000000000000-mapping.dmp

Download
memory/4432-180-0x0000000000000000-mapping.dmp

Download
memory/4652-205-0x00000000008D0000-0x000000000091E000-memory.dmp

Filesize
312KB

Download
memory/4652-201-0x0000000000000000-mapping.dmp

Download
memory/4732-137-0x0000000000000000-mapping.dmp

Download
memory/4748-195-0x0000000000000000-mapping.dmp

Download
memory/4800-169-0x0000000000000000-mapping.dmp

Download
memory/4800-174-0x0000000000860000-0x00000000008AE000-memory.dmp

Filesize
312KB

Download
memory/4812-153-0x0000000000000000-mapping.dmp

Download
memory/4868-189-0x0000000000000000-mapping.dmp

Download
memory/4964-225-0x0000000000000000-mapping.dmp

Download
memory/4964-229-0x0000000000870000-0x00000000008BE000-memory.dmp

Filesize
312KB

Download
memory/4996-236-0x0000000000000000-mapping.dmp

Download
memory/5096-151-0x0000000000000000-mapping.dmp

Download
memory/5108-187-0x0000000000000000-mapping.dmp

Download
memory/5108-191-0x00000000008A0000-0x00000000008EE000-memory.dmp

Filesize
312KB

Download