quasar | 02c614d149eeba84d88bb0bf9054c63a43edd5ae2993d3cb45b669cd7e590662

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lchs.exe
Size

3.4MB
MD5

45135fb081a6c819f57b8af5d643fa0a
SHA1

41d53a31c8fd14780eb5ddbed85bc893c537d8b1
SHA256

02c614d149eeba84d88bb0bf9054c63a43edd5ae2993d3cb45b669cd7e590662
SHA512

a013dc1e56ff12ad7a2137de92a2b154bbe1563ef19a7770ad3241d4218946db4811c06b92e06dfee29fd7ff8e7e679474005ccea80abd8dd6ef1476ee39d29c
SSDEEP

98304:/zUa0ps1XffeC+/qLwLi0mRqDZwqRY9GBN/txR:/zBUEmCbLsi0mEDmqR/zR

Score

10^/10

quasar 25-09-2024-msc discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

25-09-2024-msc

193.124.33.141:4782

Mutex

b4f4a566-ecdf-4f60-b8dc-d8a1a60e842f

Attributes

encryption_key
DD459BB92A43EF8EEB2FE401C8453F685AECE590
install_name
ChromiumDaemon.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Chromium Extentions Service
subdirectory
ChromiumExtentions

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/1632-105-0x0000000000270000-0x0000000000594000-memory.dmp	family_quasar
behavioral1/memory/1632-107-0x0000000000270000-0x0000000000594000-memory.dmp	family_quasar
behavioral1/memory/1632-108-0x0000000000270000-0x0000000000594000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2552 created 1196	2552	Adams.pif	21
PID 2552 created 1196	2552	Adams.pif	21

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CipherLock.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CipherLock.url	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2552	Adams.pif
1632	RegAsm.exe

Loads dropped DLL 3 IoCs

pid	Process
3056	cmd.exe
2552	Adams.pif
1632	RegAsm.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2224	tasklist.exe
3036	tasklist.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\TeddyAmazon	lchs.exe
File opened for modification	C:\Windows\TcAssure	lchs.exe
File opened for modification	C:\Windows\MirrorsMartin	lchs.exe
File opened for modification	C:\Windows\MaryLatitude	lchs.exe
File opened for modification	C:\Windows\StatingJewish	lchs.exe
File opened for modification	C:\Windows\FewerReasons	lchs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adams.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lchs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	tasklist.exe
Token: SeDebugPrivilege	3036	tasklist.exe
Token: SeDebugPrivilege	1632	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2552	Adams.pif
2552	Adams.pif
2552	Adams.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1632	RegAsm.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 3056	2244	lchs.exe	28
PID 2244 wrote to memory of 3056	2244	lchs.exe	28
PID 2244 wrote to memory of 3056	2244	lchs.exe	28
PID 2244 wrote to memory of 3056	2244	lchs.exe	28
PID 3056 wrote to memory of 2224	3056	cmd.exe	30
PID 3056 wrote to memory of 2224	3056	cmd.exe	30
PID 3056 wrote to memory of 2224	3056	cmd.exe	30
PID 3056 wrote to memory of 2224	3056	cmd.exe	30
PID 3056 wrote to memory of 2184	3056	cmd.exe	31
PID 3056 wrote to memory of 2184	3056	cmd.exe	31
PID 3056 wrote to memory of 2184	3056	cmd.exe	31
PID 3056 wrote to memory of 2184	3056	cmd.exe	31
PID 3056 wrote to memory of 3036	3056	cmd.exe	33
PID 3056 wrote to memory of 3036	3056	cmd.exe	33
PID 3056 wrote to memory of 3036	3056	cmd.exe	33
PID 3056 wrote to memory of 3036	3056	cmd.exe	33
PID 3056 wrote to memory of 2604	3056	cmd.exe	34
PID 3056 wrote to memory of 2604	3056	cmd.exe	34
PID 3056 wrote to memory of 2604	3056	cmd.exe	34
PID 3056 wrote to memory of 2604	3056	cmd.exe	34
PID 3056 wrote to memory of 2728	3056	cmd.exe	35
PID 3056 wrote to memory of 2728	3056	cmd.exe	35
PID 3056 wrote to memory of 2728	3056	cmd.exe	35
PID 3056 wrote to memory of 2728	3056	cmd.exe	35
PID 3056 wrote to memory of 2756	3056	cmd.exe	36
PID 3056 wrote to memory of 2756	3056	cmd.exe	36
PID 3056 wrote to memory of 2756	3056	cmd.exe	36
PID 3056 wrote to memory of 2756	3056	cmd.exe	36
PID 3056 wrote to memory of 3044	3056	cmd.exe	37
PID 3056 wrote to memory of 3044	3056	cmd.exe	37
PID 3056 wrote to memory of 3044	3056	cmd.exe	37
PID 3056 wrote to memory of 3044	3056	cmd.exe	37
PID 3056 wrote to memory of 2552	3056	cmd.exe	38
PID 3056 wrote to memory of 2552	3056	cmd.exe	38
PID 3056 wrote to memory of 2552	3056	cmd.exe	38
PID 3056 wrote to memory of 2552	3056	cmd.exe	38
PID 3056 wrote to memory of 1332	3056	cmd.exe	39
PID 3056 wrote to memory of 1332	3056	cmd.exe	39
PID 3056 wrote to memory of 1332	3056	cmd.exe	39
PID 3056 wrote to memory of 1332	3056	cmd.exe	39
PID 2552 wrote to memory of 1860	2552	Adams.pif	40
PID 2552 wrote to memory of 1860	2552	Adams.pif	40
PID 2552 wrote to memory of 1860	2552	Adams.pif	40
PID 2552 wrote to memory of 1860	2552	Adams.pif	40
PID 2552 wrote to memory of 348	2552	Adams.pif	42
PID 2552 wrote to memory of 348	2552	Adams.pif	42
PID 2552 wrote to memory of 348	2552	Adams.pif	42
PID 2552 wrote to memory of 348	2552	Adams.pif	42
PID 1860 wrote to memory of 1932	1860	cmd.exe	44
PID 1860 wrote to memory of 1932	1860	cmd.exe	44
PID 1860 wrote to memory of 1932	1860	cmd.exe	44
PID 1860 wrote to memory of 1932	1860	cmd.exe	44
PID 2552 wrote to memory of 1632	2552	Adams.pif	47
PID 2552 wrote to memory of 1632	2552	Adams.pif	47
PID 2552 wrote to memory of 1632	2552	Adams.pif	47
PID 2552 wrote to memory of 1632	2552	Adams.pif	47
PID 2552 wrote to memory of 1632	2552	Adams.pif	47
PID 2552 wrote to memory of 1632	2552	Adams.pif	47
PID 2552 wrote to memory of 1632	2552	Adams.pif	47
PID 2552 wrote to memory of 1632	2552	Adams.pif	47
PID 2552 wrote to memory of 1632	2552	Adams.pif	47

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\lchs.exe
  "C:\Users\Admin\AppData\Local\Temp\lchs.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Royalty Royalty.bat & Royalty.bat
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2224
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2184
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3036
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 82001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2728
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "diffsricopermissioninitiatives" Queens
      4⤵
      System Location Discovery: System Language Discovery
      PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Responsibility + ..\Documentation + ..\Pointed + ..\Mariah + ..\Assurance + ..\Fort + ..\Remainder + ..\Pissing + ..\Camel + ..\Who + ..\Torture + ..\Preview + ..\Enquiry + ..\Adrian + ..\Martial + ..\Crest + ..\Fame + ..\Regression + ..\Trucks + ..\Sister + ..\Excluded + ..\Seminars + ..\Followed + ..\Matthew + ..\Loan + ..\Boat + ..\Subsidiary + ..\Stewart + ..\Licensed + ..\Specifications + ..\Par + ..\Mint + ..\Insulin + ..\Bryan + ..\Slot + ..\Side + ..\Acre + ..\Ethical + ..\Briefly + ..\Cayman m
      4⤵
      System Location Discovery: System Language Discovery
      PID:3044
  - - C:\Users\Admin\AppData\Local\Temp\82001\Adams.pif
      Adams.pif m
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Users\Admin\AppData\Local\Temp\82001\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\82001\RegAsm.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1632
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Ata" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CipherGuard Technologies\CipherLock.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Ata" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CipherGuard Technologies\CipherLock.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CipherLock.url" & echo URL="C:\Users\Admin\AppData\Local\CipherGuard Technologies\CipherLock.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CipherLock.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\82001\m

Filesize
2.8MB

MD5
252b869ac235e18ece4e305f2bf25918

SHA1
c487013b26a846a0d45d8351ca485731d5eafede

SHA256
0405dc33bc5b31cc84428d016d214a05f7a8d5074568d7480bcac6d8f6a4f761

SHA512
b2a69f1aa3f65de265cb802934fbcdaad10d4ab51d989efb9a3d40c6a12809818c5ee458b420afbc170c88afb609cb51703a4fbce96b4d90515d72a032d00fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Acre

Filesize
51KB

MD5
601bd01aa022d880b3f4ce879fc3d4a4

SHA1
a8745722e982ac73523064454b60358ac5f9ff77

SHA256
906d23e09dfae8ce35f3db2d35b1d52f7e9100b4913994c56acd2fcfed503015

SHA512
c438c5582ab1a397007aa5b1cdb145187b2e9fcf486df1bc42dcf70e4b9f35d1a89d586eeb107125f4dc7900506703763141956c0f2b46b77b6354783a7122c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adrian

Filesize
64KB

MD5
ae659416adef46478fdbd878c9ed4110

SHA1
f0dec20ca215efb55ea31ad98f8578a3cfdacaae

SHA256
1ae8bfb298e40f899d2e8ccc01a93462c453ee6b520faab6d02fb5284c2f3c05

SHA512
853956dd62716a8c44de20cda5683d4dda4ae7aa687723dcaad4ecc5455994e6f5eba42fe5119eb77c15b3b1f7ef2a8ae2655491eeaebfd045a7c67de700a5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assurance

Filesize
82KB

MD5
8707eb896cb68f312b19ee94743c6ffd

SHA1
6b64e6d40873a0343984024a368676008a067de7

SHA256
d6a87e4f95d982147cd4f3bd005ae4f7a530e25dadb08695e6954c23a58ea467

SHA512
f443da3f02e8de59dd97473c015e2da633bb177e74a69a10b99b50e1c2bfdd3151f70c8ffeb0f3f28c84f53eb43ee05b5cc4ee1b007c06fab6990f30953e59fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boat

Filesize
65KB

MD5
e13076c16127dc23804617be9cb24978

SHA1
5c85b06b91eda934671169c98ce5a751e3203351

SHA256
5cc7bcac67b8615a1045b7e40aea92d940291c2754a1482f3d1c0845017a82c5

SHA512
d3570d0f02f9ce479455ab997aa7fc0362e1623e9d36fa56288c11b83de35274c5d929d6071dced5388f6b5ef7a3fee01cc25d803c9ac8aa4be7392f3877f743

Download Submit
C:\Users\Admin\AppData\Local\Temp\Briefly

Filesize
54KB

MD5
f2470dc31b8fec8e8580f07cd5c5f2ab

SHA1
32ce1a853bdd08a61c52f9edc80ce488a3f56afe

SHA256
e8b7b64176b24d6b86d3e4b1758a030d8a5c20f0af8a92c3d8a1124a0ee28d43

SHA512
761123eabdb2aff661c90a3f895171fa73d6613e38de7b4229aecdb39ab50713e7dd71702a3810eba4fb5e27b2ea94638b829e1da02f3658edf4f7b86b945498

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bryan

Filesize
86KB

MD5
43eddd3ac3a3ad72a12f49489e63585b

SHA1
f574b44746967643ea371bc9aa11a4a45e10cf08

SHA256
612b00d1f3fddba0a84552b1263e763f82bf6385667ee5d94f3aa26af666fe97

SHA512
d53780d559d94624f5cc8b5323bcb23dd96dc57e099b40626085b1b6434b0dd0ad1b864cef3effeee9cc7f502583c69f8e649ad568a6df9b227e9db6b11f8a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Camel

Filesize
63KB

MD5
d579577e2df519bdcd8c31d44f577b12

SHA1
b3cf6fc8af555aa99dab9c188832c54095190e9c

SHA256
fb188604fe28ee5de6230802e72060cb94db35df83e6e7beb16d52ac9993443d

SHA512
1832bd803e1db4670b951f93bcbabb772b7abb8974f1fba8015f5b59ab5db43f395bd5f580f221f52e93f9682add8ec95f78c647b7aabf3021cb937419814669

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cayman

Filesize
43KB

MD5
7215329876fcee10a1ac927bdcb56bbd

SHA1
6b760f543f0935fc84cb106452a54be32f04c53f

SHA256
ab8873d2904bb09881a8b810ef3de192dc2a33ff83aec0db6eeac23c51635cf5

SHA512
35bcf33ad6f6fda4e49928ef6c3232ae87b3d7b089aba13e0c544cc0ab2de1657db81bb2bd723cab1653a2c7c32e750f010d492b9feb29df9289d9f0d8b7cce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crest

Filesize
59KB

MD5
219f6852bbb641177afaa928e14ecff6

SHA1
e5274a05c1c539df8e82f5f746bd433bb63a2d5d

SHA256
a738d9b4f87a72c70c73d83c3a5ac27c1567e06008c2ee46dd74f13742ff16a3

SHA512
90477e871ab339f8ea9e9c3126ac52faab6ad152920c7b1bda9ef09c82485559b1a2d4f0a693b67a41dfdeed6962d72e755559b67676dd88ff3926d5dc8307a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Documentation

Filesize
70KB

MD5
158d8eab022f949726a82b7470c229a8

SHA1
668230b841656060d0ef7415400584e6fcffe013

SHA256
59484f7b67aff3abe85afcb3f4d9f83ed06b707e27d01ed041823cc5c8a6ddfc

SHA512
859895e959d737ed97d46a45ceb685bf52b2b715abfe789c6ccfdc808b4fb96ade59f2646ecf5070e30a61a41ec4b42e34f2e7e8f0dc2a884d41856eee7d6ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enquiry

Filesize
75KB

MD5
b880c4dbe618e82032d68eb16ba94b43

SHA1
9dd6720dd2dc1399dcdbc57f80ad851918cb9833

SHA256
555edfdd8cd8f862f6394e2a8f9a0b0b28977eaeacdf25192318e41da52b0e1e

SHA512
8fc1c2cd7d7a617e29dafb759d7c4f73001e5f6bfa134fa295c1ec4363086057cff98e2ba9acddf7ef494677316ec392efbe2b0ca6bdca499e4694c575f867bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ethical

Filesize
68KB

MD5
c5e5c994eea5da7e580a4c38012f8207

SHA1
7fd8bb0e28b71a97c835f00c0b80650479d33678

SHA256
59db06836d4dbc21d930df7752d57e49f802c69a481d7a4b83ecac76f7db9552

SHA512
18fe9c8c2b58110a0bd9c537eadcfbb616937bb71ddbe5823bd3bb3024fa945e76a423f1fae530cdff70e5b3748e5ccb02c067aef67a8c57d8335e4d4c887044

Download Submit
C:\Users\Admin\AppData\Local\Temp\Excluded

Filesize
83KB

MD5
8119b3faa0ef3ff564b0ef5cac42d048

SHA1
cf9e08f6ffa56589e6393f4d23fb75de1402b9a2

SHA256
23e9b78b70fb45accabc7c45dc5bc2e1919e5726adce25b2e0214578ef8fb0e7

SHA512
04b2668334eca8d2d59842d6e1f1718325aa34b9164c78515bb9776cf7870aebb750aec8f24fdfa15337e56c7f4b365ffdbddbb72c38321e3110a3800e37e149

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fame

Filesize
86KB

MD5
86b69a3317394bf67186d25c1314d566

SHA1
1f49a2bd99a317e793b9bc04531939b03b6ed9af

SHA256
7221002ccf312d405bf39630025585b4f78ebba2955f50b8ff9e899d65eb5e83

SHA512
48d04a58bd68f71eca852eb75c4f29e9e8dab79ea9d3cc68cb899fd42ca9bebbc630807ed339626ae8b2ed2fa86f1cf9b61a2a373abc2d2f4f9774993fb4b8f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Followed

Filesize
56KB

MD5
1264ba8182c2e3b16666a7652a9c6061

SHA1
39707bbaf36e7f38d63810b8b3dc7a72c1ebfcd9

SHA256
3e42269f6cc628b0cd7e179079fb26ffa0b60af3b093244eb58b382fb63ac8b3

SHA512
7fece8681378fff22984d1f35d72ab9116365db4720b62777d1dda111cd8ce39120358a6acca0af7a7ed9b4de8610cb7cb8721cb095c34c887ae4b33d8816f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fort

Filesize
73KB

MD5
b0a97792af2c97d5433f4ae13e426b04

SHA1
794f8a9126b7b37d7739c8565f7752e2f8185c15

SHA256
0239376c0067b1fb4e167c79d18ecccb5217349df1f079b84648a5f604c9d281

SHA512
40eb871196964c77ff8701f22bf218c4cb43d3a39b3afe28c4478ed8e22c66c58974d67884b3b5d7639daee23165c9158b100a5848424967569a3841c2cc0f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insulin

Filesize
68KB

MD5
694e1faaeb5c7f38b7f1156dbbf2bf82

SHA1
bdad91b050d13517b5c67772b51d06dafdbe6de0

SHA256
4044382b09dcc7599b2139f97bd5b6938e5d14f7bda529cf5325911c21e86909

SHA512
45cd28da84b3afc800bc1e34982926e7335998cd7ee7addc12736433e427c559c34422f13063f4fd86699812b9abbcbf1fa02f881d95b6750fe1cee6920a4d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Licensed

Filesize
53KB

MD5
ad6c3031765e85926f50ffdce937640e

SHA1
40981b62584c5701228a24f0e83c401f33b9c3ae

SHA256
3a51e7c0c8949a8a1bbc462d7b2d2c70cbf4379eaf27e4935502c13959c27f41

SHA512
d8232fea9faeb1011581956591f70ee5ad7016dab15fdc8cf584816d996bb7e67dc006855743cf2e9632298c526512a478b1718a7acd83142ddaed758f168367

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loan

Filesize
85KB

MD5
7bf64ff55cce13a38ee873b0ae37aa00

SHA1
3c8b18030b4d82b3cceae60276a8f70b41058d35

SHA256
41dc04590bd8660c6cbf4175f84c60b809dff7e8705b6b56989a507e5fb26b69

SHA512
9f676d81aa4d523ec26a76498fda6ae7ecc12daab8589fe2b6fee55e90d4b72d618f7d4d340bb79966f1fa77df29fde47cb0587223f2c0fec81acbb849114c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mariah

Filesize
89KB

MD5
0df023c5a68116418230687b32668b4d

SHA1
ad016c190d28abff48f8dbd335e047c9de1a6cc2

SHA256
65dddba13bc0c1e5ab348d7dfbb979f38827bb7b0d442458db72414f2f0c33f3

SHA512
eae6d45b0518d4a4aaba2d1176ff984045bddfce7d4f4ed4086136f0a4f4d35eceeec4871344c16e00758142b636f7990955af5ab904d8ab189ababd02723367

Download Submit
C:\Users\Admin\AppData\Local\Temp\Martial

Filesize
55KB

MD5
d9ba59f9bfe081e0706f26ce9ce2526a

SHA1
34ce41241af2bcb1e4c2e862ec539b72293374be

SHA256
0f62c6143fb6bcffd548041a6581a7abf07dbb7f2ad617f3d80d62325b8db8fe

SHA512
53d11309608bae975a777d9284996cfe23909f12cd74188c2eca10bf54cecb0eb7c95de00b990fbc0927a234f3f6aef80469435b7953febd9ef3c498f0732fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Matthew

Filesize
50KB

MD5
bee43a36eebc5b3cc5c81f09c658ecf1

SHA1
505ee1b3bd0581a2a645a7bf63733a895ad7df2a

SHA256
32cc7a4389ba6838404110fb39eece1e6cc7435f9703864446ecf46980b0b927

SHA512
c29a4f69df5fe1261cd76e3bbb1bef882daa0e8273cd7b96fbeec3fca69f45b95a81cd41d4ed292f9a54d519e28557dec1a47bcdae92838a8b709225486c8c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mint

Filesize
64KB

MD5
170638066a0fd05fc6e7dd0936bf4cde

SHA1
0b61682b521137e6acb92930c205630fcdca8e9b

SHA256
fbd991f379e6f10dfde4ad73718fdb1b148a20d7f9a1dcbf71a3936f818dcd26

SHA512
9f051650bf4db93a3371031f2538b0ea67ed29b6fdf2021d30320332700caf38d155461ce98a675391ee97476cc318ff76530cdb723a732122c6aa33d840b171

Download Submit
C:\Users\Admin\AppData\Local\Temp\Par

Filesize
71KB

MD5
8a3ea1b2b4a32dbcf017c4c497beb470

SHA1
4f9f9f878e4fc38a758f34eca008bce91ec9eba8

SHA256
00a85dd782934fc4d0db6026edd30f5f92318a0d2a622646cad848b2510f3c1e

SHA512
04b8069e9137b2abf13b65d3da8553d940fe6b66231dd167e57dbdd4578f0514fe487d4cb9a810783c6af246698c72917061a1a6ba328bc2f9e2f1011fb4906f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pissing

Filesize
53KB

MD5
ceed92dafa9fcbd2da114fc04d437624

SHA1
6c0a17025b6cd972baca80dfc7d6fe9aea06d0c3

SHA256
a3d32cd81c7adf481580ff689d2296276137702b02b54f9c25e79cdd36f425e8

SHA512
2679a122cd386605bce0457091ced17d2d0767ea415bae13244954fb729a4529a8cd8fd18a554defc09e33487c00cc97c300438a2f53ba1066f143aa4d5cc347

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pointed

Filesize
90KB

MD5
f53641999a18632e6eba2eede2df26b3

SHA1
7f360ac733755b02898cc3dee06e6c297c383732

SHA256
237e7c60bfb20973ad7c3bf424acecf7cea15c75b2466f902fea8463ad6e589a

SHA512
d299ab6a72dcf591cb83a514b23d6ac6a7553c6c6e6677cc7133f8f97ddeeef945fb354d10e41a9bd507c1e1e6b8917ea94f18f6f7e5974694b9fbc06df842b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Preview

Filesize
70KB

MD5
dd543d6477580c04445209272d556a1b

SHA1
828ba2d8ec93b3f6da9d0f4db1afc263e4f013c3

SHA256
019d20107bfa658779a620b4f13919a3b5563bfa29152334d3d4887819d1d48d

SHA512
bf205630df1517f7844a34b25c0121533b7576775159b6b7d8a14011a045d8617af28b8675b3de4c2b1bd4291bdc192f119e9a644a0cb9ee18b041954254b94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Queens

Filesize
4KB

MD5
aac075eb53f6821808a9b8a9871eb08d

SHA1
0fd50aef5cbe1714703421fd99aa2ffa635718b0

SHA256
5de0e312350145fe4604a04ab79009fe5147d531e12040237cee1421e9fe4c5c

SHA512
56b1f73027c82715918a367a5d73be3bc15eb87ffc805b5f53ebfcd5fad1c5753d0f5004d45d598a7e9d9e756f6cb9935e620d75851f0b80c2ad6ac1308f4ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Regression

Filesize
71KB

MD5
2ebdca2cd9dd3f3dc34bdb69609ef51b

SHA1
915fa6012329647d98699cce76b3fd662676bc18

SHA256
a60568eba51cdc9023cc986db1497c8d70981b3cea30191feed931748a51e4f4

SHA512
2cb67489574d873fe2e63629f17473c1e73f0427a2e4c7ddacedf2015f2d69776aa0c25b978adcb832132ccaa380388752090713719f700ee4ef8601519cd59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remainder

Filesize
63KB

MD5
aa10871556ae9c65203b65cc85900a1c

SHA1
a0026b773488146df5bb43d50863a8df01fa0585

SHA256
d60c1c7989768b03b162407b9020c8e433b31f9fe34e0fb72989c4c4aac15dd8

SHA512
6d9b31cb424500fea7501d5b47bb95885e73cc3639d74ea283390686485b46057c455354f16fd8b38ccfd5f8d7d1eb3c85bd7cf80a59b66cd9485cd660d60c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Responsibility

Filesize
92KB

MD5
8e45e5da90185b1ee14eba3d6d51b38f

SHA1
85765c24976f42410ef6fb86f394f63ccc0f72ec

SHA256
2152fe48be73fc2ed7450200640eef4f577a80909e6efe4294dff8257724ec84

SHA512
ab47b49b146f7ab988e19479c4bbc3a8bba4ae8f6c03d1a6e001e4fa321b2b2ca2b8fabe0556289662123438717d9081f859b72f9bb455bf05d6e236da0acb87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Royalty

Filesize
13KB

MD5
2580a7cf9cb0e9740710abe114d85eb8

SHA1
9f5f182bc6821b9e4be8ab75a73b685018be4e8e

SHA256
ab07fec8c1c3076a22af061749fc7366d4b24feb9f9bd2f4d2fcf9c5a42fb738

SHA512
46e18aa4c84c898309468b5fd99d205a63415cf7d8263e84ac70761f6356775750eedde0562eeca534574ece61a6567b86ecde45452509710fc7d04aac7f02b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seminars

Filesize
53KB

MD5
8af82385af9c7dca055c530deb0b4af6

SHA1
322d24b5a54e0e9ae0ae31478deb011559676ef2

SHA256
88c10071723a47e7e4580a8b53f0d9409d3ef42e0bc4e373dc0cf9b194f81c91

SHA512
cfbcf9b05bd83db07c5822036527a04a35951a31788764773d598f14d51712a0aa037f7665917b3f85537f5477c7e2dedbfe0bac4b2e986e2d7c51e1d34e1bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Side

Filesize
91KB

MD5
32a88b735a2d94b8ab5bad28a4964f41

SHA1
8d32bf3581303dc20652c7f96ac7577af96f2776

SHA256
16a418f1731ee80bf123c8b86512c09455016114491e6418710b0e5c7c714805

SHA512
ad25100048b7a8275c2cfb5b8c23f9a3cebfb30ead4c7b5c7399b40883607af98fd03cd4357784b67d311dbd611cc49eb6ea65bd08d9d0049ce8b0457836e5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sister

Filesize
88KB

MD5
277cbb9e47b8621ba8d73d25cad9c804

SHA1
5ed9537e2f09bd5522a2fe087fb105d5ed8bf546

SHA256
483bac5adf8998c2928c22d0584be2adf13d076381d7a49678cfc81ec2b154b8

SHA512
a335fb554e3f47017cd4a99ef17785a0911e390d7e39298c88e2f459dcaf8a2a1d25238299b1f9dc57d989a1b24221ff4c777a030a301d8f43e67dc7ad0bb28c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slot

Filesize
91KB

MD5
e74c16a5cf79dadc05bcad128ba1e026

SHA1
35da9339c4626d54d1786c8c4ecc24d331018248

SHA256
4912639049d6a71f4157bf6a6bf3a97028fee82a8d97d6c6551b5f1ae5ccbccd

SHA512
5893a452a3079fbadfee54157af27af3ac5f44d5b1ebd42a274e7eff951524d817acc0bc524413e872564daabfee65f74739868e177b69e7e2d43810fdac2635

Download Submit
C:\Users\Admin\AppData\Local\Temp\Specifications

Filesize
54KB

MD5
ed78ac8601299584872b33b0dddbf9df

SHA1
72eb7426d30dec807c00b2f07f24147227a4bcd3

SHA256
61f66f5a06ec8ff71eb1ea5521de920a59b745b32459140c5ac49c39554fe3c9

SHA512
ee0003694928a8ca099c5eed5d0a10da1209398116c6dd0eee1baeeeffb1517db088996f7200ebaaa8caca923f64bd6ea39790a3116d265946507f2ccf9dd261

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stewart

Filesize
73KB

MD5
8f607d29da81aab83fb78dd87494fd81

SHA1
0fa190b4f2e741f0ea9f42b88435e43b6961cf4e

SHA256
e8a61348e9883c27f937daad86f8b4b13d077303692b7e9ed368f51f48522bfb

SHA512
afbe43e91f6c20dccbdf1439a6760b2b734a6349066308e8f25444bdb72f1e54ea965c236d4f7e6efbf009c2f9226cf59af5e8bf014cc41fb179b9aaf594b54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Subsidiary

Filesize
93KB

MD5
c074e16a957a6d0b1cbb31385f5583eb

SHA1
08848d7d3ea079f5900faccef9679f4311fb6eff

SHA256
ebdffa0fe71340dd7e22b27ae55596b7a5055cc10dd3a9ed71d0837dab730551

SHA512
42f30068842ebf17d5839eff5a6a2f88d22d56d0dfb9885179b46b2cc63fdf1bee3fb758d71516631d738281c4e69bf8dac6db1d18de3487f32ba3ae1d6637fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Torture

Filesize
91KB

MD5
73c6791a8c734e03e0d00545e605ece4

SHA1
764a86aaaee77a5234fcc19c22229d6142635158

SHA256
8c1c165ff22e09190aff133917b596e67dcaa29ffafaad605f380c5d4bef0db4

SHA512
914941865cc339777951e879bd5b0c85948c3f35efa5ac43321ecae72305ab255f4e26a55e559d8319c3dd6f9c6d099ad270741431fbe0d2a41be42a32dc743d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trucks

Filesize
91KB

MD5
51902f899510fb89039aacbeef8cfecc

SHA1
974bc659a519118fca83e17c12a2a6b62b111c58

SHA256
53c3c023ecef9be11d9cd6789aee82a7bb3cee774886f696593c8924206eb391

SHA512
30a06dd082fb051d8c8e055664fd2b2230e8312945773d9c7034229b086369ae0d07f1e57ca5f4460f6145340f8798ed9dd20ee50087941a99fc99e67f0b698e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Who

Filesize
69KB

MD5
d46240eef7d6ef6e1dd8597b50a4df87

SHA1
3ffe4ae564a6315dfb84e8c77a35b02d4fb713bb

SHA256
0b7c6b4faffec11700494a43be061e92967ecae7cdab5988500681a7c82e431e

SHA512
8b3d9cf363506e38a69b0abcd6dadd7cdc248f8eb2dd2a4dd76016b66833bd1c127b57debbd1b90e0a75fea9facd6b8ddef129e666b1135cadc3428fcf3ab035

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wonder

Filesize
867KB

MD5
fe89da2f2cc16c77a19f1a39097f74fa

SHA1
a6d0ea04d10691e9c5d1b040bb86387bbcdf3abb

SHA256
2b6e84d53b3876a2d6480e23967627d685c6b12a38af127839cfd6274b62fc49

SHA512
e5be9369853e5e59cfc4f5bea19902bfd961aa44c0459fd1dbaebc0e5a1c4e8b64938268d593a66e7def8ebef579c32178a43dc161445fdcd5c45af1446a0aad

Download Submit
\Users\Admin\AppData\Local\Temp\82001\Adams.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
\Users\Admin\AppData\Local\Temp\82001\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/1632-105-0x0000000000270000-0x0000000000594000-memory.dmp

Filesize
3.1MB

Download
memory/1632-107-0x0000000000270000-0x0000000000594000-memory.dmp

Filesize
3.1MB

Download
memory/1632-108-0x0000000000270000-0x0000000000594000-memory.dmp

Filesize
3.1MB

Download