quasar | 884d0c2cefa850e384edd30c22b96dd9ca03443c7c57bdae7d6234c2ebf0d0c7

Analysis

max time kernel
142s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

example_win32_dx11.exe
Size

3.1MB
MD5

a7d75b048989da5d22a1f7cca58edb51
SHA1

413d22b60ae540b3b11863e2107980b0403faf50
SHA256

884d0c2cefa850e384edd30c22b96dd9ca03443c7c57bdae7d6234c2ebf0d0c7
SHA512

4a453dc7f2a0e82d66fe5d73727ab2a23b5f00ea1b4a53032e4a538b72edf9caaf0894774d0fafb4af401f74a0b65bbf2d83a0cc643dc1a66ae23fb2136dd351
SSDEEP

49152:TvCI22SsaNYfdPBldt698dBcjHe0RJ6qbR3LoGdHTHHB72eh2NT:TvP22SsaNYfdPBldt6+dBcjHe0RJ6E

Score

10^/10

quasar nigga discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Nigga

yzs-42879.portmap.host:42879

Mutex

57d72303-b5e9-46aa-8cc4-9690809c1a9e

Attributes

encryption_key
F1EBDB1862062F9265C0B5AC4D02C76D026534D0
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
Steam

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/memory/2308-1-0x0000000000E10000-0x0000000001134000-memory.dmp	family_quasar
behavioral1/files/0x00070000000195d6-5.dat	family_quasar
behavioral1/memory/1748-7-0x0000000000F70000-0x0000000001294000-memory.dmp	family_quasar
behavioral1/memory/968-52-0x00000000010A0000-0x00000000013C4000-memory.dmp	family_quasar
behavioral1/memory/2216-64-0x00000000003F0000-0x0000000000714000-memory.dmp	family_quasar
behavioral1/memory/2064-75-0x0000000000F20000-0x0000000001244000-memory.dmp	family_quasar
behavioral1/memory/2928-96-0x0000000001230000-0x0000000001554000-memory.dmp	family_quasar
behavioral1/memory/3016-127-0x00000000012E0000-0x0000000001604000-memory.dmp	family_quasar
behavioral1/memory/2264-138-0x0000000001330000-0x0000000001654000-memory.dmp	family_quasar
behavioral1/memory/2376-149-0x0000000000110000-0x0000000000434000-memory.dmp	family_quasar
behavioral1/memory/2012-160-0x0000000000180000-0x00000000004A4000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
1748	svchost.exe
2676	svchost.exe
2848	svchost.exe
2872	svchost.exe
968	svchost.exe
2216	svchost.exe
2064	svchost.exe
2380	svchost.exe
2928	svchost.exe
2344	svchost.exe
2240	svchost.exe
3016	svchost.exe
2264	svchost.exe
2376	svchost.exe
2012	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3000	PING.EXE
2336	PING.EXE
2600	PING.EXE
1464	PING.EXE
2000	PING.EXE
3048	PING.EXE
2696	PING.EXE
304	PING.EXE
2228	PING.EXE
2484	PING.EXE
2868	PING.EXE
2628	PING.EXE
2144	PING.EXE
1448	PING.EXE
2636	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3048	PING.EXE
2696	PING.EXE
2600	PING.EXE
2228	PING.EXE
2636	PING.EXE
2336	PING.EXE
304	PING.EXE
2868	PING.EXE
2144	PING.EXE
2000	PING.EXE
1448	PING.EXE
2628	PING.EXE
3000	PING.EXE
1464	PING.EXE
2484	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	example_win32_dx11.exe
Token: SeDebugPrivilege	1748	svchost.exe
Token: SeDebugPrivilege	2676	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2872	svchost.exe
Token: SeDebugPrivilege	968	svchost.exe
Token: SeDebugPrivilege	2216	svchost.exe
Token: SeDebugPrivilege	2064	svchost.exe
Token: SeDebugPrivilege	2380	svchost.exe
Token: SeDebugPrivilege	2928	svchost.exe
Token: SeDebugPrivilege	2344	svchost.exe
Token: SeDebugPrivilege	2240	svchost.exe
Token: SeDebugPrivilege	3016	svchost.exe
Token: SeDebugPrivilege	2264	svchost.exe
Token: SeDebugPrivilege	2376	svchost.exe
Token: SeDebugPrivilege	2012	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1748	2308	example_win32_dx11.exe	30
PID 2308 wrote to memory of 1748	2308	example_win32_dx11.exe	30
PID 2308 wrote to memory of 1748	2308	example_win32_dx11.exe	30
PID 1748 wrote to memory of 2808	1748	svchost.exe	31
PID 1748 wrote to memory of 2808	1748	svchost.exe	31
PID 1748 wrote to memory of 2808	1748	svchost.exe	31
PID 2808 wrote to memory of 2968	2808	cmd.exe	33
PID 2808 wrote to memory of 2968	2808	cmd.exe	33
PID 2808 wrote to memory of 2968	2808	cmd.exe	33
PID 2808 wrote to memory of 3048	2808	cmd.exe	34
PID 2808 wrote to memory of 3048	2808	cmd.exe	34
PID 2808 wrote to memory of 3048	2808	cmd.exe	34
PID 2808 wrote to memory of 2676	2808	cmd.exe	35
PID 2808 wrote to memory of 2676	2808	cmd.exe	35
PID 2808 wrote to memory of 2676	2808	cmd.exe	35
PID 2676 wrote to memory of 2704	2676	svchost.exe	36
PID 2676 wrote to memory of 2704	2676	svchost.exe	36
PID 2676 wrote to memory of 2704	2676	svchost.exe	36
PID 2704 wrote to memory of 2400	2704	cmd.exe	38
PID 2704 wrote to memory of 2400	2704	cmd.exe	38
PID 2704 wrote to memory of 2400	2704	cmd.exe	38
PID 2704 wrote to memory of 2696	2704	cmd.exe	39
PID 2704 wrote to memory of 2696	2704	cmd.exe	39
PID 2704 wrote to memory of 2696	2704	cmd.exe	39
PID 2704 wrote to memory of 2848	2704	cmd.exe	40
PID 2704 wrote to memory of 2848	2704	cmd.exe	40
PID 2704 wrote to memory of 2848	2704	cmd.exe	40
PID 2848 wrote to memory of 1780	2848	svchost.exe	41
PID 2848 wrote to memory of 1780	2848	svchost.exe	41
PID 2848 wrote to memory of 1780	2848	svchost.exe	41
PID 1780 wrote to memory of 2868	1780	cmd.exe	43
PID 1780 wrote to memory of 2868	1780	cmd.exe	43
PID 1780 wrote to memory of 2868	1780	cmd.exe	43
PID 1780 wrote to memory of 2628	1780	cmd.exe	44
PID 1780 wrote to memory of 2628	1780	cmd.exe	44
PID 1780 wrote to memory of 2628	1780	cmd.exe	44
PID 1780 wrote to memory of 2872	1780	cmd.exe	45
PID 1780 wrote to memory of 2872	1780	cmd.exe	45
PID 1780 wrote to memory of 2872	1780	cmd.exe	45
PID 2872 wrote to memory of 2264	2872	svchost.exe	46
PID 2872 wrote to memory of 2264	2872	svchost.exe	46
PID 2872 wrote to memory of 2264	2872	svchost.exe	46
PID 2264 wrote to memory of 2996	2264	cmd.exe	48
PID 2264 wrote to memory of 2996	2264	cmd.exe	48
PID 2264 wrote to memory of 2996	2264	cmd.exe	48
PID 2264 wrote to memory of 3000	2264	cmd.exe	49
PID 2264 wrote to memory of 3000	2264	cmd.exe	49
PID 2264 wrote to memory of 3000	2264	cmd.exe	49
PID 2264 wrote to memory of 968	2264	cmd.exe	50
PID 2264 wrote to memory of 968	2264	cmd.exe	50
PID 2264 wrote to memory of 968	2264	cmd.exe	50
PID 968 wrote to memory of 2104	968	svchost.exe	51
PID 968 wrote to memory of 2104	968	svchost.exe	51
PID 968 wrote to memory of 2104	968	svchost.exe	51
PID 2104 wrote to memory of 2032	2104	cmd.exe	53
PID 2104 wrote to memory of 2032	2104	cmd.exe	53
PID 2104 wrote to memory of 2032	2104	cmd.exe	53
PID 2104 wrote to memory of 2336	2104	cmd.exe	54
PID 2104 wrote to memory of 2336	2104	cmd.exe	54
PID 2104 wrote to memory of 2336	2104	cmd.exe	54
PID 2104 wrote to memory of 2216	2104	cmd.exe	55
PID 2104 wrote to memory of 2216	2104	cmd.exe	55
PID 2104 wrote to memory of 2216	2104	cmd.exe	55
PID 2216 wrote to memory of 2012	2216	svchost.exe	56

C:\Users\Admin\AppData\Local\Temp\example_win32_dx11.exe
"C:\Users\Admin\AppData\Local\Temp\example_win32_dx11.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\cQ5SiASGEGmA.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2968
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3048
  - - C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3fWUtM0VKaeb.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2400
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2696
      - C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aX2IR66Zs30z.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MrUZrEVbIYVd.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JOnjFwqPd20o.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hYmWF07JG9i8.bat" "
        13⤵
        
        PID:2012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:304
        
        C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LL260Te5KuT2.bat" "
        15⤵
        
        PID:2292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2600
        
        C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OVHRfygO19B9.bat" "
        17⤵
        
        PID:1612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jU7m8kVy7hpZ.bat" "
        19⤵
        
        PID:2936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vyRDt6oSJTIv.bat" "
        21⤵
        
        PID:2772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1088
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YubivA1fDkNX.bat" "
        23⤵
        
        PID:2748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kXevQcmtlSIv.bat" "
        25⤵
        
        PID:1540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1464
        
        C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FfSy3WitAtLY.bat" "
        27⤵
        
        PID:1772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PMkCxtuC2tno.bat" "
        29⤵
        
        PID:612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\B17L8nhH5urJ.bat" "
        31⤵
        
        PID:2252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3fWUtM0VKaeb.bat

Filesize
207B

MD5
dcbf3f935e440a1c01b368401320a9fd

SHA1
cb4663ec4af52f29ccd18272fe74314571ebccff

SHA256
ec1a2fd770386376210088681a6e4aab2364b7658a2507fdf8b6c668a80cb8dc

SHA512
247b7dde00bf1c36970b7f3ccb71ab5dbbae3d7ea9c47752f5f9997fe368514f6d243d0fadb986c65ce22405afc400cbc7ff309641351dacc04f494e0981da1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\B17L8nhH5urJ.bat

Filesize
207B

MD5
b600d790b7b9553f6e85d49d4fe7b99d

SHA1
ead2d768596fda4a40ea3597ba0cd048e81cf98a

SHA256
d81b5b691866c290d5a4521bec2465d0977e82be7f009db5453bb6d409700717

SHA512
9daa229d079bf7b555e434ef60f9214850770be44df172460923dd18022af1d5cef1b41c410c91ac6b582af4d9a3a6a8908642807833c613df4669a05e101813

Download Submit
C:\Users\Admin\AppData\Local\Temp\FfSy3WitAtLY.bat

Filesize
207B

MD5
44a3f9d296fa39eb6164cd6f40561f9d

SHA1
4e17377b3692771f73472ae3dc3796b3e706c14e

SHA256
50cfc57da412d908fe36d1298c82b53d4e5cadbffb061bf5d5039ba07edc1092

SHA512
dd1f7e899d58937d57fb3434b13c27a086ec22987e850452a101f51e48738dcbadecb648f215240aebe643a4fc1633578f771a9c2b477a7d9482a50446597058

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOnjFwqPd20o.bat

Filesize
207B

MD5
8655d538ff451557418b02e72cc68c60

SHA1
1aafc920c26a26927ef7c573b3d753bd681d0b7f

SHA256
c36e0236cd521fd4a1a4a9ad18f5e87c0ce698368acc8781ee22936369d468f4

SHA512
239618c1854f10b2f2d40b2e48414c498f34124c3c837fceeffe266c834e807f2f71f6228cf6a973f5fd891c94c102973cd8017a24dd924f8338d8ef230af43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LL260Te5KuT2.bat

Filesize
207B

MD5
9b45333a794fb8ac839f0d19e503c9d4

SHA1
2b6f011788f66db635451b9d0d5a31907b54071f

SHA256
418763b2c036dccbfdfa9d2358e544e367ecd7f5539210531b49760eaf2a4473

SHA512
3ebb2162c8a6dc0b96aa12a7e510ab76bbb4963adafe7985cba1a0d533e00516429953ff7b83adef26c03a7123916de1b1d4bb2ba38618bd0709e8b3fd26fe1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MrUZrEVbIYVd.bat

Filesize
207B

MD5
87ba20360aba2b6ebacfe4ebe344ad24

SHA1
be01e41daa0428d8770f1ce4af2f1941b7eaa87e

SHA256
3d82aed73d4074bd20ef847ce1f9adddc21ab846ad1d11185b035d7c68fbf6f2

SHA512
91957dde1b138b41c92af696111f03434e804d41bde65e3af0c4e70a4702b491b351e4be9981a78bf7a6a6c4340726ac83782bb889c1112eae248ba0b98a83ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\OVHRfygO19B9.bat

Filesize
207B

MD5
647213584d1a09556e57ea66c2ebb2bf

SHA1
38fac640b352692eed5a330b5834ddc3f3a3f8f2

SHA256
a3f98f3b134c763650a901491526aa35cc1a60f9a1907fceb8316d0537ef305b

SHA512
864d6c7f40d2423c11d9f3a33e999fc3f53565e083b965ea3913ffeb3b4505b2b542a09f8cbfb77977af6ffa6c8ee028e17267579c2ce2b377775bb248c3cb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMkCxtuC2tno.bat

Filesize
207B

MD5
3d1e554dcd6ca0aa4cff79d0a4de9352

SHA1
5f82e86eed7eb3eb58cdf0735378deefdc7d54e9

SHA256
71cd9f56b25ae904dd0d7e4b536d87547788e5132161552758a487b9e0a58fe4

SHA512
5497e8fc18221c9f34146abdefeb0cd14e8b4ab9fd0750857725bc9245f9ce6aea8cd725c6a47e67812144a27bc43b40704978a1f50225b4d7451aeebdbeac8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YubivA1fDkNX.bat

Filesize
207B

MD5
a1681173af489082e45b2dc0fb9bfe9b

SHA1
6269127097271255867dff2844f0c7d11f6c7078

SHA256
b4e949d45b7020e67293fe3f0bb756e6e356bb7febee22f76d454d9bcf370bc5

SHA512
322a3b78c6e2bb0b9ea59d666c906c434b88f11f2d00fd811b11ddcbff2818cefbc8837aadeab6a1ddcb6c3bda65f3ef59a7d0b7d772d8d5a4d44ba0ff480f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\aX2IR66Zs30z.bat

Filesize
207B

MD5
081157a5d0d02bbfc94a020d17e440fc

SHA1
bdc2e3b155dc2461a1e64024560c46021a222186

SHA256
7010a22f0ce75351165d35221a396ac7106a76bd35f2dc2153ec48a469db66aa

SHA512
a1f1f102fe280c14697ed618d509e25bc685826950eb7142c325184ebfa59a82306f54b44dc143b7e4265333c98e3fc7b6c60ad34c2d0900bfc09f6a3e4a0eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQ5SiASGEGmA.bat

Filesize
207B

MD5
a59feb56868cf867405acbf8b0b3da89

SHA1
f75578f41302bd334eb9694d7938e204740369b8

SHA256
00981646c8de9229f3fc1f8549e95b54acdbcd9da268f18cdcc58dccf26e8a91

SHA512
557e7e8e9cfa195b4ff06332c85607ec2a6667256fd3bcf30fd60588491be5ac411874b8c52305ded5b335a6455db7951ba681e7b6c45787efeb6ff31ab775fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYmWF07JG9i8.bat

Filesize
207B

MD5
0048919132ce1e28fd9bf80d526bb0b1

SHA1
e9c8d63fb99ad41f302efc159ccba4cf9c1f8aa9

SHA256
dc9c6db48e9d285faf433896df9afe92050b78df37b58c0d0d732fd110ee23c9

SHA512
f03f7bed479c54ae74deac03cd686ce7de474f60938e7afb94fbdd330546c6b18b2d8ea83a837958c32065ead8749c09b84818640104a284d1054680c0d884ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\jU7m8kVy7hpZ.bat

Filesize
207B

MD5
760277473f3103df15981afd25103521

SHA1
c3295f5932b7851b153c70c582c379d9c49efea4

SHA256
ea613edb0c996d22e8e5fbd3287255b3746be1f84bde67632542d5e4e39a09d6

SHA512
18323c2f776b85b105714f9a598ef0eade274db3842e518f65ef560f4b32a3c5e0687175790c456c872780b823a8f0bbacda18d204c7e2be4dc5267bc692e529

Download Submit
C:\Users\Admin\AppData\Local\Temp\kXevQcmtlSIv.bat

Filesize
207B

MD5
6b2278cbf7408afa01595e84c44ee99a

SHA1
9de762750038a29549e7f2c06279ce67d9c42487

SHA256
455133f2c1cac0811a695494b3dc8c1cac4402aa0c9fdcf0bed6858b2acba134

SHA512
98588123e2a5337c569d228452630aa3c2363cac93503f99071b3c0835a2229756c2120eb523d40819cd5b496ae8aa5d25d3ec0b82db8effc021a5fb59d409e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyRDt6oSJTIv.bat

Filesize
207B

MD5
4b796819bb6fed4e47c1627efb3a5780

SHA1
b9c74ed364a236d1ae01982a9fd1883fd8921be9

SHA256
1ba6cdc7e49c13f3642fdbbae22e00c7a5a3258824ef5945b3c7f2227ba6a523

SHA512
55dca4a466f1190dadb6020d5205b4969dba7923c79ff6b8df31e73ae5e2fe342d289b29f95b2696848bc2537b851189caa1f434ea4c0c66979a42d024196969

Download Submit
C:\Users\Admin\AppData\Roaming\Steam\svchost.exe

Filesize
3.1MB

MD5
a7d75b048989da5d22a1f7cca58edb51

SHA1
413d22b60ae540b3b11863e2107980b0403faf50

SHA256
884d0c2cefa850e384edd30c22b96dd9ca03443c7c57bdae7d6234c2ebf0d0c7

SHA512
4a453dc7f2a0e82d66fe5d73727ab2a23b5f00ea1b4a53032e4a538b72edf9caaf0894774d0fafb4af401f74a0b65bbf2d83a0cc643dc1a66ae23fb2136dd351

Download Submit
memory/968-52-0x00000000010A0000-0x00000000013C4000-memory.dmp

Filesize
3.1MB

Download
memory/1748-19-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/1748-9-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/1748-10-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/1748-7-0x0000000000F70000-0x0000000001294000-memory.dmp

Filesize
3.1MB

Download
memory/2012-160-0x0000000000180000-0x00000000004A4000-memory.dmp

Filesize
3.1MB

Download
memory/2064-75-0x0000000000F20000-0x0000000001244000-memory.dmp

Filesize
3.1MB

Download
memory/2216-64-0x00000000003F0000-0x0000000000714000-memory.dmp

Filesize
3.1MB

Download
memory/2264-138-0x0000000001330000-0x0000000001654000-memory.dmp

Filesize
3.1MB

Download
memory/2308-8-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2308-2-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2308-0-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

Filesize
4KB

Download
memory/2308-1-0x0000000000E10000-0x0000000001134000-memory.dmp

Filesize
3.1MB

Download
memory/2376-149-0x0000000000110000-0x0000000000434000-memory.dmp

Filesize
3.1MB

Download
memory/2928-96-0x0000000001230000-0x0000000001554000-memory.dmp

Filesize
3.1MB

Download
memory/3016-127-0x00000000012E0000-0x0000000001604000-memory.dmp

Filesize
3.1MB

Download