quasar | 46bac1db5da211b56dd46d88afd80b378fa4cf47a75a3e05920db4fe9dd24fd5

Analysis

max time kernel
17s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2023 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dox Tool V3 Cracked/Dox Tool V3 Cracked/Dox Tool V3 Cracked/Dox Tool V3 Cracked.exe
Size

207KB
MD5

6c206cadf297a02c0af977c65637a166
SHA1

7d382b1e6cefd120f9d87f894e14088e18d01c73
SHA256

f4f78f44719af71a363bd50107840f53f8eebf3190505c10bac2cf7be3c29e59
SHA512

2672ae02fb6b768861f469556f9818fd84866d62122f243309b5f2d13c4c907b6555e968bfb4b10cd48188fe3b2182b15ee7f425ddd14835b483d0dfe721b515
SSDEEP

3072:a4lci2Fg23Ii0qLTqBGsx/2JNRnvcXCevyLNgtlr:a6ci8giNLZW2HRnvKClg

Score

10^/10

quasar office04 discovery persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

192.168.1.11:4782

Mutex

QSR_MUTEX_f39lWqYnYtP5YngtM5

Attributes

encryption_key
c5q7P5jsfrwN6nB5c3mG
install_name
SystemUpdate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
SubDir

Signatures

Quasar RAT 3 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

Processes:

Dox Tool V3 Cracked.exe

flow	ioc
20	ip-api.com
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Dox Tool V3 Cracked.exe
31	icanhazip.com

Quasar payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe	family_quasar
behavioral1/memory/1132-209-0x0000000000E60000-0x0000000000EBE000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe	family_quasar
C:\Windows\SysWOW64\SubDir\SystemUpdate.exe	family_quasar
C:\Windows\SysWOW64\SubDir\SystemUpdate.exe	family_quasar

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Dox Tool V3 Cracked.exeDox Tool V3 Cracked.exesvchost.exeWindows Services.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Dox Tool V3 Cracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Dox Tool V3 Cracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Windows Services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 1 IoCs

Processes:

Launcher.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk Launcher.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk	Launcher.exe

Executes dropped EXE 11 IoCs

Processes:

svchost.exeDox Tool V3 Cracked.exeWindowsUpdate.exeDOX.exeWindows Services.exeHQUHlwGxWA.exeSecure System Shell.exeRuntime Explorer.exeSystemUpdate.exesvchost.exeHQUHlwGxWA.exe

pid	process
4368	svchost.exe
2412	Dox Tool V3 Cracked.exe
1132	WindowsUpdate.exe
1560	DOX.exe
1544	Windows Services.exe
1756	HQUHlwGxWA.exe
1876	Secure System Shell.exe
4072	Runtime Explorer.exe
2856	SystemUpdate.exe
1984	svchost.exe
1956	HQUHlwGxWA.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Launcher.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe"	Launcher.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 ip-api.com
31 icanhazip.com

flow	ioc
20	ip-api.com
31	icanhazip.com

Drops file in System32 directory 4 IoCs

Processes:

SystemUpdate.exeWindowsUpdate.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\SubDir	SystemUpdate.exe
File created	C:\Windows\SysWOW64\SubDir\SystemUpdate.exe	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\SystemUpdate.exe	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\SystemUpdate.exe	SystemUpdate.exe

Drops file in Windows directory 9 IoCs

Processes:

Launcher.exe

description	ioc	process
File created	C:\Windows\IMF\LICENCE.dat	Launcher.exe
File created	C:\Windows\IMF\Runtime Explorer.exe.tmp	Launcher.exe
File created	C:\Windows\IMF\Windows Services.exe.tmp	Launcher.exe
File created	C:\Windows\IMF\LICENCE.zip	Launcher.exe
File opened for modification	C:\Windows\IMF\LICENCE.zip	Launcher.exe
File opened for modification	C:\Windows\IMF\Runtime Explorer.exe	Launcher.exe
File created	C:\Windows\IMF\Secure System Shell.exe.tmp	Launcher.exe
File opened for modification	C:\Windows\IMF\Secure System Shell.exe	Launcher.exe
File opened for modification	C:\Windows\IMF\Windows Services.exe	Launcher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

832 schtasks.exe
4736 schtasks.exe

pid	process
832	schtasks.exe
4736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Launcher.exepowershell.exeWindows Services.exeSecure System Shell.exe

pid	process
1808	Launcher.exe
2040	powershell.exe
2040	powershell.exe
1544	Windows Services.exe
1544	Windows Services.exe
1544	Windows Services.exe
1544	Windows Services.exe
1876	Secure System Shell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

Launcher.exepowershell.exesvchost.exeWindows Services.exeWindowsUpdate.exeSecure System Shell.exeDOX.exeSystemUpdate.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1808	Launcher.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	4368	svchost.exe
Token: SeDebugPrivilege	1544	Windows Services.exe
Token: SeDebugPrivilege	1132	WindowsUpdate.exe
Token: SeDebugPrivilege	1876	Secure System Shell.exe
Token: SeDebugPrivilege	1560	DOX.exe
Token: SeDebugPrivilege	2856	SystemUpdate.exe
Token: SeDebugPrivilege	1984	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Runtime Explorer.exeSystemUpdate.exe

pid process

4072 Runtime Explorer.exe
2856 SystemUpdate.exe

pid	process
4072	Runtime Explorer.exe
2856	SystemUpdate.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

Dox Tool V3 Cracked.exeLauncher.exedoxsys.exeDox Tool V3 Cracked.exesvchost.exeWindows Services.exeWindowsUpdate.exeSystemUpdate.exesvchost.exe

description	pid	process	target process
PID 2668 wrote to memory of 1808	2668	Dox Tool V3 Cracked.exe	Launcher.exe
PID 2668 wrote to memory of 1808	2668	Dox Tool V3 Cracked.exe	Launcher.exe
PID 2668 wrote to memory of 1808	2668	Dox Tool V3 Cracked.exe	Launcher.exe
PID 1808 wrote to memory of 2040	1808	Launcher.exe	powershell.exe
PID 1808 wrote to memory of 2040	1808	Launcher.exe	powershell.exe
PID 1808 wrote to memory of 2040	1808	Launcher.exe	powershell.exe
PID 2668 wrote to memory of 1740	2668	Dox Tool V3 Cracked.exe	doxsys.exe
PID 2668 wrote to memory of 1740	2668	Dox Tool V3 Cracked.exe	doxsys.exe
PID 2668 wrote to memory of 1740	2668	Dox Tool V3 Cracked.exe	doxsys.exe
PID 1740 wrote to memory of 4368	1740	doxsys.exe	svchost.exe
PID 1740 wrote to memory of 4368	1740	doxsys.exe	svchost.exe
PID 1740 wrote to memory of 2412	1740	doxsys.exe	Dox Tool V3 Cracked.exe
PID 1740 wrote to memory of 2412	1740	doxsys.exe	Dox Tool V3 Cracked.exe
PID 1740 wrote to memory of 2412	1740	doxsys.exe	Dox Tool V3 Cracked.exe
PID 2412 wrote to memory of 1132	2412	Dox Tool V3 Cracked.exe	WindowsUpdate.exe
PID 2412 wrote to memory of 1132	2412	Dox Tool V3 Cracked.exe	WindowsUpdate.exe
PID 2412 wrote to memory of 1132	2412	Dox Tool V3 Cracked.exe	WindowsUpdate.exe
PID 2412 wrote to memory of 1560	2412	Dox Tool V3 Cracked.exe	DOX.exe
PID 2412 wrote to memory of 1560	2412	Dox Tool V3 Cracked.exe	DOX.exe
PID 2412 wrote to memory of 1560	2412	Dox Tool V3 Cracked.exe	DOX.exe
PID 1808 wrote to memory of 1544	1808	Launcher.exe	Windows Services.exe
PID 1808 wrote to memory of 1544	1808	Launcher.exe	Windows Services.exe
PID 1808 wrote to memory of 1544	1808	Launcher.exe	Windows Services.exe
PID 4368 wrote to memory of 1756	4368	svchost.exe	HQUHlwGxWA.exe
PID 4368 wrote to memory of 1756	4368	svchost.exe	HQUHlwGxWA.exe
PID 1544 wrote to memory of 1876	1544	Windows Services.exe	Secure System Shell.exe
PID 1544 wrote to memory of 1876	1544	Windows Services.exe	Secure System Shell.exe
PID 1544 wrote to memory of 1876	1544	Windows Services.exe	Secure System Shell.exe
PID 1544 wrote to memory of 4072	1544	Windows Services.exe	Runtime Explorer.exe
PID 1544 wrote to memory of 4072	1544	Windows Services.exe	Runtime Explorer.exe
PID 1544 wrote to memory of 4072	1544	Windows Services.exe	Runtime Explorer.exe
PID 1132 wrote to memory of 832	1132	WindowsUpdate.exe	schtasks.exe
PID 1132 wrote to memory of 832	1132	WindowsUpdate.exe	schtasks.exe
PID 1132 wrote to memory of 832	1132	WindowsUpdate.exe	schtasks.exe
PID 1132 wrote to memory of 2856	1132	WindowsUpdate.exe	SystemUpdate.exe
PID 1132 wrote to memory of 2856	1132	WindowsUpdate.exe	SystemUpdate.exe
PID 1132 wrote to memory of 2856	1132	WindowsUpdate.exe	SystemUpdate.exe
PID 2856 wrote to memory of 4736	2856	SystemUpdate.exe	schtasks.exe
PID 2856 wrote to memory of 4736	2856	SystemUpdate.exe	schtasks.exe
PID 2856 wrote to memory of 4736	2856	SystemUpdate.exe	schtasks.exe
PID 4368 wrote to memory of 1984	4368	svchost.exe	svchost.exe
PID 4368 wrote to memory of 1984	4368	svchost.exe	svchost.exe
PID 1984 wrote to memory of 1956	1984	svchost.exe	HQUHlwGxWA.exe
PID 1984 wrote to memory of 1956	1984	svchost.exe	HQUHlwGxWA.exe

C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked\Dox Tool V3 Cracked\Dox Tool V3 Cracked\Dox Tool V3 Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked\Dox Tool V3 Cracked\Dox Tool V3 Cracked\Dox Tool V3 Cracked.exe"
1⤵
- Quasar RAT
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked\Dox Tool V3 Cracked\Dox Tool V3 Cracked\data\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked\Dox Tool V3 Cracked\Dox Tool V3 Cracked\data\Launcher.exe"
2⤵
- Drops startup file
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4072

C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked\Dox Tool V3 Cracked\Dox Tool V3 Cracked\data\doxsys.exe
"C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked\Dox Tool V3 Cracked\Dox Tool V3 Cracked\data\doxsys.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368

C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe
"C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe"
4⤵
- Executes dropped EXE
PID:1756

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" C:\Users\Admin\AppData\Local\Temp\svchost.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe
"C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe"
5⤵
- Executes dropped EXE
PID:1956

C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412

C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:832

C:\Windows\SysWOW64\SubDir\SystemUpdate.exe
"C:\Windows\SysWOW64\SubDir\SystemUpdate.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\SystemUpdate.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:4736

C:\Users\Admin\AppData\Local\Temp\DOX.exe
"C:\Users\Admin\AppData\Local\Temp\DOX.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DOX.exe
Filesize
154KB

MD5
670f75850165e3c3ef0df41e1565ff58

SHA1
784ae13c951ac390d7dea0071c97aded6800b708

SHA256
fb128eba50fac8bc22faac39de602c306809cb37167b950bd194eb0bd9832812

SHA512
c0355235fbce7829dbcd3fac26ec5663b09c880826a014599127f330ddd3c16a95a0ab973fa75ddbb4ce0f8756ab2494739b04d1fda0bb799d577e493c9ca9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOX.exe
Filesize
154KB

MD5
670f75850165e3c3ef0df41e1565ff58

SHA1
784ae13c951ac390d7dea0071c97aded6800b708

SHA256
fb128eba50fac8bc22faac39de602c306809cb37167b950bd194eb0bd9832812

SHA512
c0355235fbce7829dbcd3fac26ec5663b09c880826a014599127f330ddd3c16a95a0ab973fa75ddbb4ce0f8756ab2494739b04d1fda0bb799d577e493c9ca9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOX.exe
Filesize
154KB

MD5
670f75850165e3c3ef0df41e1565ff58

SHA1
784ae13c951ac390d7dea0071c97aded6800b708

SHA256
fb128eba50fac8bc22faac39de602c306809cb37167b950bd194eb0bd9832812

SHA512
c0355235fbce7829dbcd3fac26ec5663b09c880826a014599127f330ddd3c16a95a0ab973fa75ddbb4ce0f8756ab2494739b04d1fda0bb799d577e493c9ca9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked.exe
Filesize
688KB

MD5
19d55f26a6237985cb72c59c08d4828f

SHA1
8bc51ad39e35f9be7d46e9e90e754e07d9c88b80

SHA256
317f9d304aea7c5a4b3516f5379a63e2a4fec91578f3c3f69507c8167798062e

SHA512
7a9de012783f9323264fb59739b76195acedd846ea15382d67e5ab19325269a37647865aaa44da9a97fb8eacdf365c1b6c55c0920c46a6cdca6a7c73b09e19d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked.exe
Filesize
688KB

MD5
19d55f26a6237985cb72c59c08d4828f

SHA1
8bc51ad39e35f9be7d46e9e90e754e07d9c88b80

SHA256
317f9d304aea7c5a4b3516f5379a63e2a4fec91578f3c3f69507c8167798062e

SHA512
7a9de012783f9323264fb59739b76195acedd846ea15382d67e5ab19325269a37647865aaa44da9a97fb8eacdf365c1b6c55c0920c46a6cdca6a7c73b09e19d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked.exe
Filesize
688KB

MD5
19d55f26a6237985cb72c59c08d4828f

SHA1
8bc51ad39e35f9be7d46e9e90e754e07d9c88b80

SHA256
317f9d304aea7c5a4b3516f5379a63e2a4fec91578f3c3f69507c8167798062e

SHA512
7a9de012783f9323264fb59739b76195acedd846ea15382d67e5ab19325269a37647865aaa44da9a97fb8eacdf365c1b6c55c0920c46a6cdca6a7c73b09e19d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe
Filesize
20KB

MD5
0d282d4eb8db6d5152b4e5fd3e2064b5

SHA1
72cec747647d5d0f6ef2e5ddb34f1db68fc183e5

SHA256
8663bef0304a937fe47af465c03b8930a5db2dad39bf4dd1cc6baa64cc272061

SHA512
16b2551711afa27baf9aa95d37c2d1b0689c32930ca5a4c7fabe66ea05513f460c58b36fdb96efb26963f10cdc518934dd3f5b623d424a2f299cc47d150f1e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe
Filesize
20KB

MD5
0d282d4eb8db6d5152b4e5fd3e2064b5

SHA1
72cec747647d5d0f6ef2e5ddb34f1db68fc183e5

SHA256
8663bef0304a937fe47af465c03b8930a5db2dad39bf4dd1cc6baa64cc272061

SHA512
16b2551711afa27baf9aa95d37c2d1b0689c32930ca5a4c7fabe66ea05513f460c58b36fdb96efb26963f10cdc518934dd3f5b623d424a2f299cc47d150f1e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe
Filesize
20KB

MD5
0d282d4eb8db6d5152b4e5fd3e2064b5

SHA1
72cec747647d5d0f6ef2e5ddb34f1db68fc183e5

SHA256
8663bef0304a937fe47af465c03b8930a5db2dad39bf4dd1cc6baa64cc272061

SHA512
16b2551711afa27baf9aa95d37c2d1b0689c32930ca5a4c7fabe66ea05513f460c58b36fdb96efb26963f10cdc518934dd3f5b623d424a2f299cc47d150f1e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe
Filesize
20KB

MD5
0d282d4eb8db6d5152b4e5fd3e2064b5

SHA1
72cec747647d5d0f6ef2e5ddb34f1db68fc183e5

SHA256
8663bef0304a937fe47af465c03b8930a5db2dad39bf4dd1cc6baa64cc272061

SHA512
16b2551711afa27baf9aa95d37c2d1b0689c32930ca5a4c7fabe66ea05513f460c58b36fdb96efb26963f10cdc518934dd3f5b623d424a2f299cc47d150f1e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe
Filesize
20KB

MD5
0d282d4eb8db6d5152b4e5fd3e2064b5

SHA1
72cec747647d5d0f6ef2e5ddb34f1db68fc183e5

SHA256
8663bef0304a937fe47af465c03b8930a5db2dad39bf4dd1cc6baa64cc272061

SHA512
16b2551711afa27baf9aa95d37c2d1b0689c32930ca5a4c7fabe66ea05513f460c58b36fdb96efb26963f10cdc518934dd3f5b623d424a2f299cc47d150f1e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebCam_Capture.dll
Filesize
20KB

MD5
94306f6cf69f7e7c0b4f10ea499f73dd

SHA1
3228b4c2ca9109aa86f2810afc3d528947501c92

SHA256
ed937977d846c19ea5a721c8f720dafc4c697c2b136c17d66d7b6a4200090a7e

SHA512
d6c19775a96dedbd40be96d5b3aa3fb0db3d52749e0d54667b38a2f677c94b630ab543457708a1c123776ec473e9f40f18eb4080703ee9adf08110c417dea136

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebCam_Capture.dll
Filesize
20KB

MD5
94306f6cf69f7e7c0b4f10ea499f73dd

SHA1
3228b4c2ca9109aa86f2810afc3d528947501c92

SHA256
ed937977d846c19ea5a721c8f720dafc4c697c2b136c17d66d7b6a4200090a7e

SHA512
d6c19775a96dedbd40be96d5b3aa3fb0db3d52749e0d54667b38a2f677c94b630ab543457708a1c123776ec473e9f40f18eb4080703ee9adf08110c417dea136

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
Filesize
348KB

MD5
a59f7fb8ac2dc166432a86eb8e2179ff

SHA1
9c8b24bda935e397e1c0cb33752331fe1f773b45

SHA256
82d315a2102a1bbd8c1533ea70f93982d2ad0fbbad3d48e9a4265c45353ceacc

SHA512
ff05149ca95d982ee44c820d8bc03e48d6230a7085291f0653398a410a16610038fbc336ec843db7020458fbe982762439990b348de050248758450b3ea263be

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
Filesize
348KB

MD5
a59f7fb8ac2dc166432a86eb8e2179ff

SHA1
9c8b24bda935e397e1c0cb33752331fe1f773b45

SHA256
82d315a2102a1bbd8c1533ea70f93982d2ad0fbbad3d48e9a4265c45353ceacc

SHA512
ff05149ca95d982ee44c820d8bc03e48d6230a7085291f0653398a410a16610038fbc336ec843db7020458fbe982762439990b348de050248758450b3ea263be

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
Filesize
348KB

MD5
a59f7fb8ac2dc166432a86eb8e2179ff

SHA1
9c8b24bda935e397e1c0cb33752331fe1f773b45

SHA256
82d315a2102a1bbd8c1533ea70f93982d2ad0fbbad3d48e9a4265c45353ceacc

SHA512
ff05149ca95d982ee44c820d8bc03e48d6230a7085291f0653398a410a16610038fbc336ec843db7020458fbe982762439990b348de050248758450b3ea263be

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ujpxe0u.i5o.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
76KB

MD5
a57d275fcac1be0b9aad189223a313df

SHA1
0762b222741fa30751dce16e7dae2bcd191adaea

SHA256
1c6d4e2a60849385c9b4cfbb1fc92032cb503497099208f62d7908e52b9b487b

SHA512
41d90ec2548654b86bba21d178bae55b538bc7acf7811b9615095e4719e52075096053427ff85428a51047f405e8d1e6a633b999655e296c9ac396fb2bba36a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
76KB

MD5
a57d275fcac1be0b9aad189223a313df

SHA1
0762b222741fa30751dce16e7dae2bcd191adaea

SHA256
1c6d4e2a60849385c9b4cfbb1fc92032cb503497099208f62d7908e52b9b487b

SHA512
41d90ec2548654b86bba21d178bae55b538bc7acf7811b9615095e4719e52075096053427ff85428a51047f405e8d1e6a633b999655e296c9ac396fb2bba36a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
76KB

MD5
a57d275fcac1be0b9aad189223a313df

SHA1
0762b222741fa30751dce16e7dae2bcd191adaea

SHA256
1c6d4e2a60849385c9b4cfbb1fc92032cb503497099208f62d7908e52b9b487b

SHA512
41d90ec2548654b86bba21d178bae55b538bc7acf7811b9615095e4719e52075096053427ff85428a51047f405e8d1e6a633b999655e296c9ac396fb2bba36a8

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
76KB

MD5
a57d275fcac1be0b9aad189223a313df

SHA1
0762b222741fa30751dce16e7dae2bcd191adaea

SHA256
1c6d4e2a60849385c9b4cfbb1fc92032cb503497099208f62d7908e52b9b487b

SHA512
41d90ec2548654b86bba21d178bae55b538bc7acf7811b9615095e4719e52075096053427ff85428a51047f405e8d1e6a633b999655e296c9ac396fb2bba36a8

Download Submit
C:\Windows\IMF\Runtime Explorer.exe
Filesize
144KB

MD5
4ba07be2ec317b44d19a4f6174d7a62a

SHA1
6d428270ee7d27781321d68387e2b6490fd1b59c

SHA256
d012c4325f27ad7d13fdb4f29a023e4a32f1105c6e5028ea3fbb1e91279e0be6

SHA512
e0b38cc32421b64721dc2968fa8499837822bb77523c51e253b1c49131d6b3efdddda604db83c81c44d7b3528b2afed0bdc7ceeceeff738d21a7d041ed5410ce

Download Submit
C:\Windows\IMF\Runtime Explorer.exe
Filesize
144KB

MD5
4ba07be2ec317b44d19a4f6174d7a62a

SHA1
6d428270ee7d27781321d68387e2b6490fd1b59c

SHA256
d012c4325f27ad7d13fdb4f29a023e4a32f1105c6e5028ea3fbb1e91279e0be6

SHA512
e0b38cc32421b64721dc2968fa8499837822bb77523c51e253b1c49131d6b3efdddda604db83c81c44d7b3528b2afed0bdc7ceeceeff738d21a7d041ed5410ce

Download Submit
C:\Windows\IMF\Runtime Explorer.exe
Filesize
144KB

MD5
4ba07be2ec317b44d19a4f6174d7a62a

SHA1
6d428270ee7d27781321d68387e2b6490fd1b59c

SHA256
d012c4325f27ad7d13fdb4f29a023e4a32f1105c6e5028ea3fbb1e91279e0be6

SHA512
e0b38cc32421b64721dc2968fa8499837822bb77523c51e253b1c49131d6b3efdddda604db83c81c44d7b3528b2afed0bdc7ceeceeff738d21a7d041ed5410ce

Download Submit
C:\Windows\IMF\Secure System Shell.exe
Filesize
45KB

MD5
7d0c7359e5b2daa5665d01afdc98cc00

SHA1
c3cc830c8ffd0f53f28d89dcd9f3426be87085cb

SHA256
f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809

SHA512
a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407

Download Submit
C:\Windows\IMF\Secure System Shell.exe
Filesize
45KB

MD5
7d0c7359e5b2daa5665d01afdc98cc00

SHA1
c3cc830c8ffd0f53f28d89dcd9f3426be87085cb

SHA256
f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809

SHA512
a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407

Download Submit
C:\Windows\IMF\Secure System Shell.exe
Filesize
45KB

MD5
7d0c7359e5b2daa5665d01afdc98cc00

SHA1
c3cc830c8ffd0f53f28d89dcd9f3426be87085cb

SHA256
f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809

SHA512
a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407

Download Submit
C:\Windows\IMF\Windows Services.exe
Filesize
46KB

MD5
ad0ce1302147fbdfecaec58480eb9cf9

SHA1
874efbc76e5f91bc1425a43ea19400340f98d42b

SHA256
2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3

SHA512
adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53

Download Submit
C:\Windows\IMF\Windows Services.exe
Filesize
46KB

MD5
ad0ce1302147fbdfecaec58480eb9cf9

SHA1
874efbc76e5f91bc1425a43ea19400340f98d42b

SHA256
2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3

SHA512
adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53

Download Submit
C:\Windows\IMF\Windows Services.exe
Filesize
46KB

MD5
ad0ce1302147fbdfecaec58480eb9cf9

SHA1
874efbc76e5f91bc1425a43ea19400340f98d42b

SHA256
2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3

SHA512
adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53

Download Submit
C:\Windows\SysWOW64\SubDir\SystemUpdate.exe
Filesize
348KB

MD5
a59f7fb8ac2dc166432a86eb8e2179ff

SHA1
9c8b24bda935e397e1c0cb33752331fe1f773b45

SHA256
82d315a2102a1bbd8c1533ea70f93982d2ad0fbbad3d48e9a4265c45353ceacc

SHA512
ff05149ca95d982ee44c820d8bc03e48d6230a7085291f0653398a410a16610038fbc336ec843db7020458fbe982762439990b348de050248758450b3ea263be

Download Submit
C:\Windows\SysWOW64\SubDir\SystemUpdate.exe
Filesize
348KB

MD5
a59f7fb8ac2dc166432a86eb8e2179ff

SHA1
9c8b24bda935e397e1c0cb33752331fe1f773b45

SHA256
82d315a2102a1bbd8c1533ea70f93982d2ad0fbbad3d48e9a4265c45353ceacc

SHA512
ff05149ca95d982ee44c820d8bc03e48d6230a7085291f0653398a410a16610038fbc336ec843db7020458fbe982762439990b348de050248758450b3ea263be

Download Submit
memory/1132-238-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/1132-301-0x0000000006CE0000-0x0000000006D1C000-memory.dmp

Filesize
240KB

Download
memory/1132-209-0x0000000000E60000-0x0000000000EBE000-memory.dmp

Filesize
376KB

Download
memory/1132-295-0x00000000068C0000-0x00000000068D2000-memory.dmp

Filesize
72KB

Download
memory/1544-262-0x0000000000A60000-0x0000000000A72000-memory.dmp

Filesize
72KB

Download
memory/1544-335-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/1560-334-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/1560-281-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/1560-210-0x0000000000BD0000-0x0000000000BFC000-memory.dmp

Filesize
176KB

Download
memory/1560-239-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/1560-332-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/1740-144-0x0000000001770000-0x0000000001780000-memory.dmp

Filesize
64KB

Download
memory/1756-267-0x000000001BCB0000-0x000000001BD4C000-memory.dmp

Filesize
624KB

Download
memory/1756-282-0x0000000001840000-0x0000000001848000-memory.dmp

Filesize
32KB

Download
memory/1756-285-0x000000001BD80000-0x000000001BD88000-memory.dmp

Filesize
32KB

Download
memory/1756-298-0x0000000001710000-0x0000000001720000-memory.dmp

Filesize
64KB

Download
memory/1756-265-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/1756-266-0x000000001C270000-0x000000001C73E000-memory.dmp

Filesize
4.8MB

Download
memory/1756-280-0x0000000001710000-0x0000000001720000-memory.dmp

Filesize
64KB

Download
memory/1756-300-0x0000000001710000-0x0000000001720000-memory.dmp

Filesize
64KB

Download
memory/1808-145-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/1808-141-0x0000000006970000-0x00000000069EE000-memory.dmp

Filesize
504KB

Download
memory/1808-236-0x00000000065D0000-0x0000000006646000-memory.dmp

Filesize
472KB

Download
memory/1808-237-0x00000000065B0000-0x00000000065CE000-memory.dmp

Filesize
120KB

Download
memory/1808-140-0x0000000000A50000-0x0000000000A64000-memory.dmp

Filesize
80KB

Download
memory/1876-299-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/1876-292-0x0000000000A60000-0x0000000000A72000-memory.dmp

Filesize
72KB

Download
memory/1876-336-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/1956-333-0x0000000001480000-0x0000000001490000-memory.dmp

Filesize
64KB

Download
memory/1956-331-0x0000000001480000-0x0000000001490000-memory.dmp

Filesize
64KB

Download
memory/2040-155-0x0000000005FB0000-0x0000000006016000-memory.dmp

Filesize
408KB

Download
memory/2040-287-0x00000000078A0000-0x00000000078BA000-memory.dmp

Filesize
104KB

Download
memory/2040-143-0x0000000002CC0000-0x0000000002CF6000-memory.dmp

Filesize
216KB

Download
memory/2040-184-0x0000000002C70000-0x0000000002C80000-memory.dmp

Filesize
64KB

Download
memory/2040-146-0x0000000005710000-0x0000000005D38000-memory.dmp

Filesize
6.2MB

Download
memory/2040-291-0x0000000007910000-0x000000000791A000-memory.dmp

Filesize
40KB

Download
memory/2040-154-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/2040-297-0x0000000007B20000-0x0000000007BB6000-memory.dmp

Filesize
600KB

Download
memory/2040-268-0x0000000006B60000-0x0000000006B92000-memory.dmp

Filesize
200KB

Download
memory/2040-279-0x0000000006AE0000-0x0000000006AFE000-memory.dmp

Filesize
120KB

Download
memory/2040-269-0x000000006D960000-0x000000006D9AC000-memory.dmp

Filesize
304KB

Download
memory/2040-148-0x0000000005E00000-0x0000000005E22000-memory.dmp

Filesize
136KB

Download
memory/2040-286-0x0000000007EE0000-0x000000000855A000-memory.dmp

Filesize
6.5MB

Download
memory/2040-170-0x0000000006590000-0x00000000065AE000-memory.dmp

Filesize
120KB

Download
memory/2040-308-0x0000000007AD0000-0x0000000007ADE000-memory.dmp

Filesize
56KB

Download
memory/2040-283-0x000000007F2B0000-0x000000007F2C0000-memory.dmp

Filesize
64KB

Download
memory/2040-310-0x0000000007BE0000-0x0000000007BFA000-memory.dmp

Filesize
104KB

Download
memory/2040-311-0x0000000007BC0000-0x0000000007BC8000-memory.dmp

Filesize
32KB

Download
memory/2412-185-0x00000000010E0000-0x00000000010F0000-memory.dmp

Filesize
64KB

Download
memory/2668-137-0x0000000004CE0000-0x0000000004CEA000-memory.dmp

Filesize
40KB

Download
memory/2668-136-0x0000000004E10000-0x0000000004EA2000-memory.dmp

Filesize
584KB

Download
memory/2668-135-0x00000000053C0000-0x0000000005964000-memory.dmp

Filesize
5.6MB

Download
memory/2668-134-0x0000000004D30000-0x0000000004DCC000-memory.dmp

Filesize
624KB

Download
memory/2668-133-0x0000000000460000-0x000000000049A000-memory.dmp

Filesize
232KB

Download
memory/2668-138-0x0000000004F10000-0x0000000004F66000-memory.dmp

Filesize
344KB

Download
memory/2668-139-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/2856-309-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/2856-337-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4368-171-0x0000000000A90000-0x0000000000AAA000-memory.dmp

Filesize
104KB

Download