quasar | ddea59e0fb05fcb26243ecca3be6f8e3bac329ef32b774a66420439d609c3e52

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chaos_V3_2/Chaos_V3 (2)/Chaos V3/Chaos Launcher V3.exe
Size

37.8MB
MD5

719fd2b752f99f9ad1da3e2f439ec717
SHA1

900a578b55324712b3fc2edc8b44c6f336932849
SHA256

a12504ad741383782b4e0ef4cc808903195484080f5770966aceb1d117b09697
SHA512

b1822f059810e50a072fcd871e81b2c5d83eaf343f7322384ad34013bed3f4d6a98ed6d37c1840dfc03a925eb334981911b86de534903a941346fcac3b820601
SSDEEP

786432:SulzfQX0ZlAime/FtbB9lNdnl8/A539IyPA:bQXknme/FhB9PtgA539IyPA

Score

10^/10

quasar office04 persistence pyinstaller spyware stealer trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.0.78:4782

Mutex

4616ad00-4709-44bd-a2b4-9a61d621574d

Attributes

encryption_key
DDE23047BCC4F649ACA444E89F2DBB5D52A3004D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral4/files/0x00070000000234a6-184.dat	family_quasar
behavioral4/memory/4216-310-0x0000000000F40000-0x0000000001264000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	Chaos Launcher V3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	Chaos Launcher V3.exe

Executes dropped EXE 7 IoCs

pid	Process
1316	Chaos Launcher V3.exe
1480	Loader.exe
836	Loader.exe
1760	main.exe
4216	ChaosUPD.exe
1428	main.exe
4404	Client.exe

Loads dropped DLL 64 IoCs

pid	Process
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
1428	main.exe
1428	main.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
1428	main.exe
1428	main.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/836-138-0x00007FFE26E30000-0x00007FFE2729E000-memory.dmp	upx
behavioral4/files/0x0007000000023465-145.dat	upx
behavioral4/memory/836-151-0x00007FFE2C490000-0x00007FFE2C4B4000-memory.dmp	upx
behavioral4/memory/836-182-0x00007FFE2C470000-0x00007FFE2C489000-memory.dmp	upx
behavioral4/memory/836-261-0x00007FFE29950000-0x00007FFE29984000-memory.dmp	upx
behavioral4/memory/836-243-0x00007FFE2C420000-0x00007FFE2C44D000-memory.dmp	upx
behavioral4/memory/836-278-0x00007FFE39A00000-0x00007FFE39A0D000-memory.dmp	upx
behavioral4/files/0x000700000002346a-306.dat	upx
behavioral4/memory/836-335-0x00007FFE2C450000-0x00007FFE2C469000-memory.dmp	upx
behavioral4/files/0x0007000000023466-347.dat	upx
behavioral4/memory/836-349-0x00007FFE298D0000-0x00007FFE298EF000-memory.dmp	upx
behavioral4/files/0x00070000000234d9-353.dat	upx
behavioral4/files/0x0007000000023454-352.dat	upx
behavioral4/memory/836-358-0x00007FFE29730000-0x00007FFE2974C000-memory.dmp	upx
behavioral4/memory/836-359-0x00007FFE29440000-0x00007FFE2946E000-memory.dmp	upx
behavioral4/memory/836-362-0x00007FFE25010000-0x00007FFE25385000-memory.dmp	upx
behavioral4/memory/836-363-0x00007FFE24F50000-0x00007FFE25008000-memory.dmp	upx
behavioral4/memory/1428-364-0x00007FFE293F0000-0x00007FFE29414000-memory.dmp	upx
behavioral4/memory/1428-365-0x00007FFE36830000-0x00007FFE3683F000-memory.dmp	upx
behavioral4/memory/1428-366-0x00007FFE293D0000-0x00007FFE293E9000-memory.dmp	upx
behavioral4/memory/836-370-0x00007FFE24D70000-0x00007FFE24E88000-memory.dmp	upx
behavioral4/memory/1428-372-0x00007FFE24EC0000-0x00007FFE24ED9000-memory.dmp	upx
behavioral4/memory/1428-374-0x00007FFE33EA0000-0x00007FFE33EAD000-memory.dmp	upx
behavioral4/memory/1428-375-0x00007FFE24D40000-0x00007FFE24D6E000-memory.dmp	upx
behavioral4/memory/1428-376-0x00007FFE24C80000-0x00007FFE24D3C000-memory.dmp	upx
behavioral4/memory/836-378-0x00007FFE2C410000-0x00007FFE2C41B000-memory.dmp	upx
behavioral4/memory/836-379-0x00007FFE24C30000-0x00007FFE24C3B000-memory.dmp	upx
behavioral4/memory/836-381-0x00007FFE24C10000-0x00007FFE24C1B000-memory.dmp	upx
behavioral4/memory/836-382-0x00007FFE24C00000-0x00007FFE24C0C000-memory.dmp	upx
behavioral4/memory/836-384-0x00007FFE24BE0000-0x00007FFE24BEC000-memory.dmp	upx
behavioral4/memory/836-385-0x00007FFE24BD0000-0x00007FFE24BDC000-memory.dmp	upx
behavioral4/memory/836-387-0x00007FFE24BB0000-0x00007FFE24BBC000-memory.dmp	upx
behavioral4/memory/836-388-0x00007FFE24BA0000-0x00007FFE24BAB000-memory.dmp	upx
behavioral4/memory/836-389-0x00007FFE24B90000-0x00007FFE24B9B000-memory.dmp	upx
behavioral4/memory/836-391-0x00007FFE24B70000-0x00007FFE24B7C000-memory.dmp	upx
behavioral4/memory/836-392-0x00007FFE24B60000-0x00007FFE24B6D000-memory.dmp	upx
behavioral4/memory/836-393-0x00007FFE24B40000-0x00007FFE24B52000-memory.dmp	upx
behavioral4/memory/836-394-0x00007FFE244E0000-0x00007FFE244EC000-memory.dmp	upx
behavioral4/memory/836-396-0x00007FFE24270000-0x00007FFE2427A000-memory.dmp	upx
behavioral4/memory/836-397-0x00007FFE24240000-0x00007FFE24269000-memory.dmp	upx
behavioral4/memory/1428-398-0x00007FFE24210000-0x00007FFE2423B000-memory.dmp	upx
behavioral4/memory/836-395-0x00007FFE24280000-0x00007FFE244D2000-memory.dmp	upx
behavioral4/memory/4216-400-0x000000001BE50000-0x000000001BE60000-memory.dmp	upx
behavioral4/memory/836-401-0x00007FFE29420000-0x00007FFE29434000-memory.dmp	upx
behavioral4/memory/836-402-0x00007FFE36350000-0x00007FFE3635B000-memory.dmp	upx
behavioral4/memory/1428-399-0x00007FFE26580000-0x00007FFE269EE000-memory.dmp	upx
behavioral4/memory/836-390-0x00007FFE24B80000-0x00007FFE24B8C000-memory.dmp	upx
behavioral4/memory/836-386-0x00007FFE24BC0000-0x00007FFE24BCE000-memory.dmp	upx
behavioral4/memory/836-383-0x00007FFE24BF0000-0x00007FFE24BFB000-memory.dmp	upx
behavioral4/memory/836-380-0x00007FFE24C20000-0x00007FFE24C2C000-memory.dmp	upx
behavioral4/memory/836-377-0x00007FFE24C40000-0x00007FFE24C78000-memory.dmp	upx
behavioral4/memory/1428-373-0x00007FFE35EC0000-0x00007FFE35ECD000-memory.dmp	upx
behavioral4/memory/836-369-0x00007FFE24E90000-0x00007FFE24EB6000-memory.dmp	upx
behavioral4/memory/1428-368-0x00007FFE24EE0000-0x00007FFE24F14000-memory.dmp	upx
behavioral4/memory/1428-367-0x00007FFE24F20000-0x00007FFE24F4D000-memory.dmp	upx
behavioral4/files/0x0007000000023464-345.dat	upx
behavioral4/files/0x000700000002345a-343.dat	upx
behavioral4/memory/836-348-0x00007FFE298F0000-0x00007FFE2991B000-memory.dmp	upx
behavioral4/files/0x0007000000023500-339.dat	upx
behavioral4/memory/836-338-0x00007FFE29920000-0x00007FFE2994E000-memory.dmp	upx
behavioral4/memory/836-311-0x00007FFE26BF0000-0x00007FFE26D61000-memory.dmp	upx
behavioral4/memory/836-307-0x00007FFE26D70000-0x00007FFE26E2C000-memory.dmp	upx
behavioral4/files/0x0007000000023471-276.dat	upx
behavioral4/files/0x0007000000023459-265.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
40	discord.com
43	raw.githubusercontent.com
44	raw.githubusercontent.com
85	discord.com
38	discord.com

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ip-api.com
69	ipapi.co
72	ipapi.co
80	ipapi.co
25	api.ipify.org
26	api.ipify.org
28	ipapi.co
30	ipapi.co

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral4/files/0x0008000000023379-20.dat	pyinstaller
behavioral4/files/0x0007000000023468-110.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4112	schtasks.exe
3396	schtasks.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2380	reg.exe
1020	reg.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
836	Loader.exe
836	Loader.exe
836	Loader.exe
836	Loader.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
4216	powershell.exe
4216	powershell.exe
4216	powershell.exe
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	836	Loader.exe
Token: SeDebugPrivilege	4216	ChaosUPD.exe
Token: SeDebugPrivilege	1316	Chaos Launcher V3.exe
Token: SeDebugPrivilege	1428	main.exe
Token: SeDebugPrivilege	4404	Client.exe
Token: SeIncreaseQuotaPrivilege	2176	WMIC.exe
Token: SeSecurityPrivilege	2176	WMIC.exe
Token: SeTakeOwnershipPrivilege	2176	WMIC.exe
Token: SeLoadDriverPrivilege	2176	WMIC.exe
Token: SeSystemProfilePrivilege	2176	WMIC.exe
Token: SeSystemtimePrivilege	2176	WMIC.exe
Token: SeProfSingleProcessPrivilege	2176	WMIC.exe
Token: SeIncBasePriorityPrivilege	2176	WMIC.exe
Token: SeCreatePagefilePrivilege	2176	WMIC.exe
Token: SeBackupPrivilege	2176	WMIC.exe
Token: SeRestorePrivilege	2176	WMIC.exe
Token: SeShutdownPrivilege	2176	WMIC.exe
Token: SeDebugPrivilege	2176	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2176	WMIC.exe
Token: SeRemoteShutdownPrivilege	2176	WMIC.exe
Token: SeUndockPrivilege	2176	WMIC.exe
Token: SeManageVolumePrivilege	2176	WMIC.exe
Token: 33	2176	WMIC.exe
Token: 34	2176	WMIC.exe
Token: 35	2176	WMIC.exe
Token: 36	2176	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2176	WMIC.exe
Token: SeSecurityPrivilege	2176	WMIC.exe
Token: SeTakeOwnershipPrivilege	2176	WMIC.exe
Token: SeLoadDriverPrivilege	2176	WMIC.exe
Token: SeSystemProfilePrivilege	2176	WMIC.exe
Token: SeSystemtimePrivilege	2176	WMIC.exe
Token: SeProfSingleProcessPrivilege	2176	WMIC.exe
Token: SeIncBasePriorityPrivilege	2176	WMIC.exe
Token: SeCreatePagefilePrivilege	2176	WMIC.exe
Token: SeBackupPrivilege	2176	WMIC.exe
Token: SeRestorePrivilege	2176	WMIC.exe
Token: SeShutdownPrivilege	2176	WMIC.exe
Token: SeDebugPrivilege	2176	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2176	WMIC.exe
Token: SeRemoteShutdownPrivilege	2176	WMIC.exe
Token: SeUndockPrivilege	2176	WMIC.exe
Token: SeManageVolumePrivilege	2176	WMIC.exe
Token: 33	2176	WMIC.exe
Token: 34	2176	WMIC.exe
Token: 35	2176	WMIC.exe
Token: 36	2176	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5048	WMIC.exe
Token: SeSecurityPrivilege	5048	WMIC.exe
Token: SeTakeOwnershipPrivilege	5048	WMIC.exe
Token: SeLoadDriverPrivilege	5048	WMIC.exe
Token: SeSystemProfilePrivilege	5048	WMIC.exe
Token: SeSystemtimePrivilege	5048	WMIC.exe
Token: SeProfSingleProcessPrivilege	5048	WMIC.exe
Token: SeIncBasePriorityPrivilege	5048	WMIC.exe
Token: SeCreatePagefilePrivilege	5048	WMIC.exe
Token: SeBackupPrivilege	5048	WMIC.exe
Token: SeRestorePrivilege	5048	WMIC.exe
Token: SeShutdownPrivilege	5048	WMIC.exe
Token: SeDebugPrivilege	5048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5048	WMIC.exe
Token: SeRemoteShutdownPrivilege	5048	WMIC.exe
Token: SeUndockPrivilege	5048	WMIC.exe
Token: SeManageVolumePrivilege	5048	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4404	Client.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4404	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4404	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1316	1048	Chaos Launcher V3.exe	90
PID 1048 wrote to memory of 1316	1048	Chaos Launcher V3.exe	90
PID 1048 wrote to memory of 1480	1048	Chaos Launcher V3.exe	91
PID 1048 wrote to memory of 1480	1048	Chaos Launcher V3.exe	91
PID 1480 wrote to memory of 836	1480	Loader.exe	93
PID 1480 wrote to memory of 836	1480	Loader.exe	93
PID 1048 wrote to memory of 1760	1048	Chaos Launcher V3.exe	92
PID 1048 wrote to memory of 1760	1048	Chaos Launcher V3.exe	92
PID 1048 wrote to memory of 4216	1048	Chaos Launcher V3.exe	114
PID 1048 wrote to memory of 4216	1048	Chaos Launcher V3.exe	114
PID 1760 wrote to memory of 1428	1760	main.exe	95
PID 1760 wrote to memory of 1428	1760	main.exe	95
PID 1428 wrote to memory of 2008	1428	main.exe	96
PID 1428 wrote to memory of 2008	1428	main.exe	96
PID 836 wrote to memory of 1280	836	Loader.exe	98
PID 836 wrote to memory of 1280	836	Loader.exe	98
PID 4216 wrote to memory of 4112	4216	ChaosUPD.exe	100
PID 4216 wrote to memory of 4112	4216	ChaosUPD.exe	100
PID 4216 wrote to memory of 4404	4216	ChaosUPD.exe	106
PID 4216 wrote to memory of 4404	4216	ChaosUPD.exe	106
PID 1280 wrote to memory of 2176	1280	cmd.exe	107
PID 1280 wrote to memory of 2176	1280	cmd.exe	107
PID 4404 wrote to memory of 3396	4404	Client.exe	108
PID 4404 wrote to memory of 3396	4404	Client.exe	108
PID 1428 wrote to memory of 2100	1428	main.exe	111
PID 1428 wrote to memory of 2100	1428	main.exe	111
PID 2100 wrote to memory of 5048	2100	cmd.exe	113
PID 2100 wrote to memory of 5048	2100	cmd.exe	113
PID 1316 wrote to memory of 4216	1316	Chaos Launcher V3.exe	114
PID 1316 wrote to memory of 4216	1316	Chaos Launcher V3.exe	114
PID 1316 wrote to memory of 2716	1316	Chaos Launcher V3.exe	116
PID 1316 wrote to memory of 2716	1316	Chaos Launcher V3.exe	116
PID 1428 wrote to memory of 3132	1428	main.exe	119
PID 1428 wrote to memory of 3132	1428	main.exe	119
PID 3132 wrote to memory of 2380	3132	cmd.exe	121
PID 3132 wrote to memory of 2380	3132	cmd.exe	121
PID 1428 wrote to memory of 2468	1428	main.exe	122
PID 1428 wrote to memory of 2468	1428	main.exe	122
PID 2468 wrote to memory of 1020	2468	cmd.exe	124
PID 2468 wrote to memory of 1020	2468	cmd.exe	124
PID 1428 wrote to memory of 4532	1428	main.exe	125
PID 1428 wrote to memory of 4532	1428	main.exe	125
PID 4532 wrote to memory of 2824	4532	cmd.exe	127
PID 4532 wrote to memory of 2824	4532	cmd.exe	127
PID 1428 wrote to memory of 3248	1428	main.exe	129
PID 1428 wrote to memory of 3248	1428	main.exe	129
PID 3248 wrote to memory of 4108	3248	cmd.exe	131
PID 3248 wrote to memory of 4108	3248	cmd.exe	131
PID 1428 wrote to memory of 3476	1428	main.exe	132
PID 1428 wrote to memory of 3476	1428	main.exe	132
PID 3476 wrote to memory of 4892	3476	cmd.exe	134
PID 3476 wrote to memory of 4892	3476	cmd.exe	134
PID 1428 wrote to memory of 4524	1428	main.exe	135
PID 1428 wrote to memory of 4524	1428	main.exe	135
PID 4524 wrote to memory of 4944	4524	cmd.exe	137
PID 4524 wrote to memory of 4944	4524	cmd.exe	137
PID 1428 wrote to memory of 4672	1428	main.exe	139
PID 1428 wrote to memory of 4672	1428	main.exe	139
PID 4672 wrote to memory of 3528	4672	cmd.exe	141
PID 4672 wrote to memory of 3528	4672	cmd.exe	141
PID 1428 wrote to memory of 3252	1428	main.exe	142
PID 1428 wrote to memory of 3252	1428	main.exe	142
PID 3252 wrote to memory of 2836	3252	cmd.exe	144
PID 3252 wrote to memory of 2836	3252	cmd.exe	144

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Chaos_V3_2\Chaos_V3 (2)\Chaos V3\Chaos Launcher V3.exe
"C:\Users\Admin\AppData\Local\Temp\Chaos_V3_2\Chaos_V3 (2)\Chaos V3\Chaos Launcher V3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\Chaos Launcher V3.exe
  "C:\Users\Admin\AppData\Local\Temp\Chaos Launcher V3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Chaos Launcher V3.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chaos Launcher V3.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2716
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1280
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:2008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3132
    - - C:\Windows\system32\reg.exe
        
        reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
        5⤵
        Modifies registry key
        
        PID:2380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:2824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3248
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:4108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3476
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:4892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4524
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4672
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:3528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3252
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:2836
- C:\Users\Admin\AppData\Local\Temp\ChaosUPD.exe
  "C:\Users\Admin\AppData\Local\Temp\ChaosUPD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4112
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Chaos Launcher V3.exe

Filesize
265KB

MD5
5cc694e159b34a66c68512e333772427

SHA1
56a1167290c880b7c581e4ffe904865d443dd6b3

SHA256
1eaa491f5252f5e36c3e6f4955e42ce738f2ac11ab476efb4b9cbbf62982740e

SHA512
efe956122aa35c481422c3b0d33afa3ca5e6faecb5aa7e771320070d43c07fed141038754ca025ed703c066f8a5782330b82b263bca2afaa0f549c444a1ab87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChaosUPD.exe

Filesize
3.1MB

MD5
cf19f3097c3605dcb9fe14283b318622

SHA1
2300f90815b44685ea480622cdce31b82c0d429e

SHA256
b7438077689006b12262914245e04bc67e7c4cbacda3aa99f100a894d33fd43a

SHA512
12a9c62e0bf5ebeaa1f104979cf1a3477b4e0b455ff2cf413cdc43589f91c3bcccc1a3b54cd7cf463ff9aff481a870425c7b2e3738be27187a7cb71b38f0ef69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chaos_V3_2\Chaos_V3 (2)\Chaos V3\downloads_db

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chaos_V3_2\Chaos_V3 (2)\Chaos V3\downloads_db

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
16.1MB

MD5
137c2a6610b55f77004ff0bb52bb12e2

SHA1
202e8bce20e5b2b0341f5cc2c8767881717b7022

SHA256
0cb19bda3eafb8edae3d7902e8af0bf2a7896c225669c338565423f63558d841

SHA512
75fa9eb00ba2f8d49c606e9d508c0ec5e6d372edc31d56736a0a60e24454643e16709f0da915f066aaf42ea6d78163ff923ff5449d3e7549f44b7cf8dc1a83df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\VCRUNTIME140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\_bz2.pyd

Filesize
46KB

MD5
13f9af35bc2ca51e1a0d9f912280832b

SHA1
3b94ed1baa8c1dd1cc9ba73800127367f28177e6

SHA256
5cfa3e2d465614a5f7bdbfe8bbbae012d075bbe83d9561da3f93f4c19f9b94b3

SHA512
0234136e9944963d672bb45abb76540a3ca82dcbc16d6f6185195316f2280253f02173840ccee8db7601f08b08c753b4d46a206e5d2ffbaa40b62e7599e1c3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\_ctypes.pyd

Filesize
56KB

MD5
34bc30cb64fb692589e6df7cf62f14af

SHA1
e42884b73090ee37ead7743f161491f04500cdb7

SHA256
5d5c80b2e8a1cf081aa41c35c48f73df384cf526f358e91f80ba2ad48b6e52f7

SHA512
69a6bb5689f33bfa13e5ef9532632a82cd26983d73e2d9ad920588840d7636c86f224553d3cc988e7500bbee9d67d15deb3382af03675e97043cd59707924c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\_hashlib.pyd

Filesize
33KB

MD5
47552c83d1890ff91037eecd02b730a2

SHA1
e9ab5c304f0a2817eba6fdc758722600615c30be

SHA256
c3024b95f7f1757d9496c8171eaca5f8b9bb8c7cd7f6077077b5aaa1302b0ca4

SHA512
d9d42b253fddca0eff99ff47ef5ff05a8ef53966c79e040ebe22757b31d478f71709460a36c8dbde67a43bd992983d3e4ae7775e9d687295763ffd283d0746d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\_lzma.pyd

Filesize
84KB

MD5
73eb1d56265f92ceef7948c5b74a11c1

SHA1
a1d60de9930fd9ed9be920c4d650d42fe07ebc22

SHA256
ee390c28c14e0c33a5601f12eb5d04bdff0ecfb334ce402f4380b8e0ebf7d4de

SHA512
ebc9bc622ad7ef27b16b85db2be7b1f68f2b5de9de5eb2684b5fb3a02e9e851a939f63459cc2eb911263e799ff2c4a918ae98141f61132eb3d110828741f833f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\_queue.pyd

Filesize
24KB

MD5
d301ac14f79443990a227ec0aee1788c

SHA1
e6ba16b0ec6ac2ed63e3c2424bf92d4fe66405f9

SHA256
890d3522062a81f970a2c91acea9c68b91c9d77013afc34d5a950269b9e994b6

SHA512
2c2a3dda038309590965a6a2cb1ff86b6ba8a2fe9e97511c1e2a2cc63fda96ac7782b5eedfcf61479838249a064482b11657c0f4a6c3ed1f6338ebe0e0171ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\_socket.pyd

Filesize
41KB

MD5
26a6147d9ffd545fd80c9ed664d66d06

SHA1
b17b5ec05c012210adb7f0408273d0a40ae4f755

SHA256
35f18dd2452642cefb6f883afc74d560e22aa71bdb6b26e63b076d7ea4246d38

SHA512
447c72662de5fcffa07da8682e4d08f8ced791bfba9a742529766527e5d41ccfef5fa694c8a88bb8798c53c9fc48c33f57dd6c74b5dc49e8f8b15832593e155c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\_sqlite3.pyd

Filesize
48KB

MD5
c528dc5f5e7d87c63f09f31d8e2e8b7a

SHA1
6d09a5c9266876d8e466059fa3c0ef6f71f59a74

SHA256
2ea4fe9500ee3669ac29a7451ee775b3bc7e2104fe9e840af563499e23867a46

SHA512
358fb50590b958dca4138b12f31f5b053b5c2a251958b68662390ddd761f02185b283f23801a2cc0a15f12dc0f7ec9a4213228af27e9988889ccb7d3727b9c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\_ssl.pyd

Filesize
60KB

MD5
d3b40bb8131722d77dab6fd9bd135fca

SHA1
170143f91ebf1f1a41da05725f3d659d070e969e

SHA256
e33e96ee3e4135b92cbdb987337d3cf8e438f1cca96c87dec682b586b6807ce9

SHA512
b48730d8dd5c0dd43b300b3fc997b6a083d9d4c45816bbcf15428cd2ee8664b49bbfd9e645d9e27d707b243bfe061d12822accbe466822ba723fc23c13e41f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\base_library.zip

Filesize
812KB

MD5
524a85217dc9edc8c9efc73159ca955d

SHA1
a4238cbde50443262d00a843ffe814435fb0f4e2

SHA256
808549964adb09afafb410cdc030df4813c5c2a7276a94e7f116103af5de7621

SHA512
f5a929b35a63f073bdc7600155ba2f0f262e6f60cf67efb38fa44e8b3be085cf1d5741d66d25a1ecaaf3f94abfe9bbe97d135f8a47c11f2b811d2aac6876f46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\libcrypto-1_1.dll

Filesize
1.1MB

MD5
c702b01b9d16f58ad711bf53c0c73203

SHA1
dc6bb8e20c3e243cc342bbbd6605d3ae2ae8ae5b

SHA256
49363cba6a25b49a29c6add58258e9feb1c9531460f2716d463ab364d15120e1

SHA512
603d710eb21e2844739edcc9b6d2b0d7193cdbc9b9efe87c748c17fdc88fa66bc3fdae2dca83a42a17d91c4fdf571f93f5cc7cd15004f7cb0695d0130813aa7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\libffi-7.dll

Filesize
23KB

MD5
ce7d4f152de90a24b0069e3c95fa2b58

SHA1
98e921d9dd396b86ae785d9f8d66f1dc612111c2

SHA256
85ac46f9d1fd15ab12f961e51ba281bff8c0141fa122bfa21a66e13dd4f943e7

SHA512
7b0a1bd9fb5666fe5388cabcef11e2e4038bbdb62bdca46f6e618555c90eb2e466cb5becd7773f1136ee929f10f74c35357b65b038f51967de5c2b62f7045b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\libssl-1_1.dll

Filesize
203KB

MD5
eed3b4ac7fca65d8681cf703c71ea8de

SHA1
d50358d55cd49623bf4267dbee154b0cdb796931

SHA256
45c7be6f6958db81d9c0dacf2b63a2c4345d178a367cd33bbbb8f72ac765e73f

SHA512
df85605bc9f535bd736cafc7be236895f0a3a99cf1b45c1f2961c855d161bcb530961073d0360a5e9f1e72f7f6a632ce58760b0a4111c74408e3fcc7bfa41edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\psutil\_psutil_windows.pyd

Filesize
34KB

MD5
7454e05b8b7b276bacbca3577f36a866

SHA1
3157ce432e7c2052fef149e5d6f94646814d8b02

SHA256
c4cccc0793f5b294752b8820b627c7d22b5bb9dfa82a1a5de9ada38a7596d059

SHA512
346a91d29a6e0b02c61aab4c43486091d9638126fb7f074c1c26457524fe7cb784efc6a5883822f07c20d006c93ceca24f4613b02e23a889cfd5565e66889810

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\pyexpat.pyd

Filesize
86KB

MD5
bca9783990260b2bc48475fb919c036b

SHA1
5e1d9c5250724906bfe92821544ddafcd11cdbd8

SHA256
6266dc31c5774e2ea835092cf3f5f80c06afb423cc18ef372c7cfec1596bda55

SHA512
5bb3c5fa7e4f8ff5fde2511dde40b45a7ce8dff38ad8a02e541bd2ac2e712f65635b0ce44643cc5d4c316874af47759da31c25dead5282ae3f370f3f57a498c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\python310.dll

Filesize
1.4MB

MD5
bbcb74867bd3f8a691b1f0a394336908

SHA1
aea4b231b9f09bedcd5ce02e1962911edd4b35ad

SHA256
800b5e9a08c3a0f95a2c6f4a3355df8bbbc416e716f95bd6d42b6f0d6fb92f41

SHA512
00745ddd468504b3652bdda757d42ebe756e419d6432ceb029ed3ccde3b99c8ae21b4fc004938bb0babaa169768db385374b29ac121608c5630047e55c40f481

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\pythoncom310.dll

Filesize
193KB

MD5
63c2e16fcd14f54b8c6165fef49d74e0

SHA1
3d00e9e6f2224c5808b5c2108234657d3bb42272

SHA256
a436ef349278d1efb223e86a4aee5332185363c0ac33468247a5dd8e6a4a61f1

SHA512
fdff546eb940a2c2bec00332d48aee8be06bcda11aee596d65d387462b8c3759ec174fdb5b11aaa18979ca59b7ac4f4aa98dff418b3e52629c92683c11e29b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\pywintypes310.dll

Filesize
62KB

MD5
51a19a965e387d0ceb64708a47149c9d

SHA1
f047a81b69c42f269f923c5f741a44613cbcb1d5

SHA256
b00a1a46c425ca266ea0080e5216bf00862dd3064e8c5ebd5fd3b6845b62f363

SHA512
5feab90c7f5c7156a7bf2bc41888d18cdf34c303d24402ae2e4c0a067c7fca1ff6d277df6b7533a3fd8bf158548badd34e99bdb948e129c5d3f7bacfb712300b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\select.pyd

Filesize
24KB

MD5
a3837dc2e2a80fd286c2b07f839738a2

SHA1
b80a20896de81beab905439013adb9e9421f1d2f

SHA256
eee7c64ef7de30dbda1d826bb3b1c3282602d9ef86e5e999a0cd6551287f29d8

SHA512
b14922e30b138401d7b301365644174c3a4b32872fc5688b22ffe759fdfd906f2fa91029f8f6ea235428f07519875aaeb2c4cdb786ca676d4f3ee9d81cddc96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\sqlite3.dll

Filesize
608KB

MD5
b23329381855b6520ff86cf42838f84e

SHA1
79667fd09bc8b3a1a13658fbb5b6237725426d08

SHA256
2a1d451b5c7003200e3314bd195b48d1093c7583a667a25b1b6473c6d50efa74

SHA512
35f2fb242b5381ebc2267301a6efbc3331dfb0d479d61275386c73195344377f784534cc330d6b5d9456fc8d398161ae0b21506a8a311608220efaf4d5707fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14802\win32api.pyd

Filesize
48KB

MD5
29532841da8544665cb1ad1a127e4296

SHA1
b8852f095cbd0029480dfdfc04702cd6dd409001

SHA256
f611b06669774e42bda967a11d4ec2990c327492d5bc0f8afb555c8501214c77

SHA512
2b4059b38fe5314798e7b7de6065f6f5f9746bc59937e8c8842d293588c6cabb8979736d7b4693753301997a4b283020c7dc5bec0d8a70627b92510e3d1ddd6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\_ctypes.pyd

Filesize
56KB

MD5
6ca9a99c75a0b7b6a22681aa8e5ad77b

SHA1
dd1118b7d77be6bb33b81da65f6b5dc153a4b1e8

SHA256
d39390552c55d8fd4940864905cd4437bc3f8efe7ff3ca220543b2c0efab04f8

SHA512
b0b5f2979747d2f6796d415dd300848f32b4e79ede59827ac447af0f4ea8709b60d6935d09e579299b3bc54b6c0f10972f17f6c0d1759c5388ad5b14689a23fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\attrs-23.1.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\base_library.zip

Filesize
812KB

MD5
fbd6be906ac7cd45f1d98f5cb05f8275

SHA1
5d563877a549f493da805b4d049641604a6a0408

SHA256
ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0

SHA512
1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\python3.dll

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5co5n3aq.vvl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
20.7MB

MD5
c6d3097d7f4377fdb93ed93e8453bb5c

SHA1
da30212e78d079ded3d68711ef8e1367958406c1

SHA256
ef5a50b9159ab00cee86e16962495beaf7f0c60f5464e8b7786abc5edeec3b2e

SHA512
903dc8441e1373862a24a7f55ceeb2b7d1ea71b098fff07e2b51218dbabae743cc71f1865fccdac49668ac913e384196476b4c294b8d267b33fd05f98caad604

Download Submit
memory/836-358-0x00007FFE29730000-0x00007FFE2974C000-memory.dmp

Filesize
112KB

Download
memory/836-243-0x00007FFE2C420000-0x00007FFE2C44D000-memory.dmp

Filesize
180KB

Download
memory/836-439-0x00007FFE29440000-0x00007FFE2946E000-memory.dmp

Filesize
184KB

Download
memory/836-427-0x00007FFE2C470000-0x00007FFE2C489000-memory.dmp

Filesize
100KB

Download
memory/836-424-0x00007FFE26E30000-0x00007FFE2729E000-memory.dmp

Filesize
4.4MB

Download
memory/836-378-0x00007FFE2C410000-0x00007FFE2C41B000-memory.dmp

Filesize
44KB

Download
memory/836-379-0x00007FFE24C30000-0x00007FFE24C3B000-memory.dmp

Filesize
44KB

Download
memory/836-381-0x00007FFE24C10000-0x00007FFE24C1B000-memory.dmp

Filesize
44KB

Download
memory/836-382-0x00007FFE24C00000-0x00007FFE24C0C000-memory.dmp

Filesize
48KB

Download
memory/836-384-0x00007FFE24BE0000-0x00007FFE24BEC000-memory.dmp

Filesize
48KB

Download
memory/836-385-0x00007FFE24BD0000-0x00007FFE24BDC000-memory.dmp

Filesize
48KB

Download
memory/836-387-0x00007FFE24BB0000-0x00007FFE24BBC000-memory.dmp

Filesize
48KB

Download
memory/836-388-0x00007FFE24BA0000-0x00007FFE24BAB000-memory.dmp

Filesize
44KB

Download
memory/836-389-0x00007FFE24B90000-0x00007FFE24B9B000-memory.dmp

Filesize
44KB

Download
memory/836-391-0x00007FFE24B70000-0x00007FFE24B7C000-memory.dmp

Filesize
48KB

Download
memory/836-392-0x00007FFE24B60000-0x00007FFE24B6D000-memory.dmp

Filesize
52KB

Download
memory/836-393-0x00007FFE24B40000-0x00007FFE24B52000-memory.dmp

Filesize
72KB

Download
memory/836-394-0x00007FFE244E0000-0x00007FFE244EC000-memory.dmp

Filesize
48KB

Download
memory/836-396-0x00007FFE24270000-0x00007FFE2427A000-memory.dmp

Filesize
40KB

Download
memory/836-397-0x00007FFE24240000-0x00007FFE24269000-memory.dmp

Filesize
164KB

Download
memory/836-138-0x00007FFE26E30000-0x00007FFE2729E000-memory.dmp

Filesize
4.4MB

Download
memory/836-395-0x00007FFE24280000-0x00007FFE244D2000-memory.dmp

Filesize
2.3MB

Download
memory/836-151-0x00007FFE2C490000-0x00007FFE2C4B4000-memory.dmp

Filesize
144KB

Download
memory/836-401-0x00007FFE29420000-0x00007FFE29434000-memory.dmp

Filesize
80KB

Download
memory/836-402-0x00007FFE36350000-0x00007FFE3635B000-memory.dmp

Filesize
44KB

Download
memory/836-182-0x00007FFE2C470000-0x00007FFE2C489000-memory.dmp

Filesize
100KB

Download
memory/836-390-0x00007FFE24B80000-0x00007FFE24B8C000-memory.dmp

Filesize
48KB

Download
memory/836-386-0x00007FFE24BC0000-0x00007FFE24BCE000-memory.dmp

Filesize
56KB

Download
memory/836-383-0x00007FFE24BF0000-0x00007FFE24BFB000-memory.dmp

Filesize
44KB

Download
memory/836-380-0x00007FFE24C20000-0x00007FFE24C2C000-memory.dmp

Filesize
48KB

Download
memory/836-377-0x00007FFE24C40000-0x00007FFE24C78000-memory.dmp

Filesize
224KB

Download
memory/836-261-0x00007FFE29950000-0x00007FFE29984000-memory.dmp

Filesize
208KB

Download
memory/836-369-0x00007FFE24E90000-0x00007FFE24EB6000-memory.dmp

Filesize
152KB

Download
memory/836-278-0x00007FFE39A00000-0x00007FFE39A0D000-memory.dmp

Filesize
52KB

Download
memory/836-162-0x00007FFE3A140000-0x00007FFE3A14F000-memory.dmp

Filesize
60KB

Download
memory/836-335-0x00007FFE2C450000-0x00007FFE2C469000-memory.dmp

Filesize
100KB

Download
memory/836-370-0x00007FFE24D70000-0x00007FFE24E88000-memory.dmp

Filesize
1.1MB

Download
memory/836-349-0x00007FFE298D0000-0x00007FFE298EF000-memory.dmp

Filesize
124KB

Download
memory/836-213-0x00007FFE39C40000-0x00007FFE39C4D000-memory.dmp

Filesize
52KB

Download
memory/836-348-0x00007FFE298F0000-0x00007FFE2991B000-memory.dmp

Filesize
172KB

Download
memory/836-359-0x00007FFE29440000-0x00007FFE2946E000-memory.dmp

Filesize
184KB

Download
memory/836-338-0x00007FFE29920000-0x00007FFE2994E000-memory.dmp

Filesize
184KB

Download
memory/836-311-0x00007FFE26BF0000-0x00007FFE26D61000-memory.dmp

Filesize
1.4MB

Download
memory/836-307-0x00007FFE26D70000-0x00007FFE26E2C000-memory.dmp

Filesize
752KB

Download
memory/836-363-0x00007FFE24F50000-0x00007FFE25008000-memory.dmp

Filesize
736KB

Download
memory/836-362-0x00007FFE25010000-0x00007FFE25385000-memory.dmp

Filesize
3.5MB

Download
memory/1048-3-0x000000001E050000-0x000000001E060000-memory.dmp

Filesize
64KB

Download
memory/1048-256-0x00007FFE2B130000-0x00007FFE2BBF1000-memory.dmp

Filesize
10.8MB

Download
memory/1048-0-0x00007FFE2B130000-0x00007FFE2BBF1000-memory.dmp

Filesize
10.8MB

Download
memory/1048-1-0x0000000000DF0000-0x00000000033C4000-memory.dmp

Filesize
37.8MB

Download
memory/1316-15-0x00007FFE2B130000-0x00007FFE2BBF1000-memory.dmp

Filesize
10.8MB

Download
memory/1316-14-0x0000000000560000-0x00000000005AC000-memory.dmp

Filesize
304KB

Download
memory/1428-374-0x00007FFE33EA0000-0x00007FFE33EAD000-memory.dmp

Filesize
52KB

Download
memory/1428-523-0x00007FFE21720000-0x00007FFE21A95000-memory.dmp

Filesize
3.5MB

Download
memory/1428-368-0x00007FFE24EE0000-0x00007FFE24F14000-memory.dmp

Filesize
208KB

Download
memory/1428-372-0x00007FFE24EC0000-0x00007FFE24ED9000-memory.dmp

Filesize
100KB

Download
memory/1428-373-0x00007FFE35EC0000-0x00007FFE35ECD000-memory.dmp

Filesize
52KB

Download
memory/1428-399-0x00007FFE26580000-0x00007FFE269EE000-memory.dmp

Filesize
4.4MB

Download
memory/1428-375-0x00007FFE24D40000-0x00007FFE24D6E000-memory.dmp

Filesize
184KB

Download
memory/1428-398-0x00007FFE24210000-0x00007FFE2423B000-memory.dmp

Filesize
172KB

Download
memory/1428-364-0x00007FFE293F0000-0x00007FFE29414000-memory.dmp

Filesize
144KB

Download
memory/1428-376-0x00007FFE24C80000-0x00007FFE24D3C000-memory.dmp

Filesize
752KB

Download
memory/1428-365-0x00007FFE36830000-0x00007FFE3683F000-memory.dmp

Filesize
60KB

Download
memory/1428-522-0x00007FFE21AA0000-0x00007FFE21B58000-memory.dmp

Filesize
736KB

Download
memory/1428-512-0x00007FFE24EC0000-0x00007FFE24ED9000-memory.dmp

Filesize
100KB

Download
memory/1428-470-0x00007FFE293F0000-0x00007FFE29414000-memory.dmp

Filesize
144KB

Download
memory/1428-367-0x00007FFE24F20000-0x00007FFE24F4D000-memory.dmp

Filesize
180KB

Download
memory/1428-366-0x00007FFE293D0000-0x00007FFE293E9000-memory.dmp

Filesize
100KB

Download
memory/1428-469-0x00007FFE26580000-0x00007FFE269EE000-memory.dmp

Filesize
4.4MB

Download
memory/1428-515-0x00007FFE24D40000-0x00007FFE24D6E000-memory.dmp

Filesize
184KB

Download
memory/1428-516-0x00007FFE24C80000-0x00007FFE24D3C000-memory.dmp

Filesize
752KB

Download
memory/1428-519-0x00007FFE24020000-0x00007FFE2402A000-memory.dmp

Filesize
40KB

Download
memory/1428-521-0x00007FFE21B60000-0x00007FFE21B8E000-memory.dmp

Filesize
184KB

Download
memory/4216-357-0x00007FFE2B130000-0x00007FFE2BBF1000-memory.dmp

Filesize
10.8MB

Download
memory/4216-400-0x000000001BE50000-0x000000001BE60000-memory.dmp

Filesize
64KB

Download
memory/4216-310-0x0000000000F40000-0x0000000001264000-memory.dmp

Filesize
3.1MB

Download