quasar | b12573a06d210c94325adff99d72041732ee2937d4000a2766afa930dc31bff7

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xzczxczxczxvxzvxzv.exe
Size

3.1MB
MD5

61437e24f20626caa1da68d45dc6349c
SHA1

e8e757aa167f0dfd15528bf26f6465758fbbb6f3
SHA256

b12573a06d210c94325adff99d72041732ee2937d4000a2766afa930dc31bff7
SHA512

8da16a08df45608736fe6cfacad123b54f326b366fd6d4d449f7b5c32c6385d8110813e76767ee35e2093cdb554ea57d1ed8b1d10a4fef4d437d312dfaa7bcce
SSDEEP

49152:NvUI22SsaNYfdPBldt698dBcjH6q6rXMfltoGdXTHHB72eh2NT:NvZ22SsaNYfdPBldt6+dBcjH6q6r+

Score

10^/10

quasar shiba spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Shiba

score-seminars.gl.at.ply.gg:35300:35300

Mutex

987c652c-2a4e-4c5d-bc39-00c8c0f35c5c

Attributes

encryption_key
A88D7FED7F655EBDC4F99C21BAE5EC62300AADC7
install_name
$sxr-insta.exe
log_directory
$sxr-logs
reconnect_delay
1000
startup_key
$sxr-mstha
subdirectory
$sxr-start

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 9 IoCs

resource	yara_rule
behavioral1/memory/1988-1-0x0000000000E00000-0x0000000001124000-memory.dmp	family_quasar
behavioral1/files/0x0009000000015616-6.dat	family_quasar
behavioral1/memory/1344-9-0x00000000012E0000-0x0000000001604000-memory.dmp	family_quasar
behavioral1/memory/1632-43-0x00000000013B0000-0x00000000016D4000-memory.dmp	family_quasar
behavioral1/memory/820-64-0x0000000000250000-0x0000000000574000-memory.dmp	family_quasar
behavioral1/memory/2036-75-0x00000000012D0000-0x00000000015F4000-memory.dmp	family_quasar
behavioral1/memory/852-127-0x0000000000040000-0x0000000000364000-memory.dmp	family_quasar
behavioral1/memory/1784-138-0x0000000001100000-0x0000000001424000-memory.dmp	family_quasar
behavioral1/memory/452-149-0x0000000001330000-0x0000000001654000-memory.dmp	family_quasar

Executes dropped EXE 16 IoCs

pid	Process
1344	$sxr-insta.exe
2552	$sxr-insta.exe
2960	$sxr-insta.exe
1632	$sxr-insta.exe
2292	$sxr-insta.exe
820	$sxr-insta.exe
2036	$sxr-insta.exe
2892	$sxr-insta.exe
1208	$sxr-insta.exe
2724	$sxr-insta.exe
2436	$sxr-insta.exe
852	$sxr-insta.exe
1784	$sxr-insta.exe
452	$sxr-insta.exe
1620	$sxr-insta.exe
2332	$sxr-insta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 16 IoCs

Remote System Discovery

T1018

pid	Process
1184	PING.EXE
1884	PING.EXE
2820	PING.EXE
2776	PING.EXE
2004	PING.EXE
2864	PING.EXE
2660	PING.EXE
1680	PING.EXE
3028	PING.EXE
1116	PING.EXE
1252	PING.EXE
3056	PING.EXE
1928	PING.EXE
2612	PING.EXE
768	PING.EXE
1100	PING.EXE

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	xzczxczxczxvxzvxzv.exe
Token: SeDebugPrivilege	1344	$sxr-insta.exe
Token: SeDebugPrivilege	2552	$sxr-insta.exe
Token: SeDebugPrivilege	2960	$sxr-insta.exe
Token: SeDebugPrivilege	1632	$sxr-insta.exe
Token: SeDebugPrivilege	2292	$sxr-insta.exe
Token: SeDebugPrivilege	820	$sxr-insta.exe
Token: SeDebugPrivilege	2036	$sxr-insta.exe
Token: SeDebugPrivilege	2892	$sxr-insta.exe
Token: SeDebugPrivilege	1208	$sxr-insta.exe
Token: SeDebugPrivilege	2724	$sxr-insta.exe
Token: SeDebugPrivilege	2436	$sxr-insta.exe
Token: SeDebugPrivilege	852	$sxr-insta.exe
Token: SeDebugPrivilege	1784	$sxr-insta.exe
Token: SeDebugPrivilege	452	$sxr-insta.exe
Token: SeDebugPrivilege	1620	$sxr-insta.exe
Token: SeDebugPrivilege	2332	$sxr-insta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1344	1988	xzczxczxczxvxzvxzv.exe	28
PID 1988 wrote to memory of 1344	1988	xzczxczxczxvxzvxzv.exe	28
PID 1988 wrote to memory of 1344	1988	xzczxczxczxvxzvxzv.exe	28
PID 1344 wrote to memory of 2580	1344	$sxr-insta.exe	29
PID 1344 wrote to memory of 2580	1344	$sxr-insta.exe	29
PID 1344 wrote to memory of 2580	1344	$sxr-insta.exe	29
PID 2580 wrote to memory of 2636	2580	cmd.exe	31
PID 2580 wrote to memory of 2636	2580	cmd.exe	31
PID 2580 wrote to memory of 2636	2580	cmd.exe	31
PID 2580 wrote to memory of 2660	2580	cmd.exe	32
PID 2580 wrote to memory of 2660	2580	cmd.exe	32
PID 2580 wrote to memory of 2660	2580	cmd.exe	32
PID 2580 wrote to memory of 2552	2580	cmd.exe	33
PID 2580 wrote to memory of 2552	2580	cmd.exe	33
PID 2580 wrote to memory of 2552	2580	cmd.exe	33
PID 2552 wrote to memory of 2652	2552	$sxr-insta.exe	34
PID 2552 wrote to memory of 2652	2552	$sxr-insta.exe	34
PID 2552 wrote to memory of 2652	2552	$sxr-insta.exe	34
PID 2652 wrote to memory of 2508	2652	cmd.exe	36
PID 2652 wrote to memory of 2508	2652	cmd.exe	36
PID 2652 wrote to memory of 2508	2652	cmd.exe	36
PID 2652 wrote to memory of 1928	2652	cmd.exe	37
PID 2652 wrote to memory of 1928	2652	cmd.exe	37
PID 2652 wrote to memory of 1928	2652	cmd.exe	37
PID 2652 wrote to memory of 2960	2652	cmd.exe	38
PID 2652 wrote to memory of 2960	2652	cmd.exe	38
PID 2652 wrote to memory of 2960	2652	cmd.exe	38
PID 2960 wrote to memory of 852	2960	$sxr-insta.exe	39
PID 2960 wrote to memory of 852	2960	$sxr-insta.exe	39
PID 2960 wrote to memory of 852	2960	$sxr-insta.exe	39
PID 852 wrote to memory of 1476	852	cmd.exe	41
PID 852 wrote to memory of 1476	852	cmd.exe	41
PID 852 wrote to memory of 1476	852	cmd.exe	41
PID 852 wrote to memory of 2612	852	cmd.exe	42
PID 852 wrote to memory of 2612	852	cmd.exe	42
PID 852 wrote to memory of 2612	852	cmd.exe	42
PID 852 wrote to memory of 1632	852	cmd.exe	43
PID 852 wrote to memory of 1632	852	cmd.exe	43
PID 852 wrote to memory of 1632	852	cmd.exe	43
PID 1632 wrote to memory of 1084	1632	$sxr-insta.exe	44
PID 1632 wrote to memory of 1084	1632	$sxr-insta.exe	44
PID 1632 wrote to memory of 1084	1632	$sxr-insta.exe	44
PID 1084 wrote to memory of 1756	1084	cmd.exe	46
PID 1084 wrote to memory of 1756	1084	cmd.exe	46
PID 1084 wrote to memory of 1756	1084	cmd.exe	46
PID 1084 wrote to memory of 768	1084	cmd.exe	47
PID 1084 wrote to memory of 768	1084	cmd.exe	47
PID 1084 wrote to memory of 768	1084	cmd.exe	47
PID 1084 wrote to memory of 2292	1084	cmd.exe	48
PID 1084 wrote to memory of 2292	1084	cmd.exe	48
PID 1084 wrote to memory of 2292	1084	cmd.exe	48
PID 2292 wrote to memory of 2388	2292	$sxr-insta.exe	49
PID 2292 wrote to memory of 2388	2292	$sxr-insta.exe	49
PID 2292 wrote to memory of 2388	2292	$sxr-insta.exe	49
PID 2388 wrote to memory of 392	2388	cmd.exe	51
PID 2388 wrote to memory of 392	2388	cmd.exe	51
PID 2388 wrote to memory of 392	2388	cmd.exe	51
PID 2388 wrote to memory of 1100	2388	cmd.exe	52
PID 2388 wrote to memory of 1100	2388	cmd.exe	52
PID 2388 wrote to memory of 1100	2388	cmd.exe	52
PID 2388 wrote to memory of 820	2388	cmd.exe	55
PID 2388 wrote to memory of 820	2388	cmd.exe	55
PID 2388 wrote to memory of 820	2388	cmd.exe	55
PID 820 wrote to memory of 1792	820	$sxr-insta.exe	56

C:\Users\Admin\AppData\Local\Temp\xzczxczxczxvxzvxzv.exe
"C:\Users\Admin\AppData\Local\Temp\xzczxczxczxvxzvxzv.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
  "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\xAlyoILXewxK.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2636
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:2660
  - - C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
      "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mnGrM5y9oiQI.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2508
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:1928
      - C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iKwoUIyFQNeB.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9WInBbK6Me7s.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        Runs ping.exe
        
        PID:768
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\P9AUMqD85JJX.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        Runs ping.exe
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UWwm6qDhJViB.bat" "
        13⤵
        
        PID:1792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        Runs ping.exe
        
        PID:1252
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ntn9m5MU4Ozd.bat" "
        15⤵
        
        PID:2968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2900
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        Runs ping.exe
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OSgfJp5dtEfl.bat" "
        17⤵
        
        PID:1268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        Runs ping.exe
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Rsq02S5JXMv1.bat" "
        19⤵
        
        PID:2632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2320
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        Runs ping.exe
        
        PID:1184
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qqOzJ5Y5IYW6.bat" "
        21⤵
        
        PID:2456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        Runs ping.exe
        
        PID:1884
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\73Vno4s9Ouge.bat" "
        23⤵
        
        PID:2964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        Runs ping.exe
        
        PID:2776
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HKqHMTbKO8Iz.bat" "
        25⤵
        
        PID:2808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        Runs ping.exe
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uL4Fitz47PBD.bat" "
        27⤵
        
        PID:1868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        Runs ping.exe
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2eOLbDPpIeDI.bat" "
        29⤵
        
        PID:332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        Runs ping.exe
        
        PID:1116
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uzBGtwIT0xum.bat" "
        31⤵
        
        PID:312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        Runs ping.exe
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kodLWXxtxO60.bat" "
        33⤵
        
        PID:2420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:2208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        Runs ping.exe
        
        PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2eOLbDPpIeDI.bat

Filesize
215B

MD5
4e1b370102122d4028e5d711b6d89dac

SHA1
9700d389829482a7e2b6b9fddd78ab87bc124a61

SHA256
229137bd49ecc899e5680ea0eec1445be04e89b43b34869b861f46c1e18f9f2b

SHA512
e0ea36a64ac3b96e6d39cef71577f6bcf663914f332a531da522536e309cb38bac01c8eeb3762e53285af07bed0bc1ead06fb882c169de22eb9a710299cbe960

Download Submit
C:\Users\Admin\AppData\Local\Temp\73Vno4s9Ouge.bat

Filesize
215B

MD5
2bc7efd08144eeb6ddcae7595259df96

SHA1
b7870aaeb67a4b36bd18c92f4480aa0ac5d93273

SHA256
fddedee6247c9cdb7d51f34c3ded05599a3ef01e4c1dcf1fc5d7ace3d9731045

SHA512
b6affb9b8f88c78ae8fd8db0a1c4db12cc3ec232276b0ccea9b5230371271ed50de96f66bf62e16c7001511b4103487b93803aca20c278a3b62dd196b2b32a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\9WInBbK6Me7s.bat

Filesize
215B

MD5
8fa57dd696b7b6a9736628308c9d72eb

SHA1
e21b4d0a9cd66c00cf9bd19f69f224b312586c3d

SHA256
dea8e98f54fc0f80b3ce477e62cecba8a2dfc687d7f08dfb70230b1bd58ab680

SHA512
a0587615bfbdf5760c4546ddfdb9ae3f1bc4f4158954427b843f431e6059cd1e26d465fbd0ab1f7c7f3496ef90e78a7d907da1475288770b98adad5b84755cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKqHMTbKO8Iz.bat

Filesize
215B

MD5
ecde2d78e9e8ed3df54c5319cc2a0164

SHA1
1192db336ea7f524c44d2c6c09ad44ba27d31436

SHA256
aa219852f5feed2c5a2b8c123be05fa992ff590cbbf27bd90507a803df1498c8

SHA512
03d3ce1d3344f1bad7ef634288fc3fc4766a0548b21b1f7c73e0640c23c87b5b8baba09f6ee4b2139f4fb3fd6532ac3ef14ca525966557fd039199544413f25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OSgfJp5dtEfl.bat

Filesize
215B

MD5
f01463a7fbfa22b52b275f73e5e01c71

SHA1
7f21c4e265dedb5b34e4a21eb87f15b8b72e9e20

SHA256
62ddd86a154635b6d3230296cf342862e920c04dd686b953c548fd68e8f6bc3e

SHA512
15db89c3302d5a5e9e33dc4e6556563f0455d32196970494648a8ffe528ec304854d4359eac5a3143a9cf2def1df747f29ebc0238685e0f0d10f83fa70390aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\P9AUMqD85JJX.bat

Filesize
215B

MD5
af71364f0791020dd27c63ac4b997b51

SHA1
fe0078560b718ae19a0fa7c7fd2624363dedaf96

SHA256
1efd257bf2f51bf231644b7a4c3db5565e86934315eae588027dfcbf68f9312b

SHA512
062783135affd0bdaeacefabaab342a204804370ea07fd52610f2e7148e25e9a976cadf76258fb13058099d67e95fbff920e91f31ddedf39af86e6163d86d8d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rsq02S5JXMv1.bat

Filesize
215B

MD5
1b75867b62129022bc10695d3e1f47b0

SHA1
bec822408795a7f17a75f0a8fb8323e08759a973

SHA256
1adbffd26a9fbd203f34f7c58c8c1495c2db9d79194a87b78b45f7ac373cbd11

SHA512
98e682a4e96161a80e1785ef6e71c6449c8647bfe2ae25f84e9e81afb4e5518c8358c7b6f531a83511266669e637a6db985ec61393bed5b87239503af82aca8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWwm6qDhJViB.bat

Filesize
215B

MD5
90bbc181685bb1baaa231cff031667fe

SHA1
ced3ca8a475635c632e34ad381534f597ae7b79b

SHA256
db9e78bdfe667d067a7c6895f3f618fdf911e5908c7dffc6415d7236882db071

SHA512
324c634f2eb9e9609e370539feff385f0c365666cbfdfb62e4708c636ba85b418a91e31c530e0117def28346e0d3675de4448dc761bc5b54fbe83d731f87fc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iKwoUIyFQNeB.bat

Filesize
215B

MD5
bae780745d5c7c4ce9e792ba739e1322

SHA1
9584670e686dfebc8b2f3188cfb43bea83192191

SHA256
a3c427ef113974daa39a64c533035618e23737364dc453ce9a1f745a1dc98b3a

SHA512
7b61a20eab2971589a7743104a7e1949ada986db592f7f5b0bf0751a2a53471c934bae44f7c0477653cba6dec3b584eeeb82bbefb3cd69c943a8dedad1e38448

Download Submit
C:\Users\Admin\AppData\Local\Temp\kodLWXxtxO60.bat

Filesize
215B

MD5
dd8b1b3bf12fe6f1eca11c9851d970a8

SHA1
406ae8ebd6eae848acc6496360fe4283e17be892

SHA256
347fe68c5cd4f11981db67e8460221f1a0dee2ca850b0981c5f96fc49dcfd409

SHA512
2674aea226a2155b6fc6988d0de27d68a0bf59952a9778082695c143e65abbc2e0fa02a4cd378a5ac7a254c31cc4acccfcd5c3df4d34da8ce78dd2058977c3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\mnGrM5y9oiQI.bat

Filesize
215B

MD5
601c3efb059d6e45edd98676748964bd

SHA1
4070126b5715033e6ced191c2bcaa35c26a6cceb

SHA256
5297427e50035291ae8277d87d508786a0abfa8668607030fb0c36af3540fcfe

SHA512
262be6df13e4444f9fd89db79263d6502947bb1f6da2b10288d1bcd05fd4ba035b7300ae6842b2722473aec9a1d9eaba9986ed81226d39ebec5ade703fb8a677

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntn9m5MU4Ozd.bat

Filesize
215B

MD5
768a4b301d58bb345752d770b1dab2c1

SHA1
1678ace8c09de45e39c2cf42f85efce2263c2924

SHA256
0c22322ab8db9e21b02c385e80ffc2be116b3c5722564d17864c58d7df95c178

SHA512
1549060353d572165e84eef263f310c12f8ee14cde6d429f3fffd4d6feaff67e67a7edb0e5a9aa25c2dd0ea339438be031de9000f3cfda3065f51c7410cbc409

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqOzJ5Y5IYW6.bat

Filesize
215B

MD5
1da17e2b7a33f691a86527acea1a1270

SHA1
8f856f6513a5bcbcc876042ae5bdf8abbb7169a7

SHA256
889b4c11396e478f58e9e5ec389c99d2f5933717fee5c2cb9822836f0c0bcb19

SHA512
381053e1102b7bb1a7a23ecff234cdc796bc32747294a3583ee1eb4bcc0d23840a47efab2384e2d816f78a99e0dda581638f618398de0b369f4cc16d7c885618

Download Submit
C:\Users\Admin\AppData\Local\Temp\uL4Fitz47PBD.bat

Filesize
215B

MD5
adbd4a382a155697838d5376f91868c0

SHA1
c61a4843eb5a633a3e1483d238960ca41e43b6e9

SHA256
c8ef8b89de947307dc39bb30da71feac0c4f5114c1057d05fc93953de58cf7ae

SHA512
717da9cd282a547bbd311a87196c1adf9857ffeafebead47b0a32759ace48fef213b22865bde0a65b660d551cfd4d64e5b74bfb76d30589bcb4559079c8c018f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzBGtwIT0xum.bat

Filesize
215B

MD5
050f947b5d2007b0e3dc3a835da17497

SHA1
40ccb6af4906dfcb14ba0b1524ffcbeaf9e17dfa

SHA256
e2e460ab44b64bce498ec5a898ff7399bfe2a9f35fbb571ca353617354d7f0e4

SHA512
6fc0e3ad06b5e01cf2d0e97528e1e79c4c9d6e8ae13ed34b6dda4e740c28474a18803b8eea9a3a53a340f96f68b9b1ef6315777b3235da8c79ae728080b05173

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAlyoILXewxK.bat

Filesize
215B

MD5
edbd901dc8bf541192820e804b52302a

SHA1
8c344e7726c267a94dc3e54768f1f060847f78b7

SHA256
b2fb8c04245e80d857ce0d17518ebfcd6a7cbda620985370f728a330bf05488b

SHA512
0d957803fb306e60746aef82d80cba160d576aff130dd9b87a187a62dda14dff6b20daf2639345d8fb8ec14529a86a8e2bd79b8bc6633c2014a4ba47033c4b4f

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe

Filesize
3.1MB

MD5
61437e24f20626caa1da68d45dc6349c

SHA1
e8e757aa167f0dfd15528bf26f6465758fbbb6f3

SHA256
b12573a06d210c94325adff99d72041732ee2937d4000a2766afa930dc31bff7

SHA512
8da16a08df45608736fe6cfacad123b54f326b366fd6d4d449f7b5c32c6385d8110813e76767ee35e2093cdb554ea57d1ed8b1d10a4fef4d437d312dfaa7bcce

Download Submit
memory/452-149-0x0000000001330000-0x0000000001654000-memory.dmp

Filesize
3.1MB

Download
memory/820-64-0x0000000000250000-0x0000000000574000-memory.dmp

Filesize
3.1MB

Download
memory/852-127-0x0000000000040000-0x0000000000364000-memory.dmp

Filesize
3.1MB

Download
memory/1344-8-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/1344-10-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/1344-21-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/1344-9-0x00000000012E0000-0x0000000001604000-memory.dmp

Filesize
3.1MB

Download
memory/1632-43-0x00000000013B0000-0x00000000016D4000-memory.dmp

Filesize
3.1MB

Download
memory/1784-138-0x0000000001100000-0x0000000001424000-memory.dmp

Filesize
3.1MB

Download
memory/1988-11-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/1988-0-0x000007FEF5043000-0x000007FEF5044000-memory.dmp

Filesize
4KB

Download
memory/1988-2-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/1988-1-0x0000000000E00000-0x0000000001124000-memory.dmp

Filesize
3.1MB

Download
memory/2036-75-0x00000000012D0000-0x00000000015F4000-memory.dmp

Filesize
3.1MB

Download