quasar | ffd1d3a0e43ff0ba827e83fccc2515392e2d08719338219d200b8a310c5acdb6

Analysis

max time kernel
147s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/11/2024, 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VaporWaveX2.1.rar
Size

72.5MB
MD5

c1b8933cfb2e489e8601d151bb291fb1
SHA1

fa62983e1a63940f55a25cd6f872b2f0206a94ad
SHA256

ffd1d3a0e43ff0ba827e83fccc2515392e2d08719338219d200b8a310c5acdb6
SHA512

e501a5a88047e0f974355c1a703303edba46c187c0c8bb24be6bcdaffc3c357923d982797cae82cd1f5c89fd8bb40391b0995093da9be18d428700b3a4a23eed
SSDEEP

1572864:OPWU7/Jq6WgiEaArvFfrdpT/3BTkwHmkuiH09i4h5gmIKTv6yjZOE:Oftq6W7A7xLTfBTgkuAjm5rz1OE

Score

10^/10

quasar general1 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

general1

servicehos.zapto.org:4444

Mutex

QSR_MUTEX_ksxWAP4ziOqMlreofU

Attributes

encryption_key
i9HUVkY4QNExDOHIMtIX
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT 3 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\14.0\Common	7zFM.exe
	2	ip-api.com	Process not Found
	7	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 6 IoCs

resource	yara_rule
behavioral1/memory/2540-12-0x0000000000CC0000-0x0000000000D1E000-memory.dmp	family_quasar
behavioral1/memory/2924-20-0x0000000000E20000-0x0000000000E7E000-memory.dmp	family_quasar
behavioral1/memory/264-37-0x0000000000E20000-0x0000000000E7E000-memory.dmp	family_quasar
behavioral1/memory/2956-68-0x0000000000DC0000-0x0000000000E1E000-memory.dmp	family_quasar
behavioral1/memory/1560-74-0x0000000001340000-0x000000000139E000-memory.dmp	family_quasar
behavioral1/memory/1612-92-0x0000000001340000-0x000000000139E000-memory.dmp	family_quasar

Executes dropped EXE 8 IoCs

pid	Process
2540	VaporWave2-1.exe
2924	svchost.exe
264	svchost.exe
2976	svchost.exe
2956	VaporWave2-1.exe
1560	svchost.exe
1612	svchost.exe
2444	svchost.exe

Loads dropped DLL 21 IoCs

pid	Process
2540	VaporWave2-1.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
7	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2780	2924	WerFault.exe	35
2040	264	WerFault.exe	43
2200	1560	WerFault.exe	56
2352	1612	WerFault.exe	64

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VaporWave2-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VaporWave2-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1956	PING.EXE
1860	PING.EXE
2628	PING.EXE
1304	PING.EXE

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2628	PING.EXE
1304	PING.EXE
1956	PING.EXE
1860	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2744	schtasks.exe
2900	schtasks.exe
2824	schtasks.exe
1584	schtasks.exe
2416	schtasks.exe
1468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1908	7zFM.exe
1908	7zFM.exe
1908	7zFM.exe
1908	7zFM.exe
1908	7zFM.exe
1908	7zFM.exe
1908	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1908	7zFM.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	1908	7zFM.exe
Token: 35	1908	7zFM.exe
Token: SeSecurityPrivilege	1908	7zFM.exe
Token: SeDebugPrivilege	2540	VaporWave2-1.exe
Token: SeDebugPrivilege	2924	svchost.exe
Token: SeDebugPrivilege	264	svchost.exe
Token: SeSecurityPrivilege	1908	7zFM.exe
Token: SeDebugPrivilege	2956	VaporWave2-1.exe
Token: SeDebugPrivilege	1560	svchost.exe
Token: SeDebugPrivilege	1612	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1908	7zFM.exe
1908	7zFM.exe
1908	7zFM.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2924	svchost.exe
264	svchost.exe
1560	svchost.exe
1612	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2540	1908	7zFM.exe	31
PID 1908 wrote to memory of 2540	1908	7zFM.exe	31
PID 1908 wrote to memory of 2540	1908	7zFM.exe	31
PID 1908 wrote to memory of 2540	1908	7zFM.exe	31
PID 2540 wrote to memory of 2744	2540	VaporWave2-1.exe	33
PID 2540 wrote to memory of 2744	2540	VaporWave2-1.exe	33
PID 2540 wrote to memory of 2744	2540	VaporWave2-1.exe	33
PID 2540 wrote to memory of 2744	2540	VaporWave2-1.exe	33
PID 2540 wrote to memory of 2924	2540	VaporWave2-1.exe	35
PID 2540 wrote to memory of 2924	2540	VaporWave2-1.exe	35
PID 2540 wrote to memory of 2924	2540	VaporWave2-1.exe	35
PID 2540 wrote to memory of 2924	2540	VaporWave2-1.exe	35
PID 2924 wrote to memory of 2900	2924	svchost.exe	36
PID 2924 wrote to memory of 2900	2924	svchost.exe	36
PID 2924 wrote to memory of 2900	2924	svchost.exe	36
PID 2924 wrote to memory of 2900	2924	svchost.exe	36
PID 2924 wrote to memory of 2908	2924	svchost.exe	38
PID 2924 wrote to memory of 2908	2924	svchost.exe	38
PID 2924 wrote to memory of 2908	2924	svchost.exe	38
PID 2924 wrote to memory of 2908	2924	svchost.exe	38
PID 2924 wrote to memory of 2780	2924	svchost.exe	40
PID 2924 wrote to memory of 2780	2924	svchost.exe	40
PID 2924 wrote to memory of 2780	2924	svchost.exe	40
PID 2924 wrote to memory of 2780	2924	svchost.exe	40
PID 2908 wrote to memory of 2184	2908	cmd.exe	41
PID 2908 wrote to memory of 2184	2908	cmd.exe	41
PID 2908 wrote to memory of 2184	2908	cmd.exe	41
PID 2908 wrote to memory of 2184	2908	cmd.exe	41
PID 2908 wrote to memory of 1304	2908	cmd.exe	42
PID 2908 wrote to memory of 1304	2908	cmd.exe	42
PID 2908 wrote to memory of 1304	2908	cmd.exe	42
PID 2908 wrote to memory of 1304	2908	cmd.exe	42
PID 2908 wrote to memory of 264	2908	cmd.exe	43
PID 2908 wrote to memory of 264	2908	cmd.exe	43
PID 2908 wrote to memory of 264	2908	cmd.exe	43
PID 2908 wrote to memory of 264	2908	cmd.exe	43
PID 264 wrote to memory of 2824	264	svchost.exe	44
PID 264 wrote to memory of 2824	264	svchost.exe	44
PID 264 wrote to memory of 2824	264	svchost.exe	44
PID 264 wrote to memory of 2824	264	svchost.exe	44
PID 264 wrote to memory of 1760	264	svchost.exe	46
PID 264 wrote to memory of 1760	264	svchost.exe	46
PID 264 wrote to memory of 1760	264	svchost.exe	46
PID 264 wrote to memory of 1760	264	svchost.exe	46
PID 264 wrote to memory of 2040	264	svchost.exe	48
PID 264 wrote to memory of 2040	264	svchost.exe	48
PID 264 wrote to memory of 2040	264	svchost.exe	48
PID 264 wrote to memory of 2040	264	svchost.exe	48
PID 1760 wrote to memory of 1988	1760	cmd.exe	49
PID 1760 wrote to memory of 1988	1760	cmd.exe	49
PID 1760 wrote to memory of 1988	1760	cmd.exe	49
PID 1760 wrote to memory of 1988	1760	cmd.exe	49
PID 1760 wrote to memory of 1956	1760	cmd.exe	50
PID 1760 wrote to memory of 1956	1760	cmd.exe	50
PID 1760 wrote to memory of 1956	1760	cmd.exe	50
PID 1760 wrote to memory of 1956	1760	cmd.exe	50
PID 1760 wrote to memory of 2976	1760	cmd.exe	51
PID 1760 wrote to memory of 2976	1760	cmd.exe	51
PID 1760 wrote to memory of 2976	1760	cmd.exe	51
PID 1760 wrote to memory of 2976	1760	cmd.exe	51
PID 1908 wrote to memory of 2956	1908	7zFM.exe	52
PID 1908 wrote to memory of 2956	1908	7zFM.exe	52
PID 1908 wrote to memory of 2956	1908	7zFM.exe	52
PID 1908 wrote to memory of 2956	1908	7zFM.exe	52

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\VaporWaveX2.1.rar"
1⤵
- Quasar RAT
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\7zO4777DBC6\VaporWave2-1.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4777DBC6\VaporWave2-1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\7zO4777DBC6\VaporWave2-1.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2744
- - C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\gMNqUCm2fdrI.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1304
    - - C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:264
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2824
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WpG7LS1XKRg3.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1956
        
        C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2976
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 1444
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 1440
      4⤵
      Loads dropped DLL
      Program crash
      PID:2780
- C:\Users\Admin\AppData\Local\Temp\7zO47708288\VaporWave2-1.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO47708288\VaporWave2-1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\7zO47708288\VaporWave2-1.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1584
- - C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1560
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2416
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\epOkKcNlrK6b.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1164
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:760
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1860
    - - C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1612
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1468
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xaAVpzuR9hxE.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2444
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1396
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 1456
      4⤵
      Loads dropped DLL
      Program crash
      PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WpG7LS1XKRg3.bat

Filesize
208B

MD5
ea1fb0f9c8ce3aeed50b7be9ee77e427

SHA1
739b73a119dad6558fa10dfd78d7270cc978f89c

SHA256
4a75c0e67903f87f5277995a9fa7caf9d995d5a4cb4a173ef5c2a2364fcd25ac

SHA512
1e856f1d09555207b3943a59906df5203cccb50d7d8979c6ec137dfec08613f3e4d30faff8f8e7ab1657f945a256cc80bf59c7a23ca05082bdeb3c65c8517bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\epOkKcNlrK6b.bat

Filesize
208B

MD5
f7718b836540af62e0f0d322d54c4de8

SHA1
78f9edfe348ae70c814a2aa786d67cc9c406b611

SHA256
f21c31666790bd8c7cdb94dd0fcd4a1423935df487e6d19f8a601114bace7ec5

SHA512
80aa93c5c5c72b35fe26977eca40049ca4aa0c0f282ca5aa228fe44d5bfce2772587d2fcde48dc86d4c3b857547817290941a236048f5cc7e3314dc66389afc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMNqUCm2fdrI.bat

Filesize
208B

MD5
fba1f9cd922e442855e14ad25da64775

SHA1
d8a79985891bd24a01261a4dadd4e204ad12e010

SHA256
08c54b5d6d2213f6a9eea6bb1ccb956cb1c3ac5cf60937321934674548fca144

SHA512
86744a5f914f4d24c8df7b9c2e2a59221e906d1b62908d262928e1fb00b6d1800888ce409ed46c5c4e8de23c79f8931521bdbc95da33bb1779f85aa5ab371b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\xaAVpzuR9hxE.bat

Filesize
208B

MD5
9d13243fa7eec44ffa8e28df4c427814

SHA1
a2e8e241591343f6927da3ea7dfee6c9fcbb7abb

SHA256
8bcc68e96578ae0df3ba2c28786f1991104661ac41e8c8a99c19d28f90dfb04f

SHA512
7280420a86e87b71e6e9ea6a2c9cbe26f9aca408087490c76535042c6936a504da82678eaf036fb1a42ab7888a68bc9015911c4a920a2d015802bc81b0b1f23d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-07-2024

Filesize
224B

MD5
53be4c06463a98af8992d418f4573580

SHA1
8036797ae36e091e12e8f1826c6862c3deeaa320

SHA256
1af3f059c354ad83f1bd8edb96e130730ea5bb93750a53ee426ae482b5b195fb

SHA512
cdde9e193297007aae1e27c436f41b29cc74fb68aa2e5cf6f1b931271a2b0a8e4fea2e4c9e31d25c866243dfcae46a63082b58de4d8b926ab6028ba8a32b1a0b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-07-2024

Filesize
224B

MD5
052c0dedc39fe96891fbf0d0f32fcf2a

SHA1
686d622665672a0306393e2624f87831eff948c3

SHA256
bda8d88c8a18479d901f360f474fd0e4b8cd6cb3ea2baaae5e8d3290421d5aba

SHA512
ebfebca48b454c617b2aca844f1b3fa21c8aca735ee670227cca5904d54af8227b6dbbfd2451454aee2a66a72ac53eb747d255765187e1fa0149355b249d5077

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-07-2024

Filesize
224B

MD5
42715a70012f0fa6aa5324b1bf993d4a

SHA1
ea566ad04cf0958c491a289cf1941b7a73798599

SHA256
6daa3a7cba9d4a090fc6e52d93e59a9212c67a65e2da895ed6e10b47d4f52605

SHA512
204c4a07d9255be6c410db005047b37cb57023445ef7302c54e0609ec7d410920780dcbd070961cb896b7f0b2fc985a05fb0a6e4d90fe862f812531902ccb82b

Download Submit
memory/264-37-0x0000000000E20000-0x0000000000E7E000-memory.dmp

Filesize
376KB

Download
memory/1560-74-0x0000000001340000-0x000000000139E000-memory.dmp

Filesize
376KB

Download
memory/1612-92-0x0000000001340000-0x000000000139E000-memory.dmp

Filesize
376KB

Download
memory/2540-12-0x0000000000CC0000-0x0000000000D1E000-memory.dmp

Filesize
376KB

Download
memory/2924-20-0x0000000000E20000-0x0000000000E7E000-memory.dmp

Filesize
376KB

Download
memory/2956-68-0x0000000000DC0000-0x0000000000E1E000-memory.dmp

Filesize
376KB

Download