quasar | 93a291be0837344a2f715c9941a23b03232294865835f1dce8e81fdce5382bc9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

app.exe
Size

3.1MB
MD5

b8f097d5264902c9a54edf5cb26b4731
SHA1

4c2670bc094f0ed3b44de87fca95403073ddd81d
SHA256

93a291be0837344a2f715c9941a23b03232294865835f1dce8e81fdce5382bc9
SHA512

983ae07639c872fbcf07aac883f76f9cc04e7ad3b743be3d500818830ff0db8a9626a32ff7c8a7c3e11ff991a94d8c942d6702f3ec9d2aba7f65a3b290e980d5
SSDEEP

49152:OvWI22SsaNYfdPBldt698dBcjHddRJ6xbR3LoGdyVTHHB72eh2NT:Ov722SsaNYfdPBldt6+dBcjHddRJ6T

Score

10^/10

quasar kdotcrypt discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

KDOTCrypt

fedx.ddns.net:7000

Mutex

70b69453-9c90-490b-81c2-83279615d904

Attributes

encryption_key
92470F4731518ABFA77DC89068544FB7E7B7C459
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/1388-1-0x00000000009E0000-0x0000000000D04000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	app.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	app.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	app.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	app.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	app.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	app.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	app.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	app.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	app.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	app.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	app.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	app.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	app.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	app.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	app.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
836	PING.EXE
3776	PING.EXE
4596	PING.EXE
2340	PING.EXE
832	PING.EXE
1388	PING.EXE
4544	PING.EXE
2556	PING.EXE
4452	PING.EXE
5108	PING.EXE
3480	PING.EXE
220	PING.EXE
756	PING.EXE
3868	PING.EXE
1672	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3868	PING.EXE
3776	PING.EXE
1672	PING.EXE
832	PING.EXE
4544	PING.EXE
836	PING.EXE
220	PING.EXE
756	PING.EXE
2556	PING.EXE
5108	PING.EXE
3480	PING.EXE
2340	PING.EXE
4596	PING.EXE
4452	PING.EXE
1388	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	app.exe
Token: SeDebugPrivilege	4968	app.exe
Token: SeDebugPrivilege	3808	app.exe
Token: SeDebugPrivilege	2288	app.exe
Token: SeDebugPrivilege	2928	app.exe
Token: SeDebugPrivilege	4340	app.exe
Token: SeDebugPrivilege	3208	app.exe
Token: SeDebugPrivilege	4548	app.exe
Token: SeDebugPrivilege	784	app.exe
Token: SeDebugPrivilege	3448	app.exe
Token: SeDebugPrivilege	1036	app.exe
Token: SeDebugPrivilege	1328	app.exe
Token: SeDebugPrivilege	3348	app.exe
Token: SeDebugPrivilege	1452	app.exe
Token: SeDebugPrivilege	3820	app.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 4632	1388	app.exe	82
PID 1388 wrote to memory of 4632	1388	app.exe	82
PID 4632 wrote to memory of 3784	4632	cmd.exe	84
PID 4632 wrote to memory of 3784	4632	cmd.exe	84
PID 4632 wrote to memory of 220	4632	cmd.exe	85
PID 4632 wrote to memory of 220	4632	cmd.exe	85
PID 4632 wrote to memory of 4968	4632	cmd.exe	90
PID 4632 wrote to memory of 4968	4632	cmd.exe	90
PID 4968 wrote to memory of 3448	4968	app.exe	92
PID 4968 wrote to memory of 3448	4968	app.exe	92
PID 3448 wrote to memory of 64	3448	cmd.exe	94
PID 3448 wrote to memory of 64	3448	cmd.exe	94
PID 3448 wrote to memory of 756	3448	cmd.exe	95
PID 3448 wrote to memory of 756	3448	cmd.exe	95
PID 3448 wrote to memory of 3808	3448	cmd.exe	98
PID 3448 wrote to memory of 3808	3448	cmd.exe	98
PID 3808 wrote to memory of 1544	3808	app.exe	99
PID 3808 wrote to memory of 1544	3808	app.exe	99
PID 1544 wrote to memory of 2472	1544	cmd.exe	101
PID 1544 wrote to memory of 2472	1544	cmd.exe	101
PID 1544 wrote to memory of 3868	1544	cmd.exe	102
PID 1544 wrote to memory of 3868	1544	cmd.exe	102
PID 1544 wrote to memory of 2288	1544	cmd.exe	104
PID 1544 wrote to memory of 2288	1544	cmd.exe	104
PID 2288 wrote to memory of 384	2288	app.exe	105
PID 2288 wrote to memory of 384	2288	app.exe	105
PID 384 wrote to memory of 2892	384	cmd.exe	107
PID 384 wrote to memory of 2892	384	cmd.exe	107
PID 384 wrote to memory of 836	384	cmd.exe	108
PID 384 wrote to memory of 836	384	cmd.exe	108
PID 384 wrote to memory of 2928	384	cmd.exe	110
PID 384 wrote to memory of 2928	384	cmd.exe	110
PID 2928 wrote to memory of 1900	2928	app.exe	111
PID 2928 wrote to memory of 1900	2928	app.exe	111
PID 1900 wrote to memory of 1228	1900	cmd.exe	113
PID 1900 wrote to memory of 1228	1900	cmd.exe	113
PID 1900 wrote to memory of 3776	1900	cmd.exe	114
PID 1900 wrote to memory of 3776	1900	cmd.exe	114
PID 1900 wrote to memory of 4340	1900	cmd.exe	115
PID 1900 wrote to memory of 4340	1900	cmd.exe	115
PID 4340 wrote to memory of 2184	4340	app.exe	116
PID 4340 wrote to memory of 2184	4340	app.exe	116
PID 2184 wrote to memory of 2512	2184	cmd.exe	118
PID 2184 wrote to memory of 2512	2184	cmd.exe	118
PID 2184 wrote to memory of 2556	2184	cmd.exe	119
PID 2184 wrote to memory of 2556	2184	cmd.exe	119
PID 2184 wrote to memory of 3208	2184	cmd.exe	120
PID 2184 wrote to memory of 3208	2184	cmd.exe	120
PID 3208 wrote to memory of 4872	3208	app.exe	121
PID 3208 wrote to memory of 4872	3208	app.exe	121
PID 4872 wrote to memory of 4744	4872	cmd.exe	123
PID 4872 wrote to memory of 4744	4872	cmd.exe	123
PID 4872 wrote to memory of 2340	4872	cmd.exe	124
PID 4872 wrote to memory of 2340	4872	cmd.exe	124
PID 4872 wrote to memory of 4548	4872	cmd.exe	125
PID 4872 wrote to memory of 4548	4872	cmd.exe	125
PID 4548 wrote to memory of 4224	4548	app.exe	126
PID 4548 wrote to memory of 4224	4548	app.exe	126
PID 4224 wrote to memory of 1964	4224	cmd.exe	128
PID 4224 wrote to memory of 1964	4224	cmd.exe	128
PID 4224 wrote to memory of 1672	4224	cmd.exe	129
PID 4224 wrote to memory of 1672	4224	cmd.exe	129
PID 4224 wrote to memory of 784	4224	cmd.exe	130
PID 4224 wrote to memory of 784	4224	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\app.exe
"C:\Users\Admin\AppData\Local\Temp\app.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kfw51zw2hcYg.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3784
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\app.exe
    "C:\Users\Admin\AppData\Local\Temp\app.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RT0SUxZMDQxC.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3448
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:64
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:756
    - - C:\Users\Admin\AppData\Local\Temp\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\app.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3808
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CVcNFHOL1nIx.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\app.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UhDnX8e58LMf.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\app.exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8wEh5AJiRoa3.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\app.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsPLbxGs8A21.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\app.exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0iF0Z20aHKzS.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\app.exe"
        15⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgaZZc6LDhAd.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\app.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kv7b3Q4QyvLh.bat" "
        18⤵
        
        PID:1160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\app.exe"
        19⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9viZwgJ4LvtW.bat" "
        20⤵
        
        PID:532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:5008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\app.exe"
        21⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p9zgQctzi3jm.bat" "
        22⤵
        
        PID:2284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\app.exe"
        23⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rc79MriT2OIE.bat" "
        24⤵
        
        PID:4716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\app.exe"
        25⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U0he94AlBNG2.bat" "
        26⤵
        
        PID:3776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\app.exe"
        27⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8b1uoJoqMR4S.bat" "
        28⤵
        
        PID:3556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1808
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\app.exe"
        29⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jd6qPoaWuFv9.bat" "
        30⤵
        
        PID:4448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\app.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0iF0Z20aHKzS.bat

Filesize
200B

MD5
6f6a79a05fcda1e49b3b9e20bf5ac117

SHA1
2229544ac8f001b6e155afd54e7e67f84cc619b7

SHA256
bf4719108c95df39ec3fa90cdb37a97a4e9461d761570f05b626badd044317ae

SHA512
89d3908a990ae81784a383cf68084463fead3f0599b4fef416ed2ac3bdc310ae7eb0fa4af3d31fbb54cb5b32a012e6b829cffac96538783f52601847b29338c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b1uoJoqMR4S.bat

Filesize
200B

MD5
a5b627e3e36b125376e451f3ba9ff0df

SHA1
9ea6a37eec8ae36a79c2772fed16a3eee5189368

SHA256
053170e13b473970bb58a07bcdceaa878650649f578cfd2e3a96214e7080a79b

SHA512
a136a48e54580ff1961a378e6c475b0bc58ab8f44605464c6fa165e0c8a0845c1fc11836f86329d3bdfde9d604c9ce377dc343a55f9e1924d3f04ef83f457937

Download Submit
C:\Users\Admin\AppData\Local\Temp\8wEh5AJiRoa3.bat

Filesize
200B

MD5
c01680ce13e2277f89d977180bb26cb8

SHA1
c622666d156b43e792aafc28fd77fcd9249a9095

SHA256
6be076d909b0ab8255f2c05f05cdad489a99e264c5a495fa1eb6746e16b3b470

SHA512
24e4b0ef49035680548ae147f8767ef1235ade4fd693183d4cc18e16288775ee7025ca8ebb5a92d44ae326e1207d69e454c71875ae00a9cefd580f056d69a82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9viZwgJ4LvtW.bat

Filesize
200B

MD5
c98f619d98495035dd68f2d2d526353f

SHA1
6e58bde8e08940dc41ce5fbc27adc79a0d819cbb

SHA256
e72133a4d0bc80be7d4531d46816e7541ca5b8b99e694004c79b5bf665c537e8

SHA512
c310e8e8ec976951d555a51bb2f7a01705561a2e28c3988e3378b956817c35fcf4cf765ded44c4ff71c9bd91c11147915869514a68ef2d9f96cda83fb38353be

Download Submit
C:\Users\Admin\AppData\Local\Temp\CVcNFHOL1nIx.bat

Filesize
200B

MD5
2d5fe0c29bc14c6ffa750df60c73dc5b

SHA1
1b9c5c0df5a422832da5da6aff3cd0f6964d33bf

SHA256
ad52b74b8dc728061561c0554f0060927d1f125b007953aeeeedb34d3f17a6f3

SHA512
2a1c36c7d3b6e32dbb4a5fe05c1c9415e6974e96cc4210574de78e8131dd84c51612a9245b761b0beeefb312ea613dd6913ef124bb40310b4db9ae596174fe78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jd6qPoaWuFv9.bat

Filesize
200B

MD5
f97274899136360c6e05aff17256064e

SHA1
b4fe1451589e6f49231ec98ea71402d2206b6ee7

SHA256
e92800ff9efbfe54066382d31303dd599211f38190e02b5ceaddca8bc01f3d29

SHA512
b53aee2ab20529dba818d7392d86c6d2741bbb1d32d7fbcc44e1135b7e6e364d2da6d2fd1cdc08f31878889fe66e026874687d91eab78f0a964f6781d2970969

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kfw51zw2hcYg.bat

Filesize
200B

MD5
5f549a7fafec5febcfb385aa8c912d29

SHA1
c8daa977aa594b38752a6d4268a3a0d0ee4ed051

SHA256
a1db1dbd8971bd43da4f20379267d5766c2902b0b9aafee10b6766c445fda8b4

SHA512
caf373c71a92f03197dfde2aaecb285498b5bdd923e4d4f841fc901c44c26443e4e77a35c2644c845041ae89a4d332f8d3e7e7abddecfa5e196dd4234476b7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kv7b3Q4QyvLh.bat

Filesize
200B

MD5
89f768c218ce09ab2a68beb428ed2770

SHA1
535c170186dcf4e505b47deaf4dbbce2672a3b7c

SHA256
729e65385b909d395f94b6f8e2982276a8cc6ea6f56f210820a0ba16a6ffdb5b

SHA512
70c570145570196406ea5b16d775f41c7f6ce790ca6bd106ce0d9ae5859bcb9fb92e72d15bcd667444cba170e8f6734bfb50d7b375f4a695e9c6b85a6d78908d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RT0SUxZMDQxC.bat

Filesize
200B

MD5
b8529403f380a9f9e4e386c7e50de6bd

SHA1
2f401afb7d6c009986181521e5e4a6559ef34e02

SHA256
d55f43826f52c467e2a3b6ecb70dedc72db4c74db3819b0c7120d9374656281d

SHA512
b6bf83e15a860876222f53c713c9d61ee64d9c696d58556030f2304f88be21732689f6e193cd4932cdc723d6a08240ba0c7aa0d38b7659de2313e41f9ee127dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\U0he94AlBNG2.bat

Filesize
200B

MD5
54f1274490de58d7f602fa1b602c9c63

SHA1
78995d734be2f516015a0abea5f7f4af8665b4e6

SHA256
95cfb87359495613717ae87185b796ca16bd3879d70c1b8a628178598d4e4704

SHA512
e5ef4d5f8e7a1930aba002cb2d7384dbf3c62831f7ae098ea4b8a22e21e995d1b271337fc36eb8faf639e2f9ea1c5c77334005e800e46ffd38749d11d42bbb1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UhDnX8e58LMf.bat

Filesize
200B

MD5
b918b7249e743c49c82612b7f21d7985

SHA1
980e89cc9252472552c73a7083f63cd487857f26

SHA256
74a2caf2680a66a255960c360ab248e497e1fc717256d7b9421ccf68df3a6583

SHA512
e474d82d400023ec512119bbd7991a5cd42f6addb23325a8746f99f1d2b8236b3589bcdad5938a07e47e58641bbe07b18b6a0e02a749686728d8ff7abf584f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsPLbxGs8A21.bat

Filesize
200B

MD5
1d68360870cacb32fb433dcc276c3b8f

SHA1
7cafb0ab1ab1f452861c3e9436a20bc2869c4b7e

SHA256
1babe4522a3c4484ae66bfc16e3681d98ed56d022a7fc01d9f7692e00d7feb31

SHA512
5f76408fe9f2fb39a20fdab532c4f98ab50d2e8c56797a9dce5e0053a81a16d8229daaa3651b61d0a624cbc321c91d9a3ee7666fef67cb68299ed9a8c0d287b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\p9zgQctzi3jm.bat

Filesize
200B

MD5
f1c52a8459858a2fe8b644bb67773ca7

SHA1
54e7dadc94a74c9ed0f7dd67c6f39ffb1ab0a3e8

SHA256
340396103dbe0b2d70139d671d4fd857b94fb01f2cfe25b96340c12ffc600910

SHA512
6eda4dfe4f7653b91036481d228712bf5f95bdd20ada0f4a2a624a2c74e44badd79b27b9366f68935d206cc12ca8769fb4b9f3e5aa5b9267a6f88e4fef696853

Download Submit
C:\Users\Admin\AppData\Local\Temp\rc79MriT2OIE.bat

Filesize
200B

MD5
110eb0f4db9f7fa73d52df6a7b5ab937

SHA1
e98dc75dbb271697b2477aaeac835fcb3b5763ad

SHA256
108d5c4a053acccdea16769184792a735d55360157a5bd9bd61bccb76c360203

SHA512
9d26ddda4760adb778ebac3eb4d6b68796123db9b4c6abc2cfaa4ce15364f545a62faa2387e974cfcdd7c2658b8480db5dc4227bf3e30507dd5b46b01a060d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgaZZc6LDhAd.bat

Filesize
200B

MD5
d3f1a3177530151e6c16a84301f3f288

SHA1
4e9e468c808e498d089b422147faf9b06f614397

SHA256
abe2578d52d394b2dcb96ebe333be2efe5b37d60cc1014034cc97941074578ea

SHA512
2380c3d1168291538897ae730dea726dc5890f7c5b606fbf17a9b65275e5444466ccae56e9729a308e5b559b8d902baddbe8d1181c3ba60df5bd86848afb5539

Download Submit
memory/1388-0-0x00007FFA2AAA3000-0x00007FFA2AAA5000-memory.dmp

Filesize
8KB

Download
memory/1388-4-0x000000001D640000-0x000000001D6F2000-memory.dmp

Filesize
712KB

Download
memory/1388-9-0x00007FFA2AAA0000-0x00007FFA2B561000-memory.dmp

Filesize
10.8MB

Download
memory/1388-3-0x000000001D530000-0x000000001D580000-memory.dmp

Filesize
320KB

Download
memory/1388-2-0x00007FFA2AAA0000-0x00007FFA2B561000-memory.dmp

Filesize
10.8MB

Download
memory/1388-1-0x00000000009E0000-0x0000000000D04000-memory.dmp

Filesize
3.1MB

Download
memory/4968-12-0x00007FFA2A220000-0x00007FFA2ACE1000-memory.dmp

Filesize
10.8MB

Download
memory/4968-18-0x00007FFA2A220000-0x00007FFA2ACE1000-memory.dmp

Filesize
10.8MB

Download
memory/4968-13-0x00007FFA2A220000-0x00007FFA2ACE1000-memory.dmp

Filesize
10.8MB

Download