Malware Analysis Report

2025-01-18 04:25

Sample ID 231203-den6sahb39
Target LethalCumpany-LethalCumpany-1.1.0.zip
SHA256 17d3c427c27e9fe420fba45c21d52c2df2042284751364053bb34d0b48278acc
Tags
office04 quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

17d3c427c27e9fe420fba45c21d52c2df2042284751364053bb34d0b48278acc

Threat Level: Known bad

The file LethalCumpany-LethalCumpany-1.1.0.zip was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar family

Quasar RAT

Quasar payload

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-03 02:55

Signatures

Quasar family

quasar

Quasar payload


Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-03 02:55

Reported

2023-12-03 02:58

Platform

win11-20231128-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload


Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4456 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4456 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
PID 3776 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3776 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2876 wrote to memory of 4156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2876 wrote to memory of 440 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
PID 440 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\SYSTEM32\schtasks.exe
PID 440 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\cmd.exe
PID 4972 wrote to memory of 3056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4972 wrote to memory of 1940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4972 wrote to memory of 4820 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
PID 4820 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4820 wrote to memory of 780 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\cmd.exe
PID 780 wrote to memory of 3232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 780 wrote to memory of 1224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 780 wrote to memory of 3388 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
PID 3388 wrote to memory of 572 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3388 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\cmd.exe
PID 3904 wrote to memory of 4948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3904 wrote to memory of 2324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3904 wrote to memory of 1668 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
PID 1668 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1668 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\cmd.exe
PID 5060 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 5060 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 5060 wrote to memory of 128 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe
PID 128 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\SYSTEM32\schtasks.exe
PID 128 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe C:\Windows\system32\cmd.exe
PID 2732 wrote to memory of 4892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2732 wrote to memory of 940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2732 wrote to memory of 2944 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe

"C:\Users\Admin\AppData\Local\Temp\LethalCumpanyExternalModLoader.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uw5EE4Aouya2.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Grbd1uYUTGOa.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GfsPMktqeWYU.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\df4LOwrzzPY8.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u7l9x78wLOGL.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KXQf5oBinTla.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OhDakuhJE1ip.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YudsjW7OK4Ss.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w3xqnYZqJ75L.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4vhmLGKfBkN1.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BRjyrpv9ekdd.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s1umMTDxBAWP.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe

"C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "LethalCumpanyModLoader" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\LethalCumpany.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gbj9hOXkcyEv.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Files
