Resubmissions

03-12-2023 02:55

231203-den6sahb39 10

03-12-2023 01:12

231203-bkpndsgg81 10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231128-en
  • resource tags

    arch:x64, arch:x86, image:win11-20231128-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    03-12-2023 02:55

General

  • Target

    LethalCumpanyExternalModLoader.exe

  • Size

    3.1MB

  • MD5

    3c4b297ab9e22cbe51307529e6c7d17d

  • SHA1

    b63b9e36ec2090fb2b5e8c30d8a7cebd7c7b7632

  • SHA256

    be1c5c962b13534ca1c19163aa20162afc9dbd92f34b9cf5b58d56aca5bab352

  • SHA512

    68f5c26f9c61ca71f727e23ad933ffa5f8c677251bd68374270c3a1dbc363214fa26523cadff50b8090da1a71f7fe60974e5d274c513e0e6b5fa5e379506bbae

  • SSDEEP

    49152:/v7lL26AaNeWgPhlmVqvMQ7XSKw8gEjhILoGdyTHHB72eh2NT:/vhL26AaNeWgPhlmVqkQ7XSKw8g/

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

*:25566

2.217.152.33:25566

Mutex

3e1fc3a8-4198-483c-8d47-29832529912b

Attributes
  • encryption_key

    53C519F96376EEC645919472EA31133F8FBA1D36

  • install_name

    LethalCumpany.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    LethalCumpanyModLoader

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 15 IoCs
  • Executes dropped EXE 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 14 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4456
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:764
    • C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3776
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1824
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uw5EE4Aouya2.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2876
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:1496
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • Runs ping.exe
            PID:4156
          • C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:440
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f
              5⤵
              • Creates scheduled task(s)
              PID:3432
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Grbd1uYUTGOa.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4972
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:3056
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • Runs ping.exe
                  PID:1940
                • C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4820
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f
                    7⤵
                    • Creates scheduled task(s)
                    PID:3400
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GfsPMktqeWYU.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:780
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:3232
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • Runs ping.exe
                        PID:1224
                      • C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3388
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f
                          9⤵
                          • Creates scheduled task(s)
                          PID:572
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\df4LOwrzzPY8.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3904
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:4948
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • Runs ping.exe
                              PID:2324
                            • C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1668
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f
                                11⤵
                                • Creates scheduled task(s)
                                PID:4792
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u7l9x78wLOGL.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:5060
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:4584
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • Runs ping.exe
                                    PID:5036
                                  • C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
                                    "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:128
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f
                                      13⤵
                                      • Creates scheduled task(s)
                                      PID:4304
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KXQf5oBinTla.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:2732
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:4892
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • Runs ping.exe
                                          PID:940
                                        • C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
                                          "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"
                                          14⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2944
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f
                                            15⤵
                                            • Creates scheduled task(s)
                                            PID:1400
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OhDakuhJE1ip.bat" "
                                            15⤵
                                              PID:5100
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:3172
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • Runs ping.exe
                                                  PID:1028
                                                • C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
                                                  "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"
                                                  16⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:4340
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Creates scheduled task(s)
                                                    PID:3848
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YudsjW7OK4Ss.bat" "
                                                    17⤵
                                                      PID:1360
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:1748
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • Runs ping.exe
                                                          PID:496
                                                        • C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
                                                          "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"
                                                          18⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1496
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Creates scheduled task(s)
                                                            PID:3924
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w3xqnYZqJ75L.bat" "
                                                            19⤵
                                                              PID:4160
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:1044
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • Runs ping.exe
                                                                  PID:2876
                                                                • C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"
                                                                  20⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:4256
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Creates scheduled task(s)
                                                                    PID:1756
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4vhmLGKfBkN1.bat" "
                                                                    21⤵
                                                                      PID:1640
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:3672
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • Runs ping.exe
                                                                          PID:2564
                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"
                                                                          22⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:3024
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Creates scheduled task(s)
                                                                            PID:3344
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BRjyrpv9ekdd.bat" "
                                                                            23⤵
                                                                              PID:2156
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:1456
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • Runs ping.exe
                                                                                  PID:1656
                                                                                • C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"
                                                                                  24⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:760
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Creates scheduled task(s)
                                                                                    PID:5108
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s1umMTDxBAWP.bat" "
                                                                                    25⤵
                                                                                      PID:4468
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:3064
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • Runs ping.exe
                                                                                          PID:2084
                                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"
                                                                                          26⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:256
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f
                                                                                            27⤵
                                                                                            • Creates scheduled task(s)
                                                                                            PID:4056
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gbj9hOXkcyEv.bat" "
                                                                                            27⤵
                                                                                              PID:2864
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                28⤵
                                                                                                  PID:1384
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  28⤵
                                                                                                  • Runs ping.exe
                                                                                                  PID:1844
                                          • C:\Windows\System32\rundll32.exe
                                            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                            1⤵
                                              PID:4024

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\LethalCumpany.exe.log

                                              Filesize

                                              2KB

                                            • C:\Users\Admin\AppData\Local\Temp\4vhmLGKfBkN1.bat

                                              Filesize

                                              214B

                                            • C:\Users\Admin\AppData\Local\Temp\BRjyrpv9ekdd.bat

                                              Filesize

                                              214B

                                            • C:\Users\Admin\AppData\Local\Temp\GfsPMktqeWYU.bat

                                              Filesize

                                              214B

                                            • C:\Users\Admin\AppData\Local\Temp\Grbd1uYUTGOa.bat

                                              Filesize

                                              214B

                                            • C:\Users\Admin\AppData\Local\Temp\KXQf5oBinTla.bat

                                              Filesize

                                              214B

                                            • C:\Users\Admin\AppData\Local\Temp\OhDakuhJE1ip.bat

                                              Filesize

                                              214B

                                            • C:\Users\Admin\AppData\Local\Temp\Uw5EE4Aouya2.bat

                                              Filesize

                                              214B

                                            • C:\Users\Admin\AppData\Local\Temp\YudsjW7OK4Ss.bat

                                              Filesize

                                              214B

                                            • C:\Users\Admin\AppData\Local\Temp\df4LOwrzzPY8.bat

                                              Filesize

                                              214B

                                            • C:\Users\Admin\AppData\Local\Temp\gbj9hOXkcyEv.bat

                                              Filesize

                                              214B

                                            • C:\Users\Admin\AppData\Local\Temp\s1umMTDxBAWP.bat

                                              Filesize

                                              214B

                                            • C:\Users\Admin\AppData\Local\Temp\u7l9x78wLOGL.bat

                                              Filesize

                                              214B

                                            • C:\Users\Admin\AppData\Local\Temp\w3xqnYZqJ75L.bat

                                              Filesize

                                              214B

                                            • C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

                                              Filesize

                                              3.1MB
