Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-12-2024 05:17

General

  • Target

    e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe

  • Size

    3.1MB

  • MD5

    5da0a355dcd44b29fdd27a5eba904d8d

  • SHA1

    1099e489937a644376653ab4b5921da9527f50a9

  • SHA256

    e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f

  • SHA512

    289ac0076045bcb1e8b35d572ed27eca424f718b9ef26d821a5cc7ee372203125a6c516b296044efc23ad4d4bd771e1d875cf74107b9205c5312a6c49d37b0a6

  • SSDEEP

    49152:3viI22SsaNYfdPBldt698dBcjHFfRJ6fbR3LoGd5THHB72eh2NT:3vv22SsaNYfdPBldt6+dBcjHFfRJ6x

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.1.79:4782

Mutex

956eafb2-7482-407b-bff4-d2b57a1c3d75

Attributes
  • encryption_key

    EFEBD005E03B8B8669985D9A167E2BEF9FFCA477

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open-source remote access tool (RAT) for Windows, written in C#.

  • Quasar family
  • Quasar payload 5 IoCs
  • Executes dropped EXE 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 10 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 11 IoCs
  • Suspicious use of SendNotifyMessage 11 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe
    "C:\Users\Admin\AppData\Local\Temp\e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2864
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2248
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QCexhAPeswhM.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2580
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2620
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:432
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2224
            • C:\Windows\system32\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\bnml9Qcfu59A.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3000
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:592
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:1572
                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:2816
                  • C:\Windows\system32\schtasks.exe
                    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2972
                  • C:\Windows\system32\cmd.exe
                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\jEplYNfX77ZD.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:844
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:764
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:1904
                      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:1184
                        • C:\Windows\system32\schtasks.exe
                          "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:2520
                        • C:\Windows\system32\cmd.exe
                          cmd /c ""C:\Users\Admin\AppData\Local\Temp\ySF0EkOxFyQC.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1608
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:2064
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:880
                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of SetWindowsHookEx
                              PID:1628
                              • C:\Windows\system32\schtasks.exe
                                "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:1536
                              • C:\Windows\system32\cmd.exe
                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\3XeulYmNX3wT.bat" "
                                11⤵
                                  PID:1804
                                  • C:\Windows\system32\chcp.com
                                    chcp 65001
                                    12⤵
                                      PID:556
                                    • C:\Windows\system32\PING.EXE
                                      ping -n 10 localhost
                                      12⤵
                                      • System Network Configuration Discovery: Internet Connection Discovery
                                      • Runs ping.exe
                                      PID:1832
                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of FindShellTrayWindow
                                      • Suspicious use of SendNotifyMessage
                                      • Suspicious use of SetWindowsHookEx
                                      PID:1808
                                      • C:\Windows\system32\schtasks.exe
                                        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                        13⤵
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1504
                                      • C:\Windows\system32\cmd.exe
                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TqhrD5yzl7Nu.bat" "
                                        13⤵
                                          PID:3068
                                          • C:\Windows\system32\chcp.com
                                            chcp 65001
                                            14⤵
                                              PID:2792
                                            • C:\Windows\system32\PING.EXE
                                              ping -n 10 localhost
                                              14⤵
                                              • System Network Configuration Discovery: Internet Connection Discovery
                                              • Runs ping.exe
                                              PID:2836
                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of FindShellTrayWindow
                                              • Suspicious use of SendNotifyMessage
                                              • Suspicious use of SetWindowsHookEx
                                              PID:2664
                                              • C:\Windows\system32\schtasks.exe
                                                "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                15⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2692
                                              • C:\Windows\system32\cmd.exe
                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\3swwnq0GEpZg.bat" "
                                                15⤵
                                                  PID:1716
                                                  • C:\Windows\system32\chcp.com
                                                    chcp 65001
                                                    16⤵
                                                      PID:1988
                                                    • C:\Windows\system32\PING.EXE
                                                      ping -n 10 localhost
                                                      16⤵
                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                      • Runs ping.exe
                                                      PID:2424
                                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of FindShellTrayWindow
                                                      • Suspicious use of SendNotifyMessage
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:1920
                                                      • C:\Windows\system32\schtasks.exe
                                                        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                        17⤵
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2024
                                                      • C:\Windows\system32\cmd.exe
                                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gJegSuk749yt.bat" "
                                                        17⤵
                                                          PID:1476
                                                          • C:\Windows\system32\chcp.com
                                                            chcp 65001
                                                            18⤵
                                                              PID:1140
                                                            • C:\Windows\system32\PING.EXE
                                                              ping -n 10 localhost
                                                              18⤵
                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                              • Runs ping.exe
                                                              PID:2892
                                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • Suspicious use of FindShellTrayWindow
                                                              • Suspicious use of SendNotifyMessage
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2992
                                                              • C:\Windows\system32\schtasks.exe
                                                                "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                19⤵
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:1964
                                                              • C:\Windows\system32\cmd.exe
                                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\zCggbd2p79qT.bat" "
                                                                19⤵
                                                                  PID:764
                                                                  • C:\Windows\system32\chcp.com
                                                                    chcp 65001
                                                                    20⤵
                                                                      PID:900
                                                                    • C:\Windows\system32\PING.EXE
                                                                      ping -n 10 localhost
                                                                      20⤵
                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                      • Runs ping.exe
                                                                      PID:2152
                                                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      • Suspicious use of FindShellTrayWindow
                                                                      • Suspicious use of SendNotifyMessage
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:544
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                        21⤵
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:2392
                                                                      • C:\Windows\system32\cmd.exe
                                                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZVzefbJZZrr9.bat" "
                                                                        21⤵
                                                                          PID:2076
                                                                          • C:\Windows\system32\chcp.com
                                                                            chcp 65001
                                                                            22⤵
                                                                              PID:1512
                                                                            • C:\Windows\system32\PING.EXE
                                                                              ping -n 10 localhost
                                                                              22⤵
                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                              • Runs ping.exe
                                                                              PID:892
                                                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • Suspicious use of FindShellTrayWindow
                                                                              • Suspicious use of SendNotifyMessage
                                                                              PID:736
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                23⤵
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:388
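
The tree above shows the whole persistence loop: each Client.exe instance re-registers the scheduled task "Quasar Client Startup" (/sc ONLOGON, /rl HIGHEST, target under %APPDATA%\SubDir), then drops a .bat in %TEMP% that runs chcp 65001, sleeps with ping -n 10 localhost, and launches a fresh Client.exe, which repeats the cycle. The extracted config gives the exact task name and install path to match on. The Python below is an added example, not part of the sandbox report and not Quasar's own code: it derives hunt artifacts from the config and runs two detections over process-creation events. The events are constructed from the first generations of the tree (the pid/ppid/image/cmdline shape is an assumed Sysmon-like layout, and ppid 0 for the root just means its parent is not in the report). It also flags that the C2 192.168.1.79 is an RFC 1918 address, i.e. lab or internal infrastructure rather than something to push to a perimeter block list.

```python
"""Hunt the Quasar persistence chain shown in this report. Added example, not code
from the sandbox report or the Quasar project; events are constructed from the tree."""
import ipaddress
import re
from collections import namedtuple

# Values as extracted in the "Malware Config" section above.
CONFIG = {"c2": "192.168.1.79:4782", "install_name": "Client.exe",
          "subdirectory": "SubDir", "startup_key": "Quasar Client Startup",
          "mutex": "956eafb2-7482-407b-bff4-d2b57a1c3d75"}


def derive_artifacts(cfg):
    """Concrete things to hunt for. %APPDATA%\\<subdirectory>\\<install_name> is the
    layout the tree shows; the private-range flag stops a lab C2 becoming a block-list IOC."""
    host, port = cfg["c2"].rsplit(":", 1)
    suffix = "\\appdata\\roaming\\%s\\%s" % (cfg["subdirectory"], cfg["install_name"])
    return {"c2_host": host, "c2_port": int(port),
            "c2_is_private": ipaddress.ip_address(host).is_private,
            "install_suffix": suffix.lower(), "task_name": cfg["startup_key"],
            "mutex": cfg["mutex"]}


# Assumed Sysmon-like process-creation record (not a real log format).
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")


def _opt(cmdline, flag):
    """Value of a schtasks-style /flag, quotes stripped; None if absent."""
    m = re.search(rf'/{flag}\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))


def detect_task_persistence(events, art):
    """T1053.005: schtasks /create that fires at logon, runs elevated, and points
    into a user-writable directory or at the configured install path."""
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\schtasks.exe") or not re.search(r"/create\b", e.cmdline, re.I):
            continue
        name, sched, target, level = (_opt(e.cmdline, f) for f in ("tn", "sc", "tr", "rl"))
        checks = [
            ("onlogon", (sched or "").lower() == "onlogon"),
            ("run_level_highest", (level or "").lower() == "highest"),
            ("target_in_appdata", bool(target) and "\\appdata\\" in target.lower()),
            ("known_task_name", name == art["task_name"]),
            ("known_install_path", bool(target) and target.lower().endswith(art["install_suffix"])),
        ]
        reasons = [label for label, hit in checks if hit]
        if len(reasons) >= 2:  # a single reason (e.g. ONLOGON alone) is too noisy
            findings.append({"pid": e.pid, "task": name, "target": target, "reasons": reasons})
    return findings


def detect_restart_chain(events):
    """Quasar-style relaunch: parent -> cmd /c %TEMP%\\*.bat -> ping -n N localhost
    (used as a sleep) -> a fresh process of the same image as the parent."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for cmd in events:
        if not cmd.image.lower().endswith("\\cmd.exe") or not re.search(r'\\temp\\[^"]+\.bat', cmd.cmdline, re.I):
            continue
        parent = by_pid.get(cmd.ppid)
        kids = [k for k in events if k.ppid == cmd.pid]
        sleeps = [k for k in kids if re.search(r"ping\s+-n\s+\d+\s+localhost", k.cmdline, re.I)]
        relaunch = [k for k in kids if parent and k.image.lower() == parent.image.lower()]
        if sleeps and relaunch:
            findings.append({"cmd_pid": cmd.pid, "parent_pid": parent.pid, "relaunched_pid": relaunch[0].pid})
    return findings


def hunt(events, cfg=CONFIG):
    art = derive_artifacts(cfg)
    return {"artifacts": art, "task_persistence": detect_task_persistence(events, art),
            "restart_chains": detect_restart_chain(events)}


# Constructed from the first generations of the process tree above (ppid 0 = parent not in report).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f.exe"
CLIENT = r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
TASK_CMD = (r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
            r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f')
EVENTS = [
    ProcEvent(2492, 0, SAMPLE, '"%s"' % SAMPLE),
    ProcEvent(2864, 2492, r"C:\Windows\system32\schtasks.exe", TASK_CMD),
    ProcEvent(2764, 2492, CLIENT, '"%s"' % CLIENT),
    ProcEvent(2248, 2764, r"C:\Windows\system32\schtasks.exe", TASK_CMD),
    ProcEvent(1520, 2764, r"C:\Windows\system32\cmd.exe", r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\QCexhAPeswhM.bat" "'),
    ProcEvent(2580, 1520, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(2620, 1520, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    ProcEvent(432, 1520, CLIENT, '"%s"' % CLIENT),
]

if __name__ == "__main__":
    import json
    print(json.dumps(hunt(EVENTS), indent=2))
```

Two points worth carrying into a real hunt: the dropped Client.exe in the Downloads section has exactly the same SHA256 as the submitted sample, so the install step is a byte-for-byte self-copy and the file hash is as good an IOC as the path; and the task-persistence rule deliberately requires at least two reasons, because /sc ONLOGON or /rl HIGHEST on their own match plenty of legitimate installers.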

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3XeulYmNX3wT.bat

    Filesize 207B
    MD5 afb6bd7187820e6232f8f3cf81a08d85
    SHA1 55b4ffbcf3069e2404ad44bf4a025f20ded760e7
    SHA256 eb3a68c8416ed5669c761e1284b73be68e390b0ecb1a90097ddaad37c3851b2c
    SHA512 c0099523f8ea0c4193b8835bf37a6b2e4a5f3033c96ae735879385959683833a8c35fbaf93700eed4bc6807d2f32acb0604b5f53d61dc6c55a5abce1ac4048aa

  • C:\Users\Admin\AppData\Local\Temp\3swwnq0GEpZg.bat

    Filesize 207B
    MD5 96968a3fcae7b47ab40f850b79bc984d
    SHA1 972fb26c489368c7dd1999ec4b848021c7c2f3d6
    SHA256 80f03cb68b4ab6199c90b9bd2015814ba8938dceeaaccc9d29505fe4fc1b1a14
    SHA512 54b1f83f4501e048c4314d930183f2446e7f85c908592d1b8c642b439a2bef2e557e19f9e405b9e713af05532fbe6694249b776f5d6d7da89d45be3007c60893

  • C:\Users\Admin\AppData\Local\Temp\QCexhAPeswhM.bat

    Filesize 207B
    MD5 c1079b405958041a168207cf65b76a10
    SHA1 7e5f407b0d9ed95daf6981275432e2c95e45aa5e
    SHA256 f29e7ee6b32c1d0e3bb90491e4c680f917d209a16b2393f7ee10de255543b6da
    SHA512 2d2a7fd402ef4dfe225955d1d35835abefc784c850e44f429cafd738a9d43df1e78577b94c305949f696718074a783c1f82ee431f6c7a28ee78e8b847b26c365

  • C:\Users\Admin\AppData\Local\Temp\TqhrD5yzl7Nu.bat

    Filesize 207B
    MD5 51412f8f993fb4c406f9d3c8b1c862b5
    SHA1 8b1c675a3a41f2acba5c46999e992fc45ee30e9e
    SHA256 ba5fdbcb435af332c3f7da587b60f9283e4e2fbc7f0af72e4f3c3cfa66753756
    SHA512 6d3e06b27e4c3f725ff7ef10bc03d4f7ccb85388c802700d64bff3535fcda53ae06d389121d9bc1dca647e1e56d38842114d577b9233857bda162b734aa53af1

  • C:\Users\Admin\AppData\Local\Temp\ZVzefbJZZrr9.bat

    Filesize 207B
    MD5 6c22dd324d3d5939c7b9a2388a1a765c
    SHA1 ac7d83048a6ec290b4d0dc06fd121fa1a3817b67
    SHA256 48836dbb245074df4c74850401c8c883791557b8c7e4c68c33618199b457964a
    SHA512 eefa952bc6f470a4a3cffeae6275cc82ad67ef935d875343ac47b948293055599096c06b9465c89e572aaca0185c504abf592700ee28f64c5c377a054f54fe89

  • C:\Users\Admin\AppData\Local\Temp\bnml9Qcfu59A.bat

    Filesize 207B
    MD5 aa9323321decc56a6cb7f49ed197f088
    SHA1 96ec0569548e844529b7d804a765a03f0804402b
    SHA256 e61cf8e25d272b4c2998f7e4ec62e08a20b7e00a0a4b6a4e9367baa085ec2931
    SHA512 0c5b81ff1569899b01fe806ce7933230e53db743e9377c16eb0206b8113dd6a26e8d4457d141189c361060875703dd1b284ef7e0c4f7a1b3dcd44ae19e53acf2

  • C:\Users\Admin\AppData\Local\Temp\gJegSuk749yt.bat

    Filesize 207B
    MD5 167b7d2c46b1968858ba2e073d0635e0
    SHA1 964d05bf3df39ad7a2d64c775c081b2f706cf1ed
    SHA256 650209fe0d8c8a97069f62ae15f0a7bf13b13f5f89af6ada686c50577b8ee1f1
    SHA512 d2cc7c9985f8fda6d2bee1df119caa17de4ffcafc408677c6597c3be0900dec07dbbfc33449ae05b74ef012ab8e35142fed3dbdf209e4b32be7b05c995673ea6

  • C:\Users\Admin\AppData\Local\Temp\jEplYNfX77ZD.bat

    Filesize 207B
    MD5 34ffa512bb7d113355739c87c0bdba03
    SHA1 e86d814b960db342e47d6d90a150229d0bb0c812
    SHA256 92d47bd7c4c88aeec73cf0cdd8a539da0533093ae5827b5eb6fe0df9c7d162fa
    SHA512 380718e7174b47feda1be7d2405d37e4b82ea6c2095c594f362c9a5dc035b5df596cb1559ae3ceb169253a233e8528a4844eb18b83ecb257b388bd3ea8526886

  • C:\Users\Admin\AppData\Local\Temp\ySF0EkOxFyQC.bat

    Filesize 207B
    MD5 f2483a9fb59edd0c0ad53b16fa8d759d
    SHA1 45c2f6b08f7e50cf96ee2451adb41580d2b6d34c
    SHA256 7b86bacf0c97e093f6aae76a34a387cb17ca3f5566ce5658a3ddd4d0e1b6199d
    SHA512 611e0252a7e76c71dd9a011b9470e62ba6f5656f48259c9b0af407102a5f12c79a188780c92d013999dacb8908aef6bed6d147db8bc2b602bbccca702ad84275

  • C:\Users\Admin\AppData\Local\Temp\zCggbd2p79qT.bat

    Filesize 207B
    MD5 8677b88e5c88bdfda55709f9bc063743
    SHA1 07841f9b0f132f3741d783ed801c9890bd3548b3
    SHA256 3dd5f63764673204ae85860f6690ff2609ee52949b8ec13cdb54560bf593ce01
    SHA512 8bf057e56fb8299889fe916f50c686ec96e49ef6e99ea15becbb681bb8f82cd8c0a120b0e8569b4d88ff83706929bf8b3b09e0925914b88f7424fba21716a8b6

  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

    Filesize 3.1MB
    MD5 5da0a355dcd44b29fdd27a5eba904d8d
    SHA1 1099e489937a644376653ab4b5921da9527f50a9
    SHA256 e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f
    SHA512 289ac0076045bcb1e8b35d572ed27eca424f718b9ef26d821a5cc7ee372203125a6c516b296044efc23ad4d4bd771e1d875cf74107b9205c5312a6c49d37b0a6

  • memory/432-23-0x0000000001000000-0x0000000001324000-memory.dmp

    Filesize 3.1MB

  • memory/2492-0-0x000007FEF6503000-0x000007FEF6504000-memory.dmp

    Filesize 4KB

  • memory/2492-10-0x000007FEF6500000-0x000007FEF6EEC000-memory.dmp

    Filesize 9.9MB

  • memory/2492-2-0x000007FEF6500000-0x000007FEF6EEC000-memory.dmp

    Filesize 9.9MB

  • memory/2492-1-0x0000000000870000-0x0000000000B94000-memory.dmp

    Filesize 3.1MB

  • memory/2664-77-0x00000000012A0000-0x00000000015C4000-memory.dmp

    Filesize 3.1MB

  • memory/2764-20-0x000007FEF6500000-0x000007FEF6EEC000-memory.dmp

    Filesize 9.9MB

  • memory/2764-11-0x000007FEF6500000-0x000007FEF6EEC000-memory.dmp

    Filesize 9.9MB

  • memory/2764-9-0x0000000000CB0000-0x0000000000FD4000-memory.dmp

    Filesize 3.1MB

  • memory/2764-8-0x000007FEF6500000-0x000007FEF6EEC000-memory.dmp

    Filesize 9.9MB