quasar | 6d6831eb5e141890de5963fdeb0444fadc89bf15d48aeccbc2c14f9ce72c47b2

Analysis

max time kernel
117s
max time network
126s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
05-05-2024 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
Size

598KB
MD5

164cc91241694bba1ddee440c96530c1
SHA1

0354ca6a88e4e97d92366b119bb06c78ecb4f1d7
SHA256

6d6831eb5e141890de5963fdeb0444fadc89bf15d48aeccbc2c14f9ce72c47b2
SHA512

223294d6ccb00ef6a2c25d972729f3226eff96647ec769fa0364500f4d145750d4913df6b9d03ddb4a20a2252fb5fa84a4d88d42b4de1e664295f2015b867f0a
SSDEEP

12288:GBU27je2sGbV7LsAlhgLTj9BBnWobokcoyhUvqA2UdpT3:GBUYje21R0b9BBnWooXhQqANpr

Score

10^/10

quasar venomrat windows security evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

windows security

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_XaCO2YtLAsadylDHBP

Attributes

encryption_key
eKgGUbCubcSIafuOAN5V
install_name
windows security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
windows security
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2172-14-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2172-8-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2172-12-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2172-16-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2172-9-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2172-14-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2172-8-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2172-12-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2172-16-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2172-9-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 2 IoCs

Processes:

windows security.exewindows security.exe

pid	Process
2696	windows security.exe
2676	windows security.exe

Loads dropped DLL 7 IoCs

Processes:

164cc91241694bba1ddee440c96530c1_JaffaCakes118.exewindows security.exeWerFault.exe

pid	Process
2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
2696	windows security.exe
1920	WerFault.exe
1920	WerFault.exe
1920	WerFault.exe
1920	WerFault.exe
1920	WerFault.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe"	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

164cc91241694bba1ddee440c96530c1_JaffaCakes118.exewindows security.exe164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1972 set thread context of 2172	1972	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	29
PID 2696 set thread context of 2676	2696	windows security.exe	36
PID 1880 set thread context of 2044	1880	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	52

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1920	2676	WerFault.exe	36

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
764	schtasks.exe
2628	schtasks.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXE

pid	Process
2692	PING.EXE
1816	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

164cc91241694bba1ddee440c96530c1_JaffaCakes118.exepowershell.exe164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe

pid	Process
1972	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
2800	powershell.exe
2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
2044	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe164cc91241694bba1ddee440c96530c1_JaffaCakes118.exepowershell.exewindows security.exe164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	1972	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
Token: SeDebugPrivilege	2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2676	windows security.exe
Token: SeDebugPrivilege	2676	windows security.exe
Token: SeDebugPrivilege	2044	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

windows security.exe

pid	Process
2676	windows security.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe164cc91241694bba1ddee440c96530c1_JaffaCakes118.exewindows security.exewindows security.execmd.execmd.exe

description	pid	Process	procid_target
PID 1972 wrote to memory of 2348	1972	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	28
PID 1972 wrote to memory of 2348	1972	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	28
PID 1972 wrote to memory of 2348	1972	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	28
PID 1972 wrote to memory of 2348	1972	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	28
PID 1972 wrote to memory of 2172	1972	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2172	1972	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2172	1972	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2172	1972	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2172	1972	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2172	1972	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2172	1972	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2172	1972	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2172	1972	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	29
PID 2172 wrote to memory of 2628	2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	31
PID 2172 wrote to memory of 2628	2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	31
PID 2172 wrote to memory of 2628	2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	31
PID 2172 wrote to memory of 2628	2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	31
PID 2172 wrote to memory of 2696	2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	33
PID 2172 wrote to memory of 2696	2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	33
PID 2172 wrote to memory of 2696	2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	33
PID 2172 wrote to memory of 2696	2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	33
PID 2172 wrote to memory of 2800	2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	34
PID 2172 wrote to memory of 2800	2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	34
PID 2172 wrote to memory of 2800	2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	34
PID 2172 wrote to memory of 2800	2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	34
PID 2696 wrote to memory of 2676	2696	windows security.exe	36
PID 2696 wrote to memory of 2676	2696	windows security.exe	36
PID 2696 wrote to memory of 2676	2696	windows security.exe	36
PID 2696 wrote to memory of 2676	2696	windows security.exe	36
PID 2696 wrote to memory of 2676	2696	windows security.exe	36
PID 2696 wrote to memory of 2676	2696	windows security.exe	36
PID 2696 wrote to memory of 2676	2696	windows security.exe	36
PID 2696 wrote to memory of 2676	2696	windows security.exe	36
PID 2696 wrote to memory of 2676	2696	windows security.exe	36
PID 2676 wrote to memory of 764	2676	windows security.exe	37
PID 2676 wrote to memory of 764	2676	windows security.exe	37
PID 2676 wrote to memory of 764	2676	windows security.exe	37
PID 2676 wrote to memory of 764	2676	windows security.exe	37
PID 2676 wrote to memory of 1996	2676	windows security.exe	39
PID 2676 wrote to memory of 1996	2676	windows security.exe	39
PID 2676 wrote to memory of 1996	2676	windows security.exe	39
PID 2676 wrote to memory of 1996	2676	windows security.exe	39
PID 2676 wrote to memory of 1920	2676	windows security.exe	41
PID 2676 wrote to memory of 1920	2676	windows security.exe	41
PID 2676 wrote to memory of 1920	2676	windows security.exe	41
PID 2676 wrote to memory of 1920	2676	windows security.exe	41
PID 1996 wrote to memory of 1904	1996	cmd.exe	42
PID 1996 wrote to memory of 1904	1996	cmd.exe	42
PID 1996 wrote to memory of 1904	1996	cmd.exe	42
PID 1996 wrote to memory of 1904	1996	cmd.exe	42
PID 1996 wrote to memory of 2692	1996	cmd.exe	43
PID 1996 wrote to memory of 2692	1996	cmd.exe	43
PID 1996 wrote to memory of 2692	1996	cmd.exe	43
PID 1996 wrote to memory of 2692	1996	cmd.exe	43
PID 2172 wrote to memory of 1444	2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	44
PID 2172 wrote to memory of 1444	2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	44
PID 2172 wrote to memory of 1444	2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	44
PID 2172 wrote to memory of 1444	2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	44
PID 1444 wrote to memory of 828	1444	cmd.exe	46
PID 1444 wrote to memory of 828	1444	cmd.exe	46
PID 1444 wrote to memory of 828	1444	cmd.exe	46
PID 1444 wrote to memory of 828	1444	cmd.exe	46
PID 2172 wrote to memory of 2292	2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	47
PID 2172 wrote to memory of 2292	2172	164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe	47

C:\Users\Admin\AppData\Local\Temp\164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe"
  2⤵
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Loads dropped DLL
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "windows security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2628
- - C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "windows security" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows security.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:764
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\A9f4DCf1DWHD.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1904
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:2692
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1468
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1920
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:828
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\G1VQf1XYYO0l.bat" "
    3⤵
    PID:2292
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1148
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:1880
    - - C:\Users\Admin\AppData\Local\Temp\164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\164cc91241694bba1ddee440c96530c1_JaffaCakes118.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
a1e9cbfb5407c84d0b52a80157f973bc

SHA1
66771c9aa6fcaa3612fedbe93dea4aae560f413f

SHA256
9ec9848c4a47dc58b607af5243404d9f800982ccccd5ad959ead0501c3a2d582

SHA512
35e1d322675689417e7afd66ec1c01ab64f5fb21fe368df7be3ca91a5bcd1ded82e5fba01f5c1eb17ae41b8def7b1f5e5c5ce4422f484439a36038c27e5baa34

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9f4DCf1DWHD.bat

Filesize
217B

MD5
acfb41fef936ed9d79b40177da10cacd

SHA1
bb3924f0672393ccf011b9f289fc669168d04be2

SHA256
a177a2bd122137e7b4bc5344cd6c1ed8266cfab17e5b9c45b1ee7e6a7414ff0e

SHA512
76b673d781fec30d60842381b0405f05934da5db38c62141c30987f2833c90c1203ada7bb1bae66673621e17baa1d322f98f0a132737bfd365ce6fc542c0254f

Download Submit
C:\Users\Admin\AppData\Local\Temp\G1VQf1XYYO0l.bat

Filesize
243B

MD5
1f6ac97dddda6f0bd9bc9b959a030c2a

SHA1
21f4507566e7267544b66dda135f03f1a16bc516

SHA256
e5caac3cb4648ef3bef70ee99c7db96bb2aeb1558ff3ab4183aec6f4657403ad

SHA512
cd032cb783b7500fc1e3e27e11a98a6d229a9f603a0cb162e6fb91de1b0978f258bac0b0f100960e0fc8b57ae49afb02f74c20e636fe8e9b0305963d0dff72d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar329A.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Roaming\SubDir\windows security.exe

Filesize
598KB

MD5
164cc91241694bba1ddee440c96530c1

SHA1
0354ca6a88e4e97d92366b119bb06c78ecb4f1d7

SHA256
6d6831eb5e141890de5963fdeb0444fadc89bf15d48aeccbc2c14f9ce72c47b2

SHA512
223294d6ccb00ef6a2c25d972729f3226eff96647ec769fa0364500f4d145750d4913df6b9d03ddb4a20a2252fb5fa84a4d88d42b4de1e664295f2015b867f0a

Download Submit
memory/1880-130-0x0000000000F60000-0x0000000000FFC000-memory.dmp

Filesize
624KB

Download
memory/1972-19-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/1972-5-0x0000000000780000-0x000000000078A000-memory.dmp

Filesize
40KB

Download
memory/1972-1-0x0000000000070000-0x000000000010C000-memory.dmp

Filesize
624KB

Download
memory/1972-2-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/1972-3-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/1972-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/2044-139-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2172-8-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2172-18-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2172-17-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-12-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2172-14-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2172-6-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2172-7-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2172-9-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2172-119-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2172-129-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2696-27-0x0000000000DC0000-0x0000000000E5C000-memory.dmp

Filesize
624KB

Download