quasar | e0f72d48e121eb069eed758c81643f435997e300a961162d0d884bb49219d2c9

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

5e3064f23dddf22df2101a997691a696
SHA1

232e882b7bc054e481c70c894aca6269c1f9316d
SHA256

e0f72d48e121eb069eed758c81643f435997e300a961162d0d884bb49219d2c9
SHA512

ac3bfdf2d5eee1725fa84a2a91004012a88c090ab18e0d8639d23df17bc938b34d7ae0b19b7243850071031b62bbd8874975e006bf295886a4ee28dc4e01a23f
SSDEEP

49152:nvkG42pda6D+/PjlLOlg6yQipVLH88o5NBFBeTHoGv5ULTHHB72eh2NT:nvP42pda6D+/PjlLOlZyQipVLc87

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

193.161.193.99:1194

v4lc-36448.portmap.host:36448:1194

Mutex

a25b5bbf-cc69-4b0b-a242-9d07a80705d5

Attributes

encryption_key
23DCD2457576BD8C17F35C9C4F50BF16D2C7C161
install_name
FlipHood.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/984-1-0x00000000000B0000-0x00000000003D4000-memory.dmp	family_quasar
behavioral1/files/0x000a000000023b86-8.dat	family_quasar

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	FlipHood.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	FlipHood.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	FlipHood.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	FlipHood.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	FlipHood.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	FlipHood.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	FlipHood.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	FlipHood.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	FlipHood.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	FlipHood.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	FlipHood.exe

Executes dropped EXE 11 IoCs

pid	Process
3932	FlipHood.exe
2060	FlipHood.exe
1328	FlipHood.exe
4280	FlipHood.exe
3380	FlipHood.exe
4172	FlipHood.exe
3532	FlipHood.exe
4220	FlipHood.exe
4488	FlipHood.exe
4980	FlipHood.exe
3888	FlipHood.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3504	PING.EXE
3768	PING.EXE
1728	PING.EXE
1512	PING.EXE
3480	PING.EXE
4524	PING.EXE
4772	PING.EXE
404	PING.EXE
3916	PING.EXE
1900	PING.EXE
1612	PING.EXE

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
1512	PING.EXE
4524	PING.EXE
1612	PING.EXE
1900	PING.EXE
404	PING.EXE
3504	PING.EXE
3768	PING.EXE
1728	PING.EXE
3916	PING.EXE
3480	PING.EXE
4772	PING.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	984	Client-built.exe
Token: SeDebugPrivilege	3932	FlipHood.exe
Token: SeDebugPrivilege	2060	FlipHood.exe
Token: SeDebugPrivilege	1328	FlipHood.exe
Token: SeDebugPrivilege	4280	FlipHood.exe
Token: SeDebugPrivilege	3380	FlipHood.exe
Token: SeDebugPrivilege	4172	FlipHood.exe
Token: SeDebugPrivilege	3532	FlipHood.exe
Token: SeDebugPrivilege	4220	FlipHood.exe
Token: SeDebugPrivilege	4488	FlipHood.exe
Token: SeDebugPrivilege	4980	FlipHood.exe
Token: SeDebugPrivilege	3888	FlipHood.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
3932	FlipHood.exe
2060	FlipHood.exe
1328	FlipHood.exe
4280	FlipHood.exe
3380	FlipHood.exe
4172	FlipHood.exe
3532	FlipHood.exe
4220	FlipHood.exe
4488	FlipHood.exe
4980	FlipHood.exe
3888	FlipHood.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
3932	FlipHood.exe
2060	FlipHood.exe
1328	FlipHood.exe
4280	FlipHood.exe
3380	FlipHood.exe
4172	FlipHood.exe
3532	FlipHood.exe
4220	FlipHood.exe
4488	FlipHood.exe
4980	FlipHood.exe
3888	FlipHood.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 984 wrote to memory of 3932	984	Client-built.exe	87
PID 984 wrote to memory of 3932	984	Client-built.exe	87
PID 3932 wrote to memory of 3036	3932	FlipHood.exe	93
PID 3932 wrote to memory of 3036	3932	FlipHood.exe	93
PID 3036 wrote to memory of 1060	3036	cmd.exe	95
PID 3036 wrote to memory of 1060	3036	cmd.exe	95
PID 3036 wrote to memory of 3480	3036	cmd.exe	96
PID 3036 wrote to memory of 3480	3036	cmd.exe	96
PID 3036 wrote to memory of 2060	3036	cmd.exe	99
PID 3036 wrote to memory of 2060	3036	cmd.exe	99
PID 2060 wrote to memory of 1008	2060	FlipHood.exe	100
PID 2060 wrote to memory of 1008	2060	FlipHood.exe	100
PID 1008 wrote to memory of 2952	1008	cmd.exe	102
PID 1008 wrote to memory of 2952	1008	cmd.exe	102
PID 1008 wrote to memory of 4524	1008	cmd.exe	103
PID 1008 wrote to memory of 4524	1008	cmd.exe	103
PID 1008 wrote to memory of 1328	1008	cmd.exe	105
PID 1008 wrote to memory of 1328	1008	cmd.exe	105
PID 1328 wrote to memory of 952	1328	FlipHood.exe	107
PID 1328 wrote to memory of 952	1328	FlipHood.exe	107
PID 952 wrote to memory of 1516	952	cmd.exe	109
PID 952 wrote to memory of 1516	952	cmd.exe	109
PID 952 wrote to memory of 4772	952	cmd.exe	110
PID 952 wrote to memory of 4772	952	cmd.exe	110
PID 952 wrote to memory of 4280	952	cmd.exe	111
PID 952 wrote to memory of 4280	952	cmd.exe	111
PID 4280 wrote to memory of 452	4280	FlipHood.exe	112
PID 4280 wrote to memory of 452	4280	FlipHood.exe	112
PID 452 wrote to memory of 4664	452	cmd.exe	114
PID 452 wrote to memory of 4664	452	cmd.exe	114
PID 452 wrote to memory of 1900	452	cmd.exe	115
PID 452 wrote to memory of 1900	452	cmd.exe	115
PID 452 wrote to memory of 3380	452	cmd.exe	116
PID 452 wrote to memory of 3380	452	cmd.exe	116
PID 3380 wrote to memory of 4792	3380	FlipHood.exe	117
PID 3380 wrote to memory of 4792	3380	FlipHood.exe	117
PID 4792 wrote to memory of 2372	4792	cmd.exe	119
PID 4792 wrote to memory of 2372	4792	cmd.exe	119
PID 4792 wrote to memory of 1612	4792	cmd.exe	120
PID 4792 wrote to memory of 1612	4792	cmd.exe	120
PID 4792 wrote to memory of 4172	4792	cmd.exe	121
PID 4792 wrote to memory of 4172	4792	cmd.exe	121
PID 4172 wrote to memory of 556	4172	FlipHood.exe	122
PID 4172 wrote to memory of 556	4172	FlipHood.exe	122
PID 556 wrote to memory of 2944	556	cmd.exe	124
PID 556 wrote to memory of 2944	556	cmd.exe	124
PID 556 wrote to memory of 404	556	cmd.exe	125
PID 556 wrote to memory of 404	556	cmd.exe	125
PID 556 wrote to memory of 3532	556	cmd.exe	126
PID 556 wrote to memory of 3532	556	cmd.exe	126
PID 3532 wrote to memory of 4192	3532	FlipHood.exe	127
PID 3532 wrote to memory of 4192	3532	FlipHood.exe	127
PID 4192 wrote to memory of 860	4192	cmd.exe	129
PID 4192 wrote to memory of 860	4192	cmd.exe	129
PID 4192 wrote to memory of 3504	4192	cmd.exe	130
PID 4192 wrote to memory of 3504	4192	cmd.exe	130
PID 4192 wrote to memory of 4220	4192	cmd.exe	131
PID 4192 wrote to memory of 4220	4192	cmd.exe	131
PID 4220 wrote to memory of 3608	4220	FlipHood.exe	132
PID 4220 wrote to memory of 3608	4220	FlipHood.exe	132
PID 3608 wrote to memory of 2952	3608	cmd.exe	134
PID 3608 wrote to memory of 2952	3608	cmd.exe	134
PID 3608 wrote to memory of 3768	3608	cmd.exe	135
PID 3608 wrote to memory of 3768	3608	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984
- C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rfevB6fu6bHF.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1060
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3480
  - - C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vdy2hAtWqUJ4.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1008
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2952
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4524
      - C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MFPFsfpWKZDl.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4772
        
        C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3cYyuExdOdyf.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4664
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUbRsMapzmhF.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgeZzKbeaObz.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:404
        
        C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UA8wwlIolj5o.bat" "
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3504
        
        C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ExUdJq3WZAZM.bat" "
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3768
        
        C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYhQb3RPxdI8.bat" "
        19⤵
        
        PID:2728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zS5Uk9Nv4EfI.bat" "
        21⤵
        
        PID:3308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O5TfJS6kcMSx.bat" "
        23⤵
        
        PID:3256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4328
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FlipHood.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cYyuExdOdyf.bat

Filesize
209B

MD5
80d4ac4ffc150ab3531f4816a12d2a09

SHA1
125fef83db371aa5dbd44145461ad5c5227e9b87

SHA256
69fea4b589ef8ee5016c061d3d42fbb3a89253aa5b79c7a4f10f6c75294345d4

SHA512
6988848b78e15a3e9b36dbcbe132c598587b09756bfdb405beafa96e4f79f56a141046e4a3cb1e72e4d97548904fba42471d115df734afb3ae945d40a794e6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExUdJq3WZAZM.bat

Filesize
209B

MD5
1efc8f4751e2e734a07bf317d0d6fe2e

SHA1
3dc6cfdc21fc8a44dfb8a345767baa0e55671e3b

SHA256
164c6834fe0c236a53a378b6021e36a97022aba0d995b4493bedd9b0cad7a9a2

SHA512
790e6dd8d3afe07f384363ef4e10b992db9b1e1d4628048186e86e2dfeded7f3a652134bb867ce422eee8ff5b9cc4505bc40ec95bc2bc5106ea431fd9bd508b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYhQb3RPxdI8.bat

Filesize
209B

MD5
7e268a342b1c0245317910f072aff40f

SHA1
3735d35a88f23de23ec198dcb950b4415ec2d14a

SHA256
dc8fc48a120b49b92f78b2254665876c4fc3b0b52a88dae2ea2bc2a31b9883d4

SHA512
f4dfe6498760d01cbb4f65e22f7f8cb1ddc6abdce60380748e08249dfa4b7cf30272244e2ca73b2f57d171db9da66d2d7a75dd6c8d472c7f3376de7e0c3d21cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFPFsfpWKZDl.bat

Filesize
209B

MD5
a165eb40a33a3c708febcf0cd52bbc5a

SHA1
0d6ecadd8f90d0a0d3f5becee3eda57522702017

SHA256
72e0bc03a8050473e2af9d01f11a7e24b914381a330b12b2b00f5a7b3bdb26ad

SHA512
a06eee8a672ec0d53cc9bb8dfa64bf853b61cf04ea8ec5ba1347d87ec35a8db8f1a55efaf695765632bb4be232f1df57452f9185e45fa641ee9b92b599a69805

Download Submit
C:\Users\Admin\AppData\Local\Temp\O5TfJS6kcMSx.bat

Filesize
209B

MD5
0f021994bcda6f3e249c4016d74a3586

SHA1
1b62b626d9097f8d5adf1cdebf554a2c6d641d2e

SHA256
c888041cee1e4ff0acbca49a7c63c911248b225703611b27d5ea32ece034f1b7

SHA512
e7a72a4ba44806c9f01b2573a6e81d59c6934f7bd590312f9b14771a29fc71899a8c963078105668cb57aa72e5aeaa8acbe362dd4f496f3906850cb4b3aaf42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PgeZzKbeaObz.bat

Filesize
209B

MD5
dda300d1b8dda356b1d6ec4c6ccc17ef

SHA1
f32c03ef2d14856a809ee7fcc881233a73d40fb0

SHA256
5ec057735dbc090f252e2eb9dad4cbbb49ff23c696c028651aba9c94886cdddf

SHA512
347ed1099c4c346a1049c1e6ce815ed1787b09ec557182365fc6acd1477a87e3d7891a7bab3bceb555999aa574e976b7cc2456562de4fe5b08cf4a8bd8d6cdfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUbRsMapzmhF.bat

Filesize
209B

MD5
c46e4bdf971de7af39ae82a265331ba2

SHA1
4c8dc7d3e0a99aea4a11d762e252c3afcb73422c

SHA256
cbf009ed0bb56f2beaa9ddbdfc135b48bbaefad59c6e235666b4db9d90e3d721

SHA512
31d873a745caf019657a8e085a6e92759496c9b7465fdea91ec597f708158c3f2ad90eb3ee3c6fb2614dbaf089a58bf0e3c0c8fb8d01d089813451d612094766

Download Submit
C:\Users\Admin\AppData\Local\Temp\UA8wwlIolj5o.bat

Filesize
209B

MD5
1eb706e9e88490232e39d7c81492b384

SHA1
505a0d64f28db10a50816c5c2021899572ca33d3

SHA256
4536f2153621dfdeccb6cf3e6ff9844fb8f9cf6c080b8665a40ebb64f6c1525f

SHA512
df156c9be0545f84cd356ba039f59166569d0dc4bda2bbc8fc4ee589155cee8f8b8d6443eed59f29898debb192b814365c4ba5ad37ec72d4deeb227d551eb357

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vdy2hAtWqUJ4.bat

Filesize
209B

MD5
043b454b7e1f4c17293510da1acec0c9

SHA1
bacc81c8277b65877a68dea3880e9305ee91162e

SHA256
05e487f32ddd9eb4f33ddf3500fa32db20c4989a83a85deca71182f449a56a12

SHA512
6c32d5e112ce57bc240b398fdd6b4538a3d517cb9618adcbb398306d2cf2ab543555d574e22778573b20b81bb69233a2a216cffff2573a23d8ddda8141dec285

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfevB6fu6bHF.bat

Filesize
209B

MD5
012c3cbfda65a9bbd8df6e7c38b00503

SHA1
2b85719c1dd94be06f9667cc95032bcbd97907f8

SHA256
2367a69eca4f15f49388468267958ede3af83178065198fff1180e95ba75d277

SHA512
50ddb24f63b736d8038a9c8d762a5c4e5edfb703f8c982eee80a12f0861246eb17c7032bd384b1d0cb226ca76148fe3321c21333eb8961df4cd21167532ce846

Download Submit
C:\Users\Admin\AppData\Local\Temp\zS5Uk9Nv4EfI.bat

Filesize
209B

MD5
aee8d31a12bf7191cab005540d66b07e

SHA1
bfb80cd8c16cb4d5702cf0fe0ff223bbce3770db

SHA256
7ca89ffc57cd5bbee5cec46f53739af2a1079db67e38ce9a58031ec262a1250f

SHA512
3d09aa3d98a9d1aa24b2b6428b5eeca7e840f05086c8bc840568bf3fa876404d93485ec54ef796e5df0eeb656e874f6723c0ed1886a5e797fdfc5a614c0a50b0

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\FlipHood.exe

Filesize
3.1MB

MD5
5e3064f23dddf22df2101a997691a696

SHA1
232e882b7bc054e481c70c894aca6269c1f9316d

SHA256
e0f72d48e121eb069eed758c81643f435997e300a961162d0d884bb49219d2c9

SHA512
ac3bfdf2d5eee1725fa84a2a91004012a88c090ab18e0d8639d23df17bc938b34d7ae0b19b7243850071031b62bbd8874975e006bf295886a4ee28dc4e01a23f

Download Submit
memory/984-0-0x00007FFC0E973000-0x00007FFC0E975000-memory.dmp

Filesize
8KB

Download
memory/984-10-0x00007FFC0E970000-0x00007FFC0F431000-memory.dmp

Filesize
10.8MB

Download
memory/984-2-0x00007FFC0E970000-0x00007FFC0F431000-memory.dmp

Filesize
10.8MB

Download
memory/984-1-0x00000000000B0000-0x00000000003D4000-memory.dmp

Filesize
3.1MB

Download
memory/3932-18-0x00007FFC0E970000-0x00007FFC0F431000-memory.dmp

Filesize
10.8MB

Download
memory/3932-13-0x000000001C6C0000-0x000000001C772000-memory.dmp

Filesize
712KB

Download
memory/3932-12-0x000000001C5B0000-0x000000001C600000-memory.dmp

Filesize
320KB

Download
memory/3932-11-0x00007FFC0E970000-0x00007FFC0F431000-memory.dmp

Filesize
10.8MB

Download
memory/3932-9-0x00007FFC0E970000-0x00007FFC0F431000-memory.dmp

Filesize
10.8MB

Download