quasar | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

08/05/2025, 20:31

250508-za4lkaar2s 10

07/05/2025, 21:52

07/05/2025, 16:33

07/05/2025, 13:51

07/05/2025, 13:46

Analysis

max time kernel
17s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20250502-en
resource tags

arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2025, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

quasar nigga office04 discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

epotiz-56104.portmap.host:56104

Mutex

dff263c5-5f46-4ebd-b314-af4f281b1196

Attributes

encryption_key
91AE6D01E5588CB2EC925069EE1425C401902592
install_name
Realtek HD Audio Manager.exe
key_salt
bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
log_directory
Logs
reconnect_delay
3000
startup_key
Realtek HD Audio Manager
subdirectory
Realtek HD Audio Manager

Extracted

Family

quasar

Version

1.4.1

Botnet

Nigga

yzs-42879.portmap.host:42879

Mutex

57d72303-b5e9-46aa-8cc4-9690809c1a9e

Attributes

encryption_key
F1EBDB1862062F9265C0B5AC4D02C76D026534D0
install_name
svchost.exe
key_salt
bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
Steam

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0009000000024245-8.dat	family_quasar
behavioral1/memory/1580-16-0x0000000000EC0000-0x00000000011E4000-memory.dmp	family_quasar
behavioral1/files/0x000500000002225b-51.dat	family_quasar
behavioral1/memory/1156-60-0x0000000000720000-0x0000000000A44000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5172	powershell.exe
5708	powershell.exe
4420	powershell.exe
372	powershell.exe
6140	powershell.exe
4004	powershell.exe

Downloads MZ/PE file 3 IoCs

flow	pid	Process
24	3800	4363463463464363463463463.exe
24	3800	4363463463464363463463463.exe
24	3800	4363463463464363463463463.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1580	Realtek%20HD%20Audio%20Manager.exe
5052	Vikings.exe
1156	example_win32_dx11.exe
3556	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
21	raw.githubusercontent.com
24	raw.githubusercontent.com
42	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1748	3908	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vikings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4904	PING.EXE
4088	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000_Classes\Local Settings	taskmgr.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4088	PING.EXE
4904	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
5172	powershell.exe
5172	powershell.exe
1132	taskmgr.exe
1132	taskmgr.exe
5708	powershell.exe
5708	powershell.exe
5708	powershell.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
4420	powershell.exe
4420	powershell.exe
1132	taskmgr.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe
1132	taskmgr.exe
1132	taskmgr.exe
6140	powershell.exe
6140	powershell.exe
1132	taskmgr.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
1132	taskmgr.exe
1132	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3800	4363463463464363463463463.exe
Token: SeDebugPrivilege	1580	Realtek%20HD%20Audio%20Manager.exe
Token: SeDebugPrivilege	5052	Vikings.exe
Token: SeDebugPrivilege	5172	powershell.exe
Token: SeDebugPrivilege	1156	example_win32_dx11.exe
Token: SeDebugPrivilege	1132	taskmgr.exe
Token: SeSystemProfilePrivilege	1132	taskmgr.exe
Token: SeCreateGlobalPrivilege	1132	taskmgr.exe
Token: SeDebugPrivilege	5708	powershell.exe
Token: SeDebugPrivilege	3556	svchost.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	6140	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe

Suspicious use of SendNotifyMessage 23 IoCs

pid	Process
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe
1132	taskmgr.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 1580	3800	4363463463464363463463463.exe	92
PID 3800 wrote to memory of 1580	3800	4363463463464363463463463.exe	92
PID 3800 wrote to memory of 5052	3800	4363463463464363463463463.exe	93
PID 3800 wrote to memory of 5052	3800	4363463463464363463463463.exe	93
PID 3800 wrote to memory of 5052	3800	4363463463464363463463463.exe	93
PID 5052 wrote to memory of 5172	5052	Vikings.exe	95
PID 5052 wrote to memory of 5172	5052	Vikings.exe	95
PID 5052 wrote to memory of 5172	5052	Vikings.exe	95
PID 3800 wrote to memory of 1156	3800	4363463463464363463463463.exe	97
PID 3800 wrote to memory of 1156	3800	4363463463464363463463463.exe	97
PID 5172 wrote to memory of 5708	5172	powershell.exe	99
PID 5172 wrote to memory of 5708	5172	powershell.exe	99
PID 5172 wrote to memory of 5708	5172	powershell.exe	99
PID 1156 wrote to memory of 3556	1156	example_win32_dx11.exe	100
PID 1156 wrote to memory of 3556	1156	example_win32_dx11.exe	100
PID 3556 wrote to memory of 5996	3556	svchost.exe	101
PID 3556 wrote to memory of 5996	3556	svchost.exe	101
PID 5996 wrote to memory of 536	5996	cmd.exe	103
PID 5996 wrote to memory of 536	5996	cmd.exe	103
PID 5996 wrote to memory of 4904	5996	cmd.exe	104
PID 5996 wrote to memory of 4904	5996	cmd.exe	104
PID 5052 wrote to memory of 4420	5052	Vikings.exe	105
PID 5052 wrote to memory of 4420	5052	Vikings.exe	105
PID 5052 wrote to memory of 4420	5052	Vikings.exe	105
PID 4420 wrote to memory of 372	4420	powershell.exe	107
PID 4420 wrote to memory of 372	4420	powershell.exe	107
PID 4420 wrote to memory of 372	4420	powershell.exe	107
PID 5052 wrote to memory of 6140	5052	Vikings.exe	108
PID 5052 wrote to memory of 6140	5052	Vikings.exe	108
PID 5052 wrote to memory of 6140	5052	Vikings.exe	108
PID 6140 wrote to memory of 4004	6140	powershell.exe	110
PID 6140 wrote to memory of 4004	6140	powershell.exe	110
PID 6140 wrote to memory of 4004	6140	powershell.exe	110

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Downloads MZ/PE file
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Users\Admin\AppData\Local\Temp\Files\Realtek%20HD%20Audio%20Manager.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Realtek%20HD%20Audio%20Manager.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\Files\Vikings.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Vikings.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Yota'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5172
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Yota
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5708
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:372
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:6140
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4004
- - C:\Yota\multiyota.exe
    "C:\Yota\multiyota.exe"
    3⤵
    PID:3908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 792
      4⤵
      Program crash
      PID:1748
- C:\Users\Admin\AppData\Local\Temp\Files\example_win32_dx11.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\example_win32_dx11.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DlzAZucNp68Y.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5996
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:536
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4904
    - - C:\Users\Admin\AppData\Roaming\Steam\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe"
        5⤵
        
        PID:384
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uPQd5ylemsET.bat" "
        6⤵
        
        PID:4960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4088

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3908 -ip 3908
1⤵
PID:3876

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
420B

MD5
f12c338203eab3fe3a6fba6b1d6c6597

SHA1
6dc5ee6c42b962c2db5c646d38a09b0a6b339005

SHA256
8aaae4536aeb0191adc8f84217ad9e0c5b3a58389ec144c7c1aa118b3033b7eb

SHA512
60df2b92c4572b4e54d75a44debe82141a7382a8df9ad24d950ee65c45bba3d35dede1d1502ce1c2726d83de4d5d16fa8cef5559abbf8f6af74931c1ff21a824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
562717e5b482f58fbd9f11eb95cf200e

SHA1
e850f4a2d660526af507075c57f4fcfae15abef0

SHA256
f95351ede440bdb02d3639f697f7c29152ba13b8ad42bf358f4893c82115aef1

SHA512
9833206359778b2fdf8c88018ea8ae029110c6a02b16d1891d463bdd7a908d86bb5ad5f83ad82e285a0a7d6ef77ed5cf903c9bc1cef3c733e7479495b666cecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
3dd153bc8e7ec3cc2c52dd05426f5daf

SHA1
d970d44b433961ec4c4aad025867517c99084509

SHA256
5275b936e7ad266aa33cadb280fc47ddd763a87361635737dd2d787592b6c8e5

SHA512
bac8a089d1ee67761403614470f2fa2222ead8d6ccc6309baee32f64add42dface8c421fbddc7c417d989961cd6a444892e64705cd25badf347c503e84aee31c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
688d4103ea7d4eeb63a1a24581a56fd0

SHA1
34229574dcc092129f2c6388b6ced36cbce21886

SHA256
44b298889b7be21f87357feeb1308a70f3e457b4c295e280c644ab857515bae8

SHA512
cf630e6451b7d232b6ba7a73e0edab99c8ed7c2fbc137a21d9f358e139ded1cb118383a6db2f54a7924a6a414472683fb7e980d34f8504d40330e328091a4e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DlzAZucNp68Y.bat

Filesize
207B

MD5
b54e475469c0b84d45e8554b9cb8a974

SHA1
44146b0b10a6a4800a6d80b7f35fed04d70b202e

SHA256
5e89f1a1cd55cce093e4004ab8128b0e2a460d4da571f8bc35f246ae30e5d597

SHA512
4adf21fb4eb2ad0db777084652eca43da1a7f649d0a9a581f439537acdc859ff7e530ace6ce382f4bb27442a37f74d7f6db060afa81574ec17cf153913bb2d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Realtek%20HD%20Audio%20Manager.exe

Filesize
3.1MB

MD5
20eeb65678c6fcffcc30cc2fc429f572

SHA1
182305533e4a842da880cf204604456e838878db

SHA256
4266be83abea2867cfa44836d014983f658f688a1f96fe74bed4b2b5f0d59c1b

SHA512
f32cc7a2b5fde293bc9bb6e99c75b92d5725297f128a945f6edcb9ab4d6579ca388370bca5ddff1b5532d6b5e248641bf232a71af93aa031cb86097ed745a872

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Vikings.exe

Filesize
10KB

MD5
732352bfae7311001cea7e8af6c0bfb3

SHA1
122d3235c0d63190611e0993378ba9b77892d53e

SHA256
7ecf83ecf249c5a43ee1649d6e15ca25705f82ae052475c9230cf65de0947464

SHA512
f398d8533191470184a650cc8aa774b83028f154cc804f0d2a78a7f5f784ce72a2d0bcd96116ec5177c96d619910d37688a158bd28ebfa7e631ee08164daa8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\example_win32_dx11.exe

Filesize
3.1MB

MD5
a7d75b048989da5d22a1f7cca58edb51

SHA1
413d22b60ae540b3b11863e2107980b0403faf50

SHA256
884d0c2cefa850e384edd30c22b96dd9ca03443c7c57bdae7d6234c2ebf0d0c7

SHA512
4a453dc7f2a0e82d66fe5d73727ab2a23b5f00ea1b4a53032e4a538b72edf9caaf0894774d0fafb4af401f74a0b65bbf2d83a0cc643dc1a66ae23fb2136dd351

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kepek.exe

Filesize
411B

MD5
d886b65b3a71460938224bbece88f2df

SHA1
0331ed3126d7f78bcdde2287da70e8a3da46431b

SHA256
f80dc39bb3b7ae017bc2d0ab465c814c1c1ac5b12c5fd4e0c559dbc76afe82ff

SHA512
90c903918de6ce98649bfdf9a4a434c83e7ba96f5050db490f3135437d05533277097b6270bd6aa8a7eae464672cc0784a7d57ef6261b60ed3bb56e4fbbc9ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bzcce2gl.ndi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\uPQd5ylemsET.bat

Filesize
207B

MD5
3b3f6324e9a3e0c90ed2d47a3fac102d

SHA1
935f9bef9f39bf7931bfa71dd349011bfeab0f5e

SHA256
0e978a7841ced334743b3f0bb9e94bf33126768a01d2d6ec4f0ad1878c63273d

SHA512
ccf10643701319a317b2590482f06be323991c66f9c45f1579ce10bb0da304c803f1151113b9891b6e3776d6612114401ec93026b1e332170aa593d301123cb8

Download Submit
C:\Yota\multiyota.exe

Filesize
212KB

MD5
d9a23524fc7e744b547ee35a00c80cae

SHA1
ac189d3ed4a5c8d094dbb0f9197c88f92f567929

SHA256
b41ad61bdf186fe82b70dc045791e0bab5d9566ba56b010b19c494dbbd70db31

SHA512
f815ad8516aa3d4c4f35abc2a42b8e6119cd2a022d9475e2c9cc25649736a89cb7b46f2b3def79bfdcb82bc9798de397a8b95f6fe04ba337c90d1c1b85cb4861

Download Submit
memory/372-158-0x000000006F8F0000-0x000000006F93C000-memory.dmp

Filesize
304KB

Download
memory/1132-90-0x000001FB65020000-0x000001FB65021000-memory.dmp

Filesize
4KB

Download
memory/1132-99-0x000001FB65020000-0x000001FB65021000-memory.dmp

Filesize
4KB

Download
memory/1132-96-0x000001FB65020000-0x000001FB65021000-memory.dmp

Filesize
4KB

Download
memory/1132-97-0x000001FB65020000-0x000001FB65021000-memory.dmp

Filesize
4KB

Download
memory/1132-98-0x000001FB65020000-0x000001FB65021000-memory.dmp

Filesize
4KB

Download
memory/1132-100-0x000001FB65020000-0x000001FB65021000-memory.dmp

Filesize
4KB

Download
memory/1132-101-0x000001FB65020000-0x000001FB65021000-memory.dmp

Filesize
4KB

Download
memory/1132-102-0x000001FB65020000-0x000001FB65021000-memory.dmp

Filesize
4KB

Download
memory/1132-91-0x000001FB65020000-0x000001FB65021000-memory.dmp

Filesize
4KB

Download
memory/1132-92-0x000001FB65020000-0x000001FB65021000-memory.dmp

Filesize
4KB

Download
memory/1156-60-0x0000000000720000-0x0000000000A44000-memory.dmp

Filesize
3.1MB

Download
memory/1580-28-0x00007FF882AC0000-0x00007FF883581000-memory.dmp

Filesize
10.8MB

Download
memory/1580-157-0x00007FF882AC0000-0x00007FF883581000-memory.dmp

Filesize
10.8MB

Download
memory/1580-15-0x00007FF882AC3000-0x00007FF882AC5000-memory.dmp

Filesize
8KB

Download
memory/1580-136-0x00007FF882AC3000-0x00007FF882AC5000-memory.dmp

Filesize
8KB

Download
memory/1580-16-0x0000000000EC0000-0x00000000011E4000-memory.dmp

Filesize
3.1MB

Download
memory/3556-103-0x000000001C800000-0x000000001C8B2000-memory.dmp

Filesize
712KB

Download
memory/3556-89-0x000000001AF90000-0x000000001AFE0000-memory.dmp

Filesize
320KB

Download
memory/3800-3-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/3800-0-0x000000007487E000-0x000000007487F000-memory.dmp

Filesize
4KB

Download
memory/3800-2-0x0000000005620000-0x00000000056BC000-memory.dmp

Filesize
624KB

Download
memory/3800-73-0x000000007487E000-0x000000007487F000-memory.dmp

Filesize
4KB

Download
memory/3800-74-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/3800-1-0x0000000000C70000-0x0000000000C78000-memory.dmp

Filesize
32KB

Download
memory/3908-219-0x0000000000AB0000-0x0000000000AEC000-memory.dmp

Filesize
240KB

Download
memory/4004-191-0x000000006F8F0000-0x000000006F93C000-memory.dmp

Filesize
304KB

Download
memory/4420-146-0x00000000054D0000-0x0000000005824000-memory.dmp

Filesize
3.3MB

Download
memory/5052-171-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/5052-218-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/5052-32-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/5052-29-0x0000000000D00000-0x0000000000D08000-memory.dmp

Filesize
32KB

Download
memory/5052-30-0x000000007487E000-0x000000007487F000-memory.dmp

Filesize
4KB

Download
memory/5052-31-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/5172-37-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/5172-72-0x0000000005FD0000-0x000000000601C000-memory.dmp

Filesize
304KB

Download
memory/5172-33-0x0000000004700000-0x0000000004736000-memory.dmp

Filesize
216KB

Download
memory/5172-34-0x0000000004D70000-0x0000000005398000-memory.dmp

Filesize
6.2MB

Download
memory/5172-35-0x00000000053E0000-0x0000000005402000-memory.dmp

Filesize
136KB

Download
memory/5172-36-0x0000000005580000-0x00000000055E6000-memory.dmp

Filesize
408KB

Download
memory/5172-61-0x0000000005760000-0x0000000005AB4000-memory.dmp

Filesize
3.3MB

Download
memory/5172-71-0x0000000005C70000-0x0000000005C8E000-memory.dmp

Filesize
120KB

Download
memory/5708-125-0x0000000007650000-0x00000000076E6000-memory.dmp

Filesize
600KB

Download
memory/5708-122-0x0000000007A10000-0x000000000808A000-memory.dmp

Filesize
6.5MB

Download
memory/5708-118-0x00000000070C0000-0x0000000007163000-memory.dmp

Filesize
652KB

Download
memory/5708-105-0x0000000007080000-0x00000000070B2000-memory.dmp

Filesize
200KB

Download
memory/5708-116-0x0000000007040000-0x000000000705E000-memory.dmp

Filesize
120KB

Download
memory/5708-106-0x000000006F8F0000-0x000000006F93C000-memory.dmp

Filesize
304KB

Download
memory/5708-123-0x00000000073D0000-0x00000000073EA000-memory.dmp

Filesize
104KB

Download
memory/5708-124-0x0000000007440000-0x000000000744A000-memory.dmp

Filesize
40KB

Download
memory/5708-127-0x0000000007600000-0x000000000760E000-memory.dmp

Filesize
56KB

Download
memory/5708-126-0x00000000075D0000-0x00000000075E1000-memory.dmp

Filesize
68KB

Download
memory/5708-130-0x00000000076F0000-0x00000000076F8000-memory.dmp

Filesize
32KB

Download
memory/5708-129-0x0000000007710000-0x000000000772A000-memory.dmp

Filesize
104KB

Download
memory/5708-128-0x0000000007610000-0x0000000007624000-memory.dmp

Filesize
80KB

Download