Malware Analysis Report

2025-01-18 04:26

Sample ID 231205-cpybrsha95
Target aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c
SHA256 aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c
Tags
quasar office04 discovery persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c

Threat Level: Known bad

The file aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c was found to be: Known bad.

Malicious Activity Summary

quasar office04 discovery persistence spyware trojan

Quasar payload

Quasar RAT

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

Modifies system certificate store

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-05 02:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-05 02:15

Reported

2023-12-05 02:18

Platform

win7-20231023-en

Max time kernel

137s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{0f39db03-9030-48f3-82ef-5384bed81d85} = "\"C:\\ProgramData\\Package Cache\\{0f39db03-9030-48f3-82ef-5384bed81d85}\\windowsdesktop-runtime-6.0.21-win-x64.exe\" /burn.runonce" C:\Windows\Temp\{B29C5AA8-44CA-4AD1-B93D-6A464D8C7322}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\SubDir\System32.exe C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe N/A
File opened for modification C:\Windows\system32\SubDir\System32.exe C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe N/A
File opened for modification C:\Windows\system32\SubDir C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe N/A
File opened for modification C:\Windows\system32\SubDir\System32.exe C:\Windows\system32\SubDir\System32.exe N/A
File opened for modification C:\Windows\system32\SubDir C:\Windows\system32\SubDir\System32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.21 (x64).swidtag C:\Windows\Temp\{B29C5AA8-44CA-4AD1-B93D-6A464D8C7322}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\Temp\{B29C5AA8-44CA-4AD1-B93D-6A464D8C7322}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f39db03-9030-48f3-82ef-5384bed81d85}\Version = "6.0.21.32717" C:\Windows\Temp\{B29C5AA8-44CA-4AD1-B93D-6A464D8C7322}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f39db03-9030-48f3-82ef-5384bed81d85}\DisplayName = "Microsoft Windows Desktop Runtime - 6.0.21 (x64)" C:\Windows\Temp\{B29C5AA8-44CA-4AD1-B93D-6A464D8C7322}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f39db03-9030-48f3-82ef-5384bed81d85}\Dependents\{0f39db03-9030-48f3-82ef-5384bed81d85} C:\Windows\Temp\{B29C5AA8-44CA-4AD1-B93D-6A464D8C7322}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f39db03-9030-48f3-82ef-5384bed81d85}\Dependents C:\Windows\Temp\{B29C5AA8-44CA-4AD1-B93D-6A464D8C7322}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{0f39db03-9030-48f3-82ef-5384bed81d85} C:\Windows\Temp\{B29C5AA8-44CA-4AD1-B93D-6A464D8C7322}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f39db03-9030-48f3-82ef-5384bed81d85}\ = "{0f39db03-9030-48f3-82ef-5384bed81d85}" C:\Windows\Temp\{B29C5AA8-44CA-4AD1-B93D-6A464D8C7322}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob data omitted] C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob data omitted] C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\System32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\SubDir\System32.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\SubDir\System32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe
PID 2852 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe
PID 2852 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe
PID 2700 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe C:\Windows\system32\SubDir\System32.exe
PID 2700 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe C:\Windows\system32\SubDir\System32.exe
PID 2700 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe C:\Windows\system32\SubDir\System32.exe
PID 2852 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe
PID 2852 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe
PID 2852 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe
PID 2568 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe
PID 2568 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe
PID 2568 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe
PID 2568 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe
PID 2568 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe
PID 2568 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe
PID 2568 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe
PID 2056 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe C:\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe
PID 2056 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe C:\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe
PID 2056 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe C:\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe
PID 2056 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe C:\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe
PID 2056 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe C:\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe
PID 2056 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe C:\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe
PID 2056 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe C:\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe

"C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe"

C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe

"C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe"

C:\Windows\system32\SubDir\System32.exe

"C:\Windows\system32\SubDir\System32.exe"

C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe

"windowsdesktop-runtime-6.0.15-win-x64.exe" /S

C:\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe

"C:\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe" -burn.filehandle.attached=184 -burn.filehandle.self=192 /S

C:\Windows\Temp\{B29C5AA8-44CA-4AD1-B93D-6A464D8C7322}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe

"C:\Windows\Temp\{B29C5AA8-44CA-4AD1-B93D-6A464D8C7322}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe" -q -burn.elevated BurnPipe.{BFD06905-3FC7-41AE-8DDF-8872F31DDB7D} {607D96EA-69A2-43BE-AFEF-AA2E8D611217} 2352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 332

Network

Country Destination Domain Proto
N/A 192.168.10.145:4782 tcp
US 8.8.8.8:53 apiv2.projectnovafn.com udp
US 172.67.142.95:80 apiv2.projectnovafn.com tcp
US 8.8.8.8:53 nova.blksservers.com udp
US 188.114.97.0:443 nova.blksservers.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.169:80 apps.identrust.com tcp
N/A 192.168.10.145:4782 tcp
N/A 192.168.10.145:4782 tcp
N/A 192.168.10.145:4782 tcp
N/A 192.168.10.145:4782 tcp
N/A 192.168.10.145:4782 tcp

Files

memory/2852-0-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

memory/2852-1-0x000000013FB50000-0x0000000143B5C000-memory.dmp

memory/2852-2-0x000000001C0C0000-0x000000001C140000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe

MD5 7404ded83ef64d354248abcd89e798ef
SHA1 56c2b966dba0daf00f52c6d23a2cdb105709c96c
SHA256 57317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff
SHA512 f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26

C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe

MD5 7404ded83ef64d354248abcd89e798ef
SHA1 56c2b966dba0daf00f52c6d23a2cdb105709c96c
SHA256 57317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff
SHA512 f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26

memory/2700-9-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

memory/2700-8-0x0000000000F60000-0x0000000001284000-memory.dmp

memory/2700-10-0x000000001B460000-0x000000001B4E0000-memory.dmp

C:\Windows\System32\SubDir\System32.exe

MD5 7404ded83ef64d354248abcd89e798ef
SHA1 56c2b966dba0daf00f52c6d23a2cdb105709c96c
SHA256 57317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff
SHA512 f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26

C:\Windows\System32\SubDir\System32.exe

MD5 7404ded83ef64d354248abcd89e798ef
SHA1 56c2b966dba0daf00f52c6d23a2cdb105709c96c
SHA256 57317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff
SHA512 f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26

C:\Windows\system32\SubDir\System32.exe

MD5 7404ded83ef64d354248abcd89e798ef
SHA1 56c2b966dba0daf00f52c6d23a2cdb105709c96c
SHA256 57317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff
SHA512 f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26

memory/2580-16-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

memory/2580-17-0x00000000001F0000-0x0000000000514000-memory.dmp

memory/2580-18-0x000000001B470000-0x000000001B4F0000-memory.dmp

memory/2700-19-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

\Users\Admin\AppData\Local\Temp\NovaInstaller.exe

MD5 6196a6ac54713dc0d11c7ebab96bc6d0
SHA1 594c07c73f5844f74dc80b79f9d29ae0c9591f3f
SHA256 74db4ae35512c9a7be17f01544b2a5bd56b3b256edb3f179e76b59951f222175
SHA512 613b185438c693c25e55174eaf2dc5e8d36b57f462c82ab318276219b0bdadb1f145712b9dbb4bd49ad60dfc8e9176428c6cceaac3ff615c13e60e74153724c7

C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe

MD5 6196a6ac54713dc0d11c7ebab96bc6d0
SHA1 594c07c73f5844f74dc80b79f9d29ae0c9591f3f
SHA256 74db4ae35512c9a7be17f01544b2a5bd56b3b256edb3f179e76b59951f222175
SHA512 613b185438c693c25e55174eaf2dc5e8d36b57f462c82ab318276219b0bdadb1f145712b9dbb4bd49ad60dfc8e9176428c6cceaac3ff615c13e60e74153724c7

C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe

MD5 6196a6ac54713dc0d11c7ebab96bc6d0
SHA1 594c07c73f5844f74dc80b79f9d29ae0c9591f3f
SHA256 74db4ae35512c9a7be17f01544b2a5bd56b3b256edb3f179e76b59951f222175
SHA512 613b185438c693c25e55174eaf2dc5e8d36b57f462c82ab318276219b0bdadb1f145712b9dbb4bd49ad60dfc8e9176428c6cceaac3ff615c13e60e74153724c7

memory/2852-28-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

memory/2568-32-0x0000000180000000-0x0000000180A25000-memory.dmp

memory/2568-36-0x000000013FA20000-0x000000014034D000-memory.dmp

memory/2568-35-0x0000000023F90000-0x0000000024F18000-memory.dmp

memory/2568-39-0x0000000023060000-0x0000000023288000-memory.dmp

memory/2568-42-0x0000000023290000-0x00000000233EE000-memory.dmp

memory/2568-45-0x0000000001DD0000-0x0000000001E14000-memory.dmp

memory/2568-48-0x00000000022F0000-0x000000000232E000-memory.dmp

memory/2568-51-0x0000000024F20000-0x0000000025762000-memory.dmp

memory/2568-54-0x0000000022980000-0x00000000229FF000-memory.dmp

memory/2568-57-0x0000000000610000-0x000000000061D000-memory.dmp

memory/2568-60-0x0000000000620000-0x0000000000625000-memory.dmp

memory/2568-63-0x0000000001D90000-0x0000000001DA3000-memory.dmp

memory/2568-66-0x0000000000630000-0x0000000000637000-memory.dmp

memory/2568-69-0x0000000001D70000-0x0000000001D89000-memory.dmp

memory/2568-72-0x0000000001EB0000-0x0000000001EC6000-memory.dmp

memory/2568-78-0x0000000002160000-0x0000000002178000-memory.dmp

memory/2568-81-0x0000000002330000-0x0000000002342000-memory.dmp

memory/2568-75-0x0000000022BD0000-0x0000000022C10000-memory.dmp

\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\PresentationNative_cor3.dll

MD5 c7bcc68b81e965fe74ef58d503c58deb
SHA1 99990f204f7318eeb8de6f9664ebcd0d42ea81b7
SHA256 06cb4da78f5cfddece86329241a2af9d6390ce1082b02f7db2e3bf320215a23e
SHA512 cab2bc27eca0ee097324a2471c8228f1723cfef5df9971359eec7710082c122b26a7aa1d1e6faab75389438a358bbff2973ad67e8dd9046455b4c4ac880d858c

memory/2568-87-0x00000000235F0000-0x00000000236E4000-memory.dmp

memory/2568-90-0x0000000001DC0000-0x0000000001DC8000-memory.dmp

memory/2568-93-0x0000000022B80000-0x0000000022BC7000-memory.dmp

memory/2568-96-0x0000000022C50000-0x0000000022C7A000-memory.dmp

memory/2568-99-0x0000000025F90000-0x00000000267AC000-memory.dmp

\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\wpfgfx_cor3.dll

MD5 1b01746fe61beb761a643050823190b0
SHA1 927b12e4a733bcc51545c6a005838a24b8dc4dda
SHA256 f8c4d6eb1cfa9c5b6fb322a0c818a4f5d5ee44043c259e0262c0460513953fb8
SHA512 83eeb187e554588a5a4efbce0fcb7e9c30e718ec9f6d797a7add28036e3d4506cd3e78386522467d7ac967a60ac509a23edd79a1b9032a7e230d980b9f36080a

\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\D3DCompiler_47_cor3.dll

MD5 2191e768cc2e19009dad20dc999135a3
SHA1 f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA256 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA512 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

memory/2568-152-0x0000000022EB0000-0x0000000022EBA000-memory.dmp

memory/2568-155-0x0000000022EB0000-0x0000000022EBA000-memory.dmp

\Users\Admin\AppData\Local\Temp\NovaInstaller.exe

MD5 6196a6ac54713dc0d11c7ebab96bc6d0
SHA1 594c07c73f5844f74dc80b79f9d29ae0c9591f3f
SHA256 74db4ae35512c9a7be17f01544b2a5bd56b3b256edb3f179e76b59951f222175
SHA512 613b185438c693c25e55174eaf2dc5e8d36b57f462c82ab318276219b0bdadb1f145712b9dbb4bd49ad60dfc8e9176428c6cceaac3ff615c13e60e74153724c7

memory/2580-200-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

memory/2580-201-0x000000001B470000-0x000000001B4F0000-memory.dmp

memory/2568-202-0x000000013FA20000-0x000000014034D000-memory.dmp

memory/2568-203-0x0000000022EB0000-0x0000000022EBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab4472.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar4524.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8607a9247810ad6029d0dca93c2b76aa
SHA1 e56cd3223c14833400c81afeac451d1558cd7249
SHA256 e6953f66a991dcb92d77640475077318dc9da139d4ecc821c1a6bc9f4622af82
SHA512 7ba98b07247d084ebb21ca0641fdfbdb5291e98752d1f5354df951a48e0b70e9abd19b620ad57703eb33987b19a3ec85721a074ff9f83219a0fe8854384fd2ec

C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe

MD5 1a6d60add2d112dd73e83fb46dca474d
SHA1 8b374a54f508cfdb8c8176bfaef96f37edf7170b
SHA256 aa0c922c9c65f11b75747343b4711a0bdc8dc8ac1bd38da7c3ecd01ce28c8545
SHA512 49192c5141bb04dc19483e8b1adec9c6f56fa54ef8c55e2f4fa4aae73abf9119bb7b1dff3d8f9b3307c50de8989669398a5f6d8dc4323b81b6a1def5ee6c6e79

C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe

MD5 1a6d60add2d112dd73e83fb46dca474d
SHA1 8b374a54f508cfdb8c8176bfaef96f37edf7170b
SHA256 aa0c922c9c65f11b75747343b4711a0bdc8dc8ac1bd38da7c3ecd01ce28c8545
SHA512 49192c5141bb04dc19483e8b1adec9c6f56fa54ef8c55e2f4fa4aae73abf9119bb7b1dff3d8f9b3307c50de8989669398a5f6d8dc4323b81b6a1def5ee6c6e79

\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe

MD5 ff67a2a55ed6998ab527273d547fc00f
SHA1 852712b95ca05de8f336f07ff9ac672281b91215
SHA256 71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9
SHA512 48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

C:\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe

MD5 ff67a2a55ed6998ab527273d547fc00f
SHA1 852712b95ca05de8f336f07ff9ac672281b91215
SHA256 71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9
SHA512 48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

C:\ProgramData\Package Cache\{0f39db03-9030-48f3-82ef-5384bed81d85}\windowsdesktop-runtime-6.0.21-win-x64.exe

MD5 ff67a2a55ed6998ab527273d547fc00f
SHA1 852712b95ca05de8f336f07ff9ac672281b91215
SHA256 71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9
SHA512 48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe

MD5 ff67a2a55ed6998ab527273d547fc00f
SHA1 852712b95ca05de8f336f07ff9ac672281b91215
SHA256 71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9
SHA512 48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe

MD5 ff67a2a55ed6998ab527273d547fc00f
SHA1 852712b95ca05de8f336f07ff9ac672281b91215
SHA256 71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9
SHA512 48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe

MD5 ff67a2a55ed6998ab527273d547fc00f
SHA1 852712b95ca05de8f336f07ff9ac672281b91215
SHA256 71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9
SHA512 48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe

MD5 ff67a2a55ed6998ab527273d547fc00f
SHA1 852712b95ca05de8f336f07ff9ac672281b91215
SHA256 71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9
SHA512 48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe

MD5 ff67a2a55ed6998ab527273d547fc00f
SHA1 852712b95ca05de8f336f07ff9ac672281b91215
SHA256 71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9
SHA512 48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-05 02:15

Reported

2023-12-05 02:18

Platform

win10v2004-20231201-en

Max time kernel

142s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\SubDir\System32.exe C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe N/A
File opened for modification C:\Windows\system32\SubDir\System32.exe C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe N/A
File opened for modification C:\Windows\system32\SubDir C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe N/A
File opened for modification C:\Windows\system32\SubDir\System32.exe C:\Windows\system32\SubDir\System32.exe N/A
File opened for modification C:\Windows\system32\SubDir C:\Windows\system32\SubDir\System32.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\System32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\SubDir\System32.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\SubDir\System32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe

"C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe"

C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe

"C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe"

C:\Windows\system32\SubDir\System32.exe

"C:\Windows\system32\SubDir\System32.exe"

C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"

Network

Country Destination Domain Proto
N/A 192.168.10.145:4782 tcp
US 8.8.8.8:53 apiv2.projectnovafn.com udp
N/A 192.168.10.145:4782 tcp
US 8.8.8.8:53 apiv2.projectnovafn.com udp
US 8.8.8.8:53 apiv2.projectnovafn.com udp
N/A 192.168.10.145:4782 tcp
US 8.8.8.8:53 apiv2.projectnovafn.com udp
N/A 192.168.10.145:4782 tcp
US 8.8.8.8:53 apiv2.projectnovafn.com udp
N/A 192.168.10.145:4782 tcp
US 8.8.8.8:53 apiv2.projectnovafn.com udp
N/A 192.168.10.145:4782 tcp
US 8.8.8.8:53 apiv2.projectnovafn.com udp

Files

memory/4640-0-0x00007FFFA7A10000-0x00007FFFA84D1000-memory.dmp

memory/4640-1-0x0000000000070000-0x000000000407C000-memory.dmp

memory/4640-2-0x000000001FE80000-0x000000001FE90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe

MD5 7404ded83ef64d354248abcd89e798ef
SHA1 56c2b966dba0daf00f52c6d23a2cdb105709c96c
SHA256 57317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff
SHA512 f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26

C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe

MD5 7404ded83ef64d354248abcd89e798ef
SHA1 56c2b966dba0daf00f52c6d23a2cdb105709c96c
SHA256 57317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff
SHA512 f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26

C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe

MD5 7404ded83ef64d354248abcd89e798ef
SHA1 56c2b966dba0daf00f52c6d23a2cdb105709c96c
SHA256 57317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff
SHA512 f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26

memory/5112-15-0x00007FFFA7A10000-0x00007FFFA84D1000-memory.dmp

memory/5112-14-0x0000000000810000-0x0000000000B34000-memory.dmp

memory/5112-16-0x000000001B8F0000-0x000000001B900000-memory.dmp

C:\Windows\system32\SubDir\System32.exe

MD5 7404ded83ef64d354248abcd89e798ef
SHA1 56c2b966dba0daf00f52c6d23a2cdb105709c96c
SHA256 57317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff
SHA512 f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26

C:\Windows\System32\SubDir\System32.exe

MD5 7404ded83ef64d354248abcd89e798ef
SHA1 56c2b966dba0daf00f52c6d23a2cdb105709c96c
SHA256 57317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff
SHA512 f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26

memory/3976-23-0x00007FFFA7A10000-0x00007FFFA84D1000-memory.dmp

memory/5112-24-0x00007FFFA7A10000-0x00007FFFA84D1000-memory.dmp

memory/3976-25-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

memory/3976-26-0x000000001BCE0000-0x000000001BD30000-memory.dmp

memory/3976-27-0x000000001BDF0000-0x000000001BEA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe

MD5 6196a6ac54713dc0d11c7ebab96bc6d0
SHA1 594c07c73f5844f74dc80b79f9d29ae0c9591f3f
SHA256 74db4ae35512c9a7be17f01544b2a5bd56b3b256edb3f179e76b59951f222175
SHA512 613b185438c693c25e55174eaf2dc5e8d36b57f462c82ab318276219b0bdadb1f145712b9dbb4bd49ad60dfc8e9176428c6cceaac3ff615c13e60e74153724c7

C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe

MD5 6196a6ac54713dc0d11c7ebab96bc6d0
SHA1 594c07c73f5844f74dc80b79f9d29ae0c9591f3f
SHA256 74db4ae35512c9a7be17f01544b2a5bd56b3b256edb3f179e76b59951f222175
SHA512 613b185438c693c25e55174eaf2dc5e8d36b57f462c82ab318276219b0bdadb1f145712b9dbb4bd49ad60dfc8e9176428c6cceaac3ff615c13e60e74153724c7

C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe

MD5 6196a6ac54713dc0d11c7ebab96bc6d0
SHA1 594c07c73f5844f74dc80b79f9d29ae0c9591f3f
SHA256 74db4ae35512c9a7be17f01544b2a5bd56b3b256edb3f179e76b59951f222175
SHA512 613b185438c693c25e55174eaf2dc5e8d36b57f462c82ab318276219b0bdadb1f145712b9dbb4bd49ad60dfc8e9176428c6cceaac3ff615c13e60e74153724c7

memory/4640-45-0x00007FFFA7A10000-0x00007FFFA84D1000-memory.dmp

memory/1996-46-0x0000000180000000-0x0000000180A25000-memory.dmp

memory/1996-50-0x00007FF7F96C0000-0x00007FF7F9FED000-memory.dmp

memory/1996-49-0x0000029F6FDD0000-0x0000029F70D58000-memory.dmp

memory/1996-53-0x0000029F6F080000-0x0000029F6F2A8000-memory.dmp

memory/1996-56-0x0000029F6F2B0000-0x0000029F6F40E000-memory.dmp

memory/1996-59-0x0000029F4E7D0000-0x0000029F4E814000-memory.dmp

memory/1996-62-0x0000029F4E820000-0x0000029F4E85E000-memory.dmp

memory/1996-65-0x0000029F70D60000-0x0000029F715A2000-memory.dmp

memory/1996-68-0x0000029F6EED0000-0x0000029F6EF4F000-memory.dmp

memory/1996-71-0x0000029F4CED0000-0x0000029F4CEDD000-memory.dmp

memory/1996-74-0x0000029F4CEE0000-0x0000029F4CEE5000-memory.dmp

memory/1996-83-0x0000029F6EE70000-0x0000029F6EE89000-memory.dmp

memory/1996-80-0x0000029F4CEF0000-0x0000029F4CEF7000-memory.dmp

memory/1996-86-0x0000029F6EE90000-0x0000029F6EEA6000-memory.dmp

memory/1996-77-0x0000029F4E860000-0x0000029F4E873000-memory.dmp

memory/1996-95-0x0000029F6EF50000-0x0000029F6EF62000-memory.dmp

memory/1996-92-0x0000029F6EEB0000-0x0000029F6EEC8000-memory.dmp

memory/1996-101-0x0000029F6F510000-0x0000029F6F604000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\PresentationNative_cor3.dll

MD5 c7bcc68b81e965fe74ef58d503c58deb
SHA1 99990f204f7318eeb8de6f9664ebcd0d42ea81b7
SHA256 06cb4da78f5cfddece86329241a2af9d6390ce1082b02f7db2e3bf320215a23e
SHA512 cab2bc27eca0ee097324a2471c8228f1723cfef5df9971359eec7710082c122b26a7aa1d1e6faab75389438a358bbff2973ad67e8dd9046455b4c4ac880d858c

memory/1996-89-0x0000029F6EFA0000-0x0000029F6EFE0000-memory.dmp

memory/1996-107-0x0000029F6F410000-0x0000029F6F457000-memory.dmp

memory/1996-104-0x0000029F6EE60000-0x0000029F6EE68000-memory.dmp

memory/1996-110-0x0000029F6EF70000-0x0000029F6EF9A000-memory.dmp

memory/1996-113-0x0000029F737E0000-0x0000029F73FFC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\wpfgfx_cor3.dll

MD5 1b01746fe61beb761a643050823190b0
SHA1 927b12e4a733bcc51545c6a005838a24b8dc4dda
SHA256 f8c4d6eb1cfa9c5b6fb322a0c818a4f5d5ee44043c259e0262c0460513953fb8
SHA512 83eeb187e554588a5a4efbce0fcb7e9c30e718ec9f6d797a7add28036e3d4506cd3e78386522467d7ac967a60ac509a23edd79a1b9032a7e230d980b9f36080a

C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\D3DCompiler_47_cor3.dll

MD5 2191e768cc2e19009dad20dc999135a3
SHA1 f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA256 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA512 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

memory/3976-220-0x00007FFFA7A10000-0x00007FFFA84D1000-memory.dmp

memory/3976-221-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

memory/1996-222-0x00007FF7F96C0000-0x00007FF7F9FED000-memory.dmp