quasar | f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c1cd3ee6e73a4e599c7c32bae300b05_JaffaCakes118.exe
Size

12.8MB
MD5

1c1cd3ee6e73a4e599c7c32bae300b05
SHA1

dd22b9c9531efdecd80d37b01254e96728ef26c3
SHA256

f1946c208e4a8f7428f97e8e40f31ffa95885b61571dc4ab9ba6a3356336fc12
SHA512

484ab45694f4789a8f385dd6346c2711d8b79368760819065592163f763a8724c91993fbc0bfbf58ce0c1d0f7d9132f9b59a99645790e4e68ece6650b99cd037
SSDEEP

393216:IY/d0T2My8oDotr3LItcM4epPOgmYQbml1ay:IYeqvE1Sd/WmSy

Score

10^/10

quasar venomrat greedens evasion rat rootkit spyware stealer themida trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

greedens

127.0.0.1:4782

Mutex

VNM_MUTEX_7DOOh0yZCLxX4Y4Ltu

Attributes

encryption_key
ZSBFYPSY9jJS688RgNV6
install_name
$77setup.exe
log_directory
gameboard
reconnect_delay
3000
startup_key
drivers
subdirectory
$77

Signatures

Contains code to disable Windows Defender 8 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2620-25-0x0000000000920000-0x00000000029EA000-memory.dmp	disable_win_def
behavioral1/memory/2620-26-0x0000000000920000-0x00000000029EA000-memory.dmp	disable_win_def
behavioral1/memory/2908-39-0x0000000000EF0000-0x0000000002FBA000-memory.dmp	disable_win_def
behavioral1/memory/2908-40-0x0000000000EF0000-0x0000000002FBA000-memory.dmp	disable_win_def
behavioral1/memory/3052-64-0x0000000000EF0000-0x0000000002FBA000-memory.dmp	disable_win_def
behavioral1/memory/3052-65-0x0000000000EF0000-0x0000000002FBA000-memory.dmp	disable_win_def
behavioral1/memory/852-95-0x0000000000190000-0x000000000225A000-memory.dmp	disable_win_def
behavioral1/memory/852-96-0x0000000000190000-0x000000000225A000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	photo_protected.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	photo_protected.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	photo_protected.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	photo_protected.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral1/memory/2620-25-0x0000000000920000-0x00000000029EA000-memory.dmp	family_quasar
behavioral1/memory/2620-26-0x0000000000920000-0x00000000029EA000-memory.dmp	family_quasar
behavioral1/memory/2908-39-0x0000000000EF0000-0x0000000002FBA000-memory.dmp	family_quasar
behavioral1/memory/2908-40-0x0000000000EF0000-0x0000000002FBA000-memory.dmp	family_quasar
behavioral1/memory/3052-64-0x0000000000EF0000-0x0000000002FBA000-memory.dmp	family_quasar
behavioral1/memory/3052-65-0x0000000000EF0000-0x0000000002FBA000-memory.dmp	family_quasar
behavioral1/memory/852-95-0x0000000000190000-0x000000000225A000-memory.dmp	family_quasar
behavioral1/memory/852-96-0x0000000000190000-0x000000000225A000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	photo_protected.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	$77setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	$77setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	photo_protected.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	$77setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	$77setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	photo_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	photo_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	photo_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	photo_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	$77setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	$77setup.exe

Deletes itself 1 IoCs

pid	Process
576	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
2620	photo_protected.exe
2908	$77setup.exe
3052	$77setup.exe
852	photo_protected.exe

Loads dropped DLL 12 IoCs

pid	Process
1924	1c1cd3ee6e73a4e599c7c32bae300b05_JaffaCakes118.exe
1924	1c1cd3ee6e73a4e599c7c32bae300b05_JaffaCakes118.exe
1924	1c1cd3ee6e73a4e599c7c32bae300b05_JaffaCakes118.exe
1924	1c1cd3ee6e73a4e599c7c32bae300b05_JaffaCakes118.exe
2620	photo_protected.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
1852	cmd.exe
1744	cmd.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000c000000014319-8.dat	themida
behavioral1/memory/2620-25-0x0000000000920000-0x00000000029EA000-memory.dmp	themida
behavioral1/memory/2620-26-0x0000000000920000-0x00000000029EA000-memory.dmp	themida
behavioral1/memory/2908-39-0x0000000000EF0000-0x0000000002FBA000-memory.dmp	themida
behavioral1/memory/2908-40-0x0000000000EF0000-0x0000000002FBA000-memory.dmp	themida
behavioral1/memory/3052-64-0x0000000000EF0000-0x0000000002FBA000-memory.dmp	themida
behavioral1/memory/3052-65-0x0000000000EF0000-0x0000000002FBA000-memory.dmp	themida
behavioral1/memory/852-95-0x0000000000190000-0x000000000225A000-memory.dmp	themida
behavioral1/memory/852-96-0x0000000000190000-0x000000000225A000-memory.dmp	themida

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	photo_protected.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	photo_protected.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	photo_protected.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	$77setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	$77setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	photo_protected.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\$77\$77setup.exe	photo_protected.exe
File opened for modification	C:\Windows\SysWOW64\$77\$77setup.exe	$77setup.exe
File opened for modification	C:\Windows\SysWOW64\$77	$77setup.exe
File created	C:\Windows\SysWOW64\$77\r77-x64.dll	photo_protected.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2620	photo_protected.exe
2908	$77setup.exe
3052	$77setup.exe
852	photo_protected.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2000	2908	WerFault.exe	33

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2352	PING.EXE
760	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2868	schtasks.exe
2172	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1644	powershell.exe
3052	$77setup.exe
2620	photo_protected.exe
2620	photo_protected.exe
2620	photo_protected.exe
2620	photo_protected.exe
2620	photo_protected.exe
2620	photo_protected.exe
2620	photo_protected.exe
852	photo_protected.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	photo_protected.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2908	$77setup.exe
Token: SeDebugPrivilege	2908	$77setup.exe
Token: SeDebugPrivilege	3052	$77setup.exe
Token: SeDebugPrivilege	852	photo_protected.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1236	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2908	$77setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2620	1924	1c1cd3ee6e73a4e599c7c32bae300b05_JaffaCakes118.exe	29
PID 1924 wrote to memory of 2620	1924	1c1cd3ee6e73a4e599c7c32bae300b05_JaffaCakes118.exe	29
PID 1924 wrote to memory of 2620	1924	1c1cd3ee6e73a4e599c7c32bae300b05_JaffaCakes118.exe	29
PID 1924 wrote to memory of 2620	1924	1c1cd3ee6e73a4e599c7c32bae300b05_JaffaCakes118.exe	29
PID 2620 wrote to memory of 2868	2620	photo_protected.exe	31
PID 2620 wrote to memory of 2868	2620	photo_protected.exe	31
PID 2620 wrote to memory of 2868	2620	photo_protected.exe	31
PID 2620 wrote to memory of 2868	2620	photo_protected.exe	31
PID 2620 wrote to memory of 2908	2620	photo_protected.exe	33
PID 2620 wrote to memory of 2908	2620	photo_protected.exe	33
PID 2620 wrote to memory of 2908	2620	photo_protected.exe	33
PID 2620 wrote to memory of 2908	2620	photo_protected.exe	33
PID 2620 wrote to memory of 2908	2620	photo_protected.exe	33
PID 2620 wrote to memory of 2908	2620	photo_protected.exe	33
PID 2620 wrote to memory of 2908	2620	photo_protected.exe	33
PID 2620 wrote to memory of 1644	2620	photo_protected.exe	34
PID 2620 wrote to memory of 1644	2620	photo_protected.exe	34
PID 2620 wrote to memory of 1644	2620	photo_protected.exe	34
PID 2620 wrote to memory of 1644	2620	photo_protected.exe	34
PID 2908 wrote to memory of 2172	2908	$77setup.exe	36
PID 2908 wrote to memory of 2172	2908	$77setup.exe	36
PID 2908 wrote to memory of 2172	2908	$77setup.exe	36
PID 2908 wrote to memory of 2172	2908	$77setup.exe	36
PID 2908 wrote to memory of 1852	2908	$77setup.exe	38
PID 2908 wrote to memory of 1852	2908	$77setup.exe	38
PID 2908 wrote to memory of 1852	2908	$77setup.exe	38
PID 2908 wrote to memory of 1852	2908	$77setup.exe	38
PID 2908 wrote to memory of 2000	2908	$77setup.exe	40
PID 2908 wrote to memory of 2000	2908	$77setup.exe	40
PID 2908 wrote to memory of 2000	2908	$77setup.exe	40
PID 2908 wrote to memory of 2000	2908	$77setup.exe	40
PID 1852 wrote to memory of 1784	1852	cmd.exe	41
PID 1852 wrote to memory of 1784	1852	cmd.exe	41
PID 1852 wrote to memory of 1784	1852	cmd.exe	41
PID 1852 wrote to memory of 1784	1852	cmd.exe	41
PID 1852 wrote to memory of 2352	1852	cmd.exe	42
PID 1852 wrote to memory of 2352	1852	cmd.exe	42
PID 1852 wrote to memory of 2352	1852	cmd.exe	42
PID 1852 wrote to memory of 2352	1852	cmd.exe	42
PID 1852 wrote to memory of 3052	1852	cmd.exe	43
PID 1852 wrote to memory of 3052	1852	cmd.exe	43
PID 1852 wrote to memory of 3052	1852	cmd.exe	43
PID 1852 wrote to memory of 3052	1852	cmd.exe	43
PID 1852 wrote to memory of 3052	1852	cmd.exe	43
PID 1852 wrote to memory of 3052	1852	cmd.exe	43
PID 1852 wrote to memory of 3052	1852	cmd.exe	43
PID 2620 wrote to memory of 2300	2620	photo_protected.exe	44
PID 2620 wrote to memory of 2300	2620	photo_protected.exe	44
PID 2620 wrote to memory of 2300	2620	photo_protected.exe	44
PID 2620 wrote to memory of 2300	2620	photo_protected.exe	44
PID 2300 wrote to memory of 576	2300	cmd.exe	46
PID 2300 wrote to memory of 576	2300	cmd.exe	46
PID 2300 wrote to memory of 576	2300	cmd.exe	46
PID 2300 wrote to memory of 576	2300	cmd.exe	46
PID 2620 wrote to memory of 1744	2620	photo_protected.exe	49
PID 2620 wrote to memory of 1744	2620	photo_protected.exe	49
PID 2620 wrote to memory of 1744	2620	photo_protected.exe	49
PID 2620 wrote to memory of 1744	2620	photo_protected.exe	49
PID 1744 wrote to memory of 1340	1744	cmd.exe	51
PID 1744 wrote to memory of 1340	1744	cmd.exe	51
PID 1744 wrote to memory of 1340	1744	cmd.exe	51
PID 1744 wrote to memory of 1340	1744	cmd.exe	51
PID 1744 wrote to memory of 760	1744	cmd.exe	52
PID 1744 wrote to memory of 760	1744	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\1c1cd3ee6e73a4e599c7c32bae300b05_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c1cd3ee6e73a4e599c7c32bae300b05_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\photo_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\photo_protected.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "drivers" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\photo_protected.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2868
- - C:\Windows\SysWOW64\$77\$77setup.exe
    "C:\Windows\SysWOW64\$77\$77setup.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "drivers" /sc ONLOGON /tr "C:\Windows\SysWOW64\$77\$77setup.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2172
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ptcxTOdOFkg1.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1784
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:2352
    - - C:\Windows\SysWOW64\$77\$77setup.exe
        
        "C:\Windows\SysWOW64\$77\$77setup.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 1380
      4⤵
      Loads dropped DLL
      Program crash
      PID:2000
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      Deletes itself
      PID:576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\26iDqG5SW6rh.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1340
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:760
  - - C:\Users\Admin\AppData\Local\Temp\photo_protected.exe
      "C:\Users\Admin\AppData\Local\Temp\photo_protected.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:852

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\26iDqG5SW6rh.bat

Filesize
212B

MD5
c11febd595de5b1ac9d400a0fb32ec0b

SHA1
5ac59721c1c2775584d0cb34824050501ad63bfd

SHA256
469ae7ddbab15fcdadc659fb8e885a0b289cf644226a008fc8f44d393c835abe

SHA512
87172352a823472bd54080a09374295bdebcdd39e0e2e63ebb6fde8697801d6e626f15883f5b55fdde4f9185f76770ae47fb8d6a85ca8a269218a0d8fa3a47e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\photo_2021-01-20_10-32-33.jpg

Filesize
15KB

MD5
4ed5be10b9b30e012b2b9ba0dae6cf8f

SHA1
675c76af77de29bc8edabfcff7161f3c5124aa26

SHA256
f7b9988a7419825092d7f6b01b99aa41e628023697b17850252705657ad42b41

SHA512
349e26ae4509ec2d606921d02d453137c27a4794223b8fdc5a4f6bae2dd0ae1776d83cc23deeeffc0ca0113917fb8e35eb00d0aecc3be5c59a2f0d36712a9dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptcxTOdOFkg1.bat

Filesize
195B

MD5
27c9bc10c28fbb4df24b227ee9c25ef8

SHA1
61bdee25ad9d4a736ff3cc2f91fcafaee36cb424

SHA256
4cbe1516985239cacf4d4233bda54b4265fcbb8fd69e2d4d85bb22285917f776

SHA512
d161b350fbec6a481b3325fde9208e40f2eda7e11edd5e5061e9b2004a9b2e030d0782415b23dc997bbaf681e101b9fdc25457ec745ec6d6fd40ff18d79e6672

Download Submit
\Users\Admin\AppData\Local\Temp\photo_protected.exe

Filesize
12.6MB

MD5
61ca2ad2572a94b36652120f72678cdc

SHA1
a4d651b8f78fd50e8a4404c2f478cee43a37a0a6

SHA256
36368eb39f43447cdcac8543b31da262253479e826635d03ed0dda76947b5c97

SHA512
8ed1e598e7b309683079e9e93cf4d8237082ec544322dc10edabf84a73ad326a019f289968b0dc721a49d27cf14dedea8ad3f034be203d3513acc6c5676a4875

Download Submit
memory/852-96-0x0000000000190000-0x000000000225A000-memory.dmp

Filesize
32.8MB

Download
memory/852-95-0x0000000000190000-0x000000000225A000-memory.dmp

Filesize
32.8MB

Download
memory/1236-5-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/1236-6-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1236-67-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1924-20-0x00000000047D0000-0x000000000689A000-memory.dmp

Filesize
32.8MB

Download
memory/1924-68-0x00000000047D0000-0x000000000689A000-memory.dmp

Filesize
32.8MB

Download
memory/1924-4-0x0000000002460000-0x0000000002462000-memory.dmp

Filesize
8KB

Download
memory/2620-25-0x0000000000920000-0x00000000029EA000-memory.dmp

Filesize
32.8MB

Download
memory/2620-26-0x0000000000920000-0x00000000029EA000-memory.dmp

Filesize
32.8MB

Download
memory/2908-39-0x0000000000EF0000-0x0000000002FBA000-memory.dmp

Filesize
32.8MB

Download
memory/2908-40-0x0000000000EF0000-0x0000000002FBA000-memory.dmp

Filesize
32.8MB

Download
memory/3052-65-0x0000000000EF0000-0x0000000002FBA000-memory.dmp

Filesize
32.8MB

Download
memory/3052-64-0x0000000000EF0000-0x0000000002FBA000-memory.dmp

Filesize
32.8MB

Download