quasar | ba5fad18ee46eddf4b5934ca3fe9468f3beda482c031c5c4c294d30fbc6717d3

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe
Size

658KB
MD5

45303daac5f89e133dd82a6e3daa6053
SHA1

cf18d75d69bbc8554ccdd32a9def207b6abb3fea
SHA256

ba5fad18ee46eddf4b5934ca3fe9468f3beda482c031c5c4c294d30fbc6717d3
SHA512

99ff552be6edded807101365e0b59eb9993290d611e791d02bc3cfcb4d80db51da64ae9b672b5b17d8839c6f5d9c5efe3ece60da18f2b5bc3aa0109fc9a88cd3
SSDEEP

12288:OKEr+MYYF0QO2EHm81/09S6I6YZXIG/ZofFWj7:rEKMYq926YGiYsj7

Score

10^/10

quasar office04 persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

simplyrat.ddns.net:7777

Mutex

QSR_MUTEX_Icgj5r6QyqJxuPNxJ7

Attributes

encryption_key
FAZB6Y2s3Cy7dzM0vpDh7SmeuqfXDwSw
install_name
skinchanger.exe
log_directory
Logs
reconnect_delay
3000
startup_key
CS:GO Skin Changer
subdirectory
windows64

Signatures

Quasar RAT 5 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

flow ioc

44 ip-api.com
59 ip-api.com
62 ip-api.com
848 schtasks.exe
13 ip-api.com

flow	ioc
44	ip-api.com
59	ip-api.com
62	ip-api.com
848	schtasks.exe
13	ip-api.com

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1328-1-0x0000000000E90000-0x0000000000F3A000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

skinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	skinchanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	skinchanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	skinchanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	skinchanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	skinchanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	skinchanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	skinchanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	skinchanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	skinchanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	skinchanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	skinchanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	skinchanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	skinchanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	skinchanger.exe

Executes dropped EXE 14 IoCs

Processes:

pid	process
4876	skinchanger.exe
4776	skinchanger.exe
680	skinchanger.exe
4100	skinchanger.exe
4820	skinchanger.exe
1356	skinchanger.exe
5116	skinchanger.exe
684	skinchanger.exe
212	skinchanger.exe
1712	skinchanger.exe
1148	skinchanger.exe
3200	skinchanger.exe
1680	skinchanger.exe
1128	skinchanger.exe

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

skinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exe45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CS:GO Skin Changer = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows64\\skinchanger.exe\""	skinchanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CS:GO Skin Changer = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows64\\skinchanger.exe\""	skinchanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CS:GO Skin Changer = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows64\\skinchanger.exe\""	skinchanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CS:GO Skin Changer = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows64\\skinchanger.exe\""	skinchanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CS:GO Skin Changer = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows64\\skinchanger.exe\""	skinchanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CS:GO Skin Changer = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe\""	45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CS:GO Skin Changer = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows64\\skinchanger.exe\""	skinchanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CS:GO Skin Changer = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows64\\skinchanger.exe\""	skinchanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CS:GO Skin Changer = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows64\\skinchanger.exe\""	skinchanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CS:GO Skin Changer = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows64\\skinchanger.exe\""	skinchanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CS:GO Skin Changer = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows64\\skinchanger.exe\""	skinchanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CS:GO Skin Changer = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows64\\skinchanger.exe\""	skinchanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CS:GO Skin Changer = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows64\\skinchanger.exe\""	skinchanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CS:GO Skin Changer = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows64\\skinchanger.exe\""	skinchanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CS:GO Skin Changer = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows64\\skinchanger.exe\""	skinchanger.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
44 ip-api.com
59 ip-api.com
62 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
13	ip-api.com
44	ip-api.com
59	ip-api.com
62	ip-api.com

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4828	4876	WerFault.exe	skinchanger.exe
1004	4776	WerFault.exe	skinchanger.exe
3932	680	WerFault.exe	skinchanger.exe
3272	4100	WerFault.exe	skinchanger.exe
4676	4820	WerFault.exe	skinchanger.exe
1640	1356	WerFault.exe	skinchanger.exe
2936	5116	WerFault.exe	skinchanger.exe
3480	684	WerFault.exe	skinchanger.exe
3516	212	WerFault.exe	skinchanger.exe
4700	1712	WerFault.exe	skinchanger.exe
4484	1148	WerFault.exe	skinchanger.exe
2528	3200	WerFault.exe	skinchanger.exe
4612	1680	WerFault.exe	skinchanger.exe
2900	1128	WerFault.exe	skinchanger.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1108	schtasks.exe
5056	schtasks.exe
4992	schtasks.exe
4048	schtasks.exe
3268	schtasks.exe
1496	schtasks.exe
3024	schtasks.exe
848	schtasks.exe
3644	schtasks.exe
1772	schtasks.exe
2052	schtasks.exe
2244	schtasks.exe
4984	schtasks.exe
1500	schtasks.exe
3848	schtasks.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1760	PING.EXE
2076	PING.EXE
888	PING.EXE
1068	PING.EXE
1712	PING.EXE
3984	PING.EXE
1584	PING.EXE
1380	PING.EXE
2640	PING.EXE
2844	PING.EXE
2256	PING.EXE
4876	PING.EXE
3104	PING.EXE
2292	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exe

description	pid	process
Token: SeDebugPrivilege	1328	45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe
Token: SeDebugPrivilege	4876	skinchanger.exe
Token: SeDebugPrivilege	4776	skinchanger.exe
Token: SeDebugPrivilege	680	skinchanger.exe
Token: SeDebugPrivilege	4100	skinchanger.exe
Token: SeDebugPrivilege	4820	skinchanger.exe
Token: SeDebugPrivilege	1356	skinchanger.exe
Token: SeDebugPrivilege	5116	skinchanger.exe
Token: SeDebugPrivilege	684	skinchanger.exe
Token: SeDebugPrivilege	212	skinchanger.exe
Token: SeDebugPrivilege	1712	skinchanger.exe
Token: SeDebugPrivilege	1148	skinchanger.exe
Token: SeDebugPrivilege	3200	skinchanger.exe
Token: SeDebugPrivilege	1680	skinchanger.exe
Token: SeDebugPrivilege	1128	skinchanger.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

skinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exeskinchanger.exe

pid	process
4876	skinchanger.exe
4776	skinchanger.exe
680	skinchanger.exe
4820	skinchanger.exe
1356	skinchanger.exe
5116	skinchanger.exe
1712	skinchanger.exe
1148	skinchanger.exe
3200	skinchanger.exe
1680	skinchanger.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exeskinchanger.execmd.exeskinchanger.execmd.exeskinchanger.execmd.exeskinchanger.execmd.exe

description	pid	process	target process
PID 1328 wrote to memory of 848	1328	45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe	schtasks.exe
PID 1328 wrote to memory of 848	1328	45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe	schtasks.exe
PID 1328 wrote to memory of 848	1328	45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe	schtasks.exe
PID 1328 wrote to memory of 4876	1328	45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe	skinchanger.exe
PID 1328 wrote to memory of 4876	1328	45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe	skinchanger.exe
PID 1328 wrote to memory of 4876	1328	45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe	skinchanger.exe
PID 4876 wrote to memory of 3848	4876	skinchanger.exe	schtasks.exe
PID 4876 wrote to memory of 3848	4876	skinchanger.exe	schtasks.exe
PID 4876 wrote to memory of 3848	4876	skinchanger.exe	schtasks.exe
PID 4876 wrote to memory of 4792	4876	skinchanger.exe	cmd.exe
PID 4876 wrote to memory of 4792	4876	skinchanger.exe	cmd.exe
PID 4876 wrote to memory of 4792	4876	skinchanger.exe	cmd.exe
PID 4792 wrote to memory of 2328	4792	cmd.exe	chcp.com
PID 4792 wrote to memory of 2328	4792	cmd.exe	chcp.com
PID 4792 wrote to memory of 2328	4792	cmd.exe	chcp.com
PID 4792 wrote to memory of 2292	4792	cmd.exe	PING.EXE
PID 4792 wrote to memory of 2292	4792	cmd.exe	PING.EXE
PID 4792 wrote to memory of 2292	4792	cmd.exe	PING.EXE
PID 4792 wrote to memory of 4776	4792	cmd.exe	skinchanger.exe
PID 4792 wrote to memory of 4776	4792	cmd.exe	skinchanger.exe
PID 4792 wrote to memory of 4776	4792	cmd.exe	skinchanger.exe
PID 4776 wrote to memory of 4048	4776	skinchanger.exe	schtasks.exe
PID 4776 wrote to memory of 4048	4776	skinchanger.exe	schtasks.exe
PID 4776 wrote to memory of 4048	4776	skinchanger.exe	schtasks.exe
PID 4776 wrote to memory of 4880	4776	skinchanger.exe	cmd.exe
PID 4776 wrote to memory of 4880	4776	skinchanger.exe	cmd.exe
PID 4776 wrote to memory of 4880	4776	skinchanger.exe	cmd.exe
PID 4880 wrote to memory of 4688	4880	cmd.exe	chcp.com
PID 4880 wrote to memory of 4688	4880	cmd.exe	chcp.com
PID 4880 wrote to memory of 4688	4880	cmd.exe	chcp.com
PID 4880 wrote to memory of 3984	4880	cmd.exe	PING.EXE
PID 4880 wrote to memory of 3984	4880	cmd.exe	PING.EXE
PID 4880 wrote to memory of 3984	4880	cmd.exe	PING.EXE
PID 4880 wrote to memory of 680	4880	cmd.exe	skinchanger.exe
PID 4880 wrote to memory of 680	4880	cmd.exe	skinchanger.exe
PID 4880 wrote to memory of 680	4880	cmd.exe	skinchanger.exe
PID 680 wrote to memory of 2244	680	skinchanger.exe	schtasks.exe
PID 680 wrote to memory of 2244	680	skinchanger.exe	schtasks.exe
PID 680 wrote to memory of 2244	680	skinchanger.exe	schtasks.exe
PID 680 wrote to memory of 2996	680	skinchanger.exe	cmd.exe
PID 680 wrote to memory of 2996	680	skinchanger.exe	cmd.exe
PID 680 wrote to memory of 2996	680	skinchanger.exe	cmd.exe
PID 2996 wrote to memory of 684	2996	cmd.exe	chcp.com
PID 2996 wrote to memory of 684	2996	cmd.exe	chcp.com
PID 2996 wrote to memory of 684	2996	cmd.exe	chcp.com
PID 2996 wrote to memory of 1068	2996	cmd.exe	PING.EXE
PID 2996 wrote to memory of 1068	2996	cmd.exe	PING.EXE
PID 2996 wrote to memory of 1068	2996	cmd.exe	PING.EXE
PID 2996 wrote to memory of 4100	2996	cmd.exe	skinchanger.exe
PID 2996 wrote to memory of 4100	2996	cmd.exe	skinchanger.exe
PID 2996 wrote to memory of 4100	2996	cmd.exe	skinchanger.exe
PID 4100 wrote to memory of 4984	4100	skinchanger.exe	schtasks.exe
PID 4100 wrote to memory of 4984	4100	skinchanger.exe	schtasks.exe
PID 4100 wrote to memory of 4984	4100	skinchanger.exe	schtasks.exe
PID 4100 wrote to memory of 2044	4100	skinchanger.exe	cmd.exe
PID 4100 wrote to memory of 2044	4100	skinchanger.exe	cmd.exe
PID 4100 wrote to memory of 2044	4100	skinchanger.exe	cmd.exe
PID 2044 wrote to memory of 3372	2044	cmd.exe	chcp.com
PID 2044 wrote to memory of 3372	2044	cmd.exe	chcp.com
PID 2044 wrote to memory of 3372	2044	cmd.exe	chcp.com
PID 2044 wrote to memory of 1712	2044	cmd.exe	PING.EXE
PID 2044 wrote to memory of 1712	2044	cmd.exe	PING.EXE
PID 2044 wrote to memory of 1712	2044	cmd.exe	PING.EXE
PID 2044 wrote to memory of 4820	2044	cmd.exe	skinchanger.exe

C:\Users\Admin\AppData\Local\Temp\45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "CS:GO Skin Changer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\45303daac5f89e133dd82a6e3daa6053_JaffaCakes118.exe" /rl HIGHEST /f
2⤵
- Quasar RAT
- Creates scheduled task(s)
PID:848

C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe
"C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "CS:GO Skin Changer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j7qaT3ktITpC.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2328

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2292

C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe
"C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "CS:GO Skin Changer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkOqtd1gkGaX.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4688

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:3984

C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe
"C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "CS:GO Skin Changer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LdVeaZUs7RQF.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:684

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1068

C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe
"C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "CS:GO Skin Changer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEuzHxpJ8mS8.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:3372

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:1712

C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe
"C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4820

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "CS:GO Skin Changer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yBM1yOREABHW.bat" "
11⤵
PID:4496

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:2352

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:888

C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe
"C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1356

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "CS:GO Skin Changer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:3268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIrmgdnjUEIG.bat" "
13⤵
PID:4336

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:548

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:1760

C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe
"C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5116

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "CS:GO Skin Changer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZFAoMtDZJvoO.bat" "
15⤵
PID:3068

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:780

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2256

C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe
"C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "CS:GO Skin Changer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hHRPj0oWXEOr.bat" "
17⤵
PID:4464

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:1892

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2844

C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe
"C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "CS:GO Skin Changer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\913E7Oy5vLqB.bat" "
19⤵
PID:220

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:3780

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1584

C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe
"C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "CS:GO Skin Changer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SjbB5aXSB0Ug.bat" "
21⤵
PID:4596

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:2068

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:2076

C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe
"C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1148

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "CS:GO Skin Changer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QjH7ZTzU2MBy.bat" "
23⤵
PID:4956

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:4716

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:4876

C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe
"C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3200

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "CS:GO Skin Changer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tRV4rGIdxFrl.bat" "
25⤵
PID:4472

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:1396

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:1380

C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe
"C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1680

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "CS:GO Skin Changer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiWaGFp2DHU6.bat" "
27⤵
PID:1544

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:4268

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:3104

C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe
"C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "CS:GO Skin Changer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCUjTh8xaR7k.bat" "
29⤵
PID:3936

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:2348

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 2184
29⤵
- Program crash
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 2212
27⤵
- Program crash
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 2208
25⤵
- Program crash
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1920
23⤵
- Program crash
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 1908
21⤵
- Program crash
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 2196
19⤵
- Program crash
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 2212
17⤵
- Program crash
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 2188
15⤵
- Program crash
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 2216
13⤵
- Program crash
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 2196
11⤵
- Program crash
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 2180
9⤵
- Program crash
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 2204
7⤵
- Program crash
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 2180
5⤵
- Program crash
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 2004
3⤵
- Program crash
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4876 -ip 4876
1⤵
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4776 -ip 4776
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 680 -ip 680
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4100 -ip 4100
1⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4820 -ip 4820
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1356 -ip 1356
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5116 -ip 5116
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 684 -ip 684
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 212 -ip 212
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1712 -ip 1712
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1148 -ip 1148
1⤵
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3200 -ip 3200
1⤵
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1680 -ip 1680
1⤵
PID:788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1128 -ip 1128
1⤵
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\913E7Oy5vLqB.bat

Filesize
215B

MD5
e22d0e8e1b216208f42ecc9a799748a2

SHA1
cd188c3a101d400989b5481864b830ef0ef31929

SHA256
6567dfc682cbbf6206d1f2601a1f31675ccc0ee6686a4bda41304bfab50802c9

SHA512
234c2c8ee0aca269966dca760c1ce7eda80e3cd44ecfffb3e298ddab224caaf49fcbbb2ff9d5602468aa469084e55dab97a7647c5e6377bb5d26b929a84596ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\EiWaGFp2DHU6.bat

Filesize
215B

MD5
db4f4c03caff61fd298dbce11a8672c3

SHA1
9e6b4e466b511732a93726e1ee38aa10ef15e466

SHA256
40026f0d58aef9fcc4fd58e79b48cb1616faf2d85b2a89e6c7264a8ac401c1d4

SHA512
aa096716742a3bd29d6be746b6575da1674ff8bec5645368fc8eb171efa9aa517a12e2ae635fc5c073f602c7d346360c03fdaba170e2ffd6c5d69efdfc0ef754

Download Submit
C:\Users\Admin\AppData\Local\Temp\JkOqtd1gkGaX.bat

Filesize
215B

MD5
9d3078fc136a4fb027350b60ac130c93

SHA1
52cc5efac8c99c5f4a016509631e7574074d2bf9

SHA256
3a7834de66b0135e6846b2f4af868e8d1e3e24f9c51999079085cd07d592f16d

SHA512
e491d78a171244cafaf4400465aff384b3075d0abc09fe776418728260f0cff721d0e924548732efb1d6844dcb8245eafeb65c1934db2468fc6791279484a538

Download Submit
C:\Users\Admin\AppData\Local\Temp\LdVeaZUs7RQF.bat

Filesize
215B

MD5
dd081483e98117601c143fefdaf817b8

SHA1
224b3d5552b747ae694db8d149b0db240809c98e

SHA256
f132b2b63fc62a177c3ba3403d0ab03e92b9e3f1a71de730f98c20873b8a6c5c

SHA512
e9f49bad8ae9207c621de15b243a6f39bf337dec9a857f88efe252328e016624806c826573404c75605e8f45e75f9d320b874bc0aabe1d57e8e5274f432135a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QjH7ZTzU2MBy.bat

Filesize
215B

MD5
4801d04e0f38bd6ca5d069ca1ea98155

SHA1
00d19555e4f7ab4187b1385437b9aba683528ed5

SHA256
bc90c965b20cbd4c19ad3fc0ad88bb77fab2c89087e1612c74011c09ed58ace1

SHA512
068adeffa4056fa7cbb7c15abb71fed1b09bd16ffba23facd3bf264335eebc7d1fcfead5134faee91cb1180ac894c57563ee0bda51627e31f3112db753a4e9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SjbB5aXSB0Ug.bat

Filesize
215B

MD5
4f5132371eb152d63b036f4f4f613d90

SHA1
ef1a9b74c3bda487822d261a64c34362e601814a

SHA256
99b52b8d61c146dd75b58a4549355b663cfaaef2e3fb337583b9dbe112e3b7d2

SHA512
2448f7b7010ecb738bae7b2e8a015806d05c71de9dad3d565ec7750a59ff3942c48fc77529ba8b2f673075943fb04fa4ec87e3f667f4f9cb1c2d78f545ed94d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TIrmgdnjUEIG.bat

Filesize
215B

MD5
8ec64eceba9263373c1f0e94459a6252

SHA1
23e092725a9f059acc8df4444be8f7d8ed5f771d

SHA256
044a152c44256211f7cdc58cd390df8f5975931d1ab703252da6e959e9680bcc

SHA512
3d8718ef714acff4d4aa24dcbbdb4b2c842e78bc600b885beaf6b5b7284e9b30d5c9aed284f7d43b919391996234db4fa044f40ad3f758b1e41cda75b6125e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZFAoMtDZJvoO.bat

Filesize
215B

MD5
e02eb1107d89bc0e2fb05f0286614888

SHA1
6234ff2e1a5e1f5851e2662078a370e0f00c41a2

SHA256
528aaf603137847169bf8d8b629755a289f30930b8990fdedad8f160eb38879c

SHA512
ac34ef70da513b29ec05f8a395b8db62a699f35d0bb7da59fd96a95e1ae6ef2c2883736a938c61d7c554918dd72e19ff84e1386fd2c045bac659a8f84d953c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\hHRPj0oWXEOr.bat

Filesize
215B

MD5
0d9291236c3c492d92be8bb3d838afa2

SHA1
f0c8422c61d1cbf2f3422110896440e87b40ee99

SHA256
81cba60483106d30ee2b829a5dac6d104d8b6563049aea1419b46f12d8b29fda

SHA512
27ed9b3fb0ef68305195b65960f2c0b18973a6b29b6d5ce299cce0a8a371021d5a2cbd49531dd2442a5a9f7dd9caa1791ae70d7e46fa852afd0bf46e4e506033

Download Submit
C:\Users\Admin\AppData\Local\Temp\j7qaT3ktITpC.bat

Filesize
215B

MD5
128b26f93f8f68ad8bde3aebbe790c08

SHA1
9ba06c818aa9f83fc3483f51b7d0ecad9a4ae57a

SHA256
5af68c5750b64b1add2bbded729835c17e4f195682278371505e7adaf2760fcc

SHA512
3b5a537b720df865a28ef974b04c38283afd6dc876b9317543b59314892422dfcd312c55ef8a166222666f28a0cc0901690171053e443d6954d2bcca7cb3211e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jCUjTh8xaR7k.bat

Filesize
215B

MD5
3c1d28d267aa5a40249a4c07a659f35f

SHA1
63b4c6b6d0bc6f73861116b1d0875ac35fb89dd4

SHA256
21af84870aeb84627c6f700301402d5ab9ddf07ff527a9a17d43990f4b8ed0f3

SHA512
5c6c696a9ed5316bf695e40cced6786261e0453fa0bc7d8b9d5815067c8e3b30a23c9930d8fe0511c08a923d4549af5d10b2c04e4017ebe81f8332a737d5f843

Download Submit
C:\Users\Admin\AppData\Local\Temp\jEuzHxpJ8mS8.bat

Filesize
215B

MD5
ef55325044971ed6ae19571847e8dc27

SHA1
95e65a2a5c6e0ba37e05b1cd8a0f8e86613fb9c0

SHA256
67ea5ed1b3c3fe7aaa2c422492f92d1fbf688000ec7f9d9f00bffd9e40d31613

SHA512
0131177289d2a69dc958d95525c03e57c6c5842356ff7dd00016fd3f1e17887f4baca745a6370b3b1e5114ded9ad7949cbd1f1cfac9457c53137cd347f2b31c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tRV4rGIdxFrl.bat

Filesize
215B

MD5
c031cad317d8fbaaf7845aac05ec3319

SHA1
2c0264e39866f191905051c7dcf5193c04454942

SHA256
54a96fdade810ea243a51209620c65e51e36d27b8f8cf6b993241189bb04bbe8

SHA512
25317df187d79cbb184153ee61633f43914f25bf0293f207a7198fe8bcfc6a7c471224089d294edd0574678f4f5b9b77fc4ccffe0ee691116b9db8a636a0020d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yBM1yOREABHW.bat

Filesize
215B

MD5
89d6c0ff741d0511171b74e0254687b4

SHA1
bb85859cb3906ad23811fe07a94d49fb8a40c038

SHA256
a7edeae60cef5e30760f71b065b9727b88271a8472c20450b4b423d7f81a0a65

SHA512
009c86609d0397a3bff2cb919f47010122969a3e4135e9e62c767eca62db303b5b0c492fa80153e33d3d6d08cae603ca7279e86c7b34e0ad767b13534522372e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-15-2024

Filesize
224B

MD5
2be0d4e6977b54c36ff35bdc042d65b0

SHA1
81072f156ea8be4955cbba8f4029db1ceb664e76

SHA256
bc2d3d0e2f424a290b92f4e9fdadc57ccfdfc4a7d165b5a0e8f86cfca7c6f004

SHA512
bd12d6552f194165791b75351c1c77a186f0515087e9e99e19962a2b890c2e06cc7da0520ce05fe352266a4a22fcc688e5ecba4f5d346fa00bfa42993832711e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-15-2024

Filesize
224B

MD5
8106650200ad9d2709850e2e995506b8

SHA1
a3eacdc6e8992b8bdb88e323f503c48f77db4318

SHA256
7f3c8bb04a53c0de791161e36615a480989fe3d0be417094d6c35713c43a2c5a

SHA512
89860c0858e7049c431615e379fc03f607bcbd0ddcb1d3ab532a7ba0cc95c0945ce472f3d62405e8d813533a36a8a3101efa36ea92130c447366dd0d7c7687b1

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-15-2024

Filesize
224B

MD5
50ad241c349c1fd569c48ecf2ee8f08c

SHA1
15bb89b3e577c01372de8016b7c24c4f5785fd4b

SHA256
69a6fe9bf27fd83a907ae5b168c03780f00acd295210835d699eee915cef9190

SHA512
24a87ef861900a5f4dd9bc4af4d61eed8f42e131db2982bed7e3cbd2db7ef22eec702df64801efce593e83b01bd2f2c024ced72552ecdd2809d8546412e9711c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-15-2024

Filesize
224B

MD5
3c5cf36121046fcbf33c04acac78f43a

SHA1
d559fa8ffd753cb625af67be5361c06c2dc18095

SHA256
a89bf4bf78dea40affe2d9cc9c59fa2ecff0e57afc750517c91c99f83e35f5f5

SHA512
6b28fbe0a06eb0c1651785553c3593526850cee2cf9e5a487eabf6bbc6ef4f20c9c8e6c4ce6cccdf2632be8da90dacf046d783352072ed335bf4fb31a38bb7fb

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-15-2024

Filesize
224B

MD5
7df1bc1b85759dadbc8b569a61b64c57

SHA1
9a679fe43d8fa66d39d1f0b00d0978c9bb510a6e

SHA256
ebcf831e81a3eb86f3562d0dd9c21b0896336b5dc2579d216749615d53416e9e

SHA512
86b8b14fc6c40235be7dc4dda689fbf805180817556b78cebcf139290f5f2c3ba857f4aa10e175694798eadb183c6af40ccd9070f855216fa5712792b568adad

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-15-2024

Filesize
224B

MD5
4abef805eef55ea7bd221f9d7d43d64e

SHA1
084ccb8ba85044147fdfe196119186b6a3ea9de4

SHA256
202ac36b042aa8e155ad27c8f387af1694530d5dfeb05f1c94a48dd1e086cdbe

SHA512
39a8b6395ca3d9659e2290f45154af56b4c12352aca32a7aec4e3c3fd15fb37a8fb249d89a320aa6769609425fb4fb8bcb4108d6f637f55b72e52ef5ce886241

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-15-2024

Filesize
224B

MD5
0d4762612949d04ced6ba6c7db5773e9

SHA1
cecfae6e852da44f2370c81c580c8deec7259333

SHA256
0a0f85ea7e9b68553c8ef6c9f5db83f6ef8ff4324112c62a4cdff3b79a971ee0

SHA512
67a46dfbd825e300975c08b0b56b9e61918087ffe5f5aa3ef1673dd9453926cdfddc76bd1035dab2eb18f44444829f857d5a73d8e3774b33eb675b595da5b6c5

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-15-2024

Filesize
224B

MD5
c94c11b754ae7a4a7fd042baae7cfd43

SHA1
f42a44d1757d3231899de045739b3927fcb90d88

SHA256
a6d0547b01818f5324c4339de2557faaa1d06d2a130044b09e6a734c48261717

SHA512
41ba499f59ac3b1a9b789df6ef1d431f7191c23f0f16b2b1e66d4d505d51c2b7f9ecf561015286d73abfb55618182259c1e93505016a3284e7840540bf251256

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-15-2024

Filesize
224B

MD5
822df3f6aa47ecea6e835cda5f0b1f68

SHA1
6aef87ee2a23d887695b7342a6ee22e775ddf499

SHA256
0d4e91a58f784aa4b599f9412e835088013e64c4fb756eb88231b6e7ba8585be

SHA512
254748bf51f0a3c9c069a8eaaa12286b868f115187f95125307d29277fb06a31c28b776eb5b1182cb25eaa1677c5fed19ab6180c420de3b9c7fe7ac86c8c0926

Download Submit
C:\Users\Admin\AppData\Roaming\windows64\skinchanger.exe

Filesize
658KB

MD5
45303daac5f89e133dd82a6e3daa6053

SHA1
cf18d75d69bbc8554ccdd32a9def207b6abb3fea

SHA256
ba5fad18ee46eddf4b5934ca3fe9468f3beda482c031c5c4c294d30fbc6717d3

SHA512
99ff552be6edded807101365e0b59eb9993290d611e791d02bc3cfcb4d80db51da64ae9b672b5b17d8839c6f5d9c5efe3ece60da18f2b5bc3aa0109fc9a88cd3

Download Submit
memory/1328-3-0x0000000005900000-0x0000000005992000-memory.dmp

Filesize
584KB

Download
memory/1328-14-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/1328-1-0x0000000000E90000-0x0000000000F3A000-memory.dmp

Filesize
680KB

Download
memory/1328-6-0x0000000006630000-0x0000000006642000-memory.dmp

Filesize
72KB

Download
memory/1328-2-0x0000000005F80000-0x0000000006524000-memory.dmp

Filesize
5.6MB

Download
memory/1328-5-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/1328-0-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/1328-4-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/1328-7-0x0000000006B70000-0x0000000006BAC000-memory.dmp

Filesize
240KB

Download
memory/4876-27-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4876-20-0x00000000063F0000-0x000000000640A000-memory.dmp

Filesize
104KB

Download
memory/4876-19-0x0000000005FC0000-0x0000000005FCA000-memory.dmp

Filesize
40KB

Download
memory/4876-21-0x0000000006B40000-0x0000000006BF2000-memory.dmp

Filesize
712KB

Download
memory/4876-17-0x0000000006520000-0x0000000006B38000-memory.dmp

Filesize
6.1MB

Download
memory/4876-16-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4876-18-0x0000000005FF0000-0x0000000006040000-memory.dmp

Filesize
320KB

Download
memory/4876-15-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download