Analysis

max time kernel: 6s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220718-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-07-2022 07:58
Behavioral task: behavioral1
  Sample: ea9da1047cd9f8d93602a679e6c95e1d.exe
  Resource: win7-20220718-en

Behavioral task: behavioral2
  Sample: ea9da1047cd9f8d93602a679e6c95e1d.exe
  Resource: win10v2004-20220718-en
General

Target: ea9da1047cd9f8d93602a679e6c95e1d.exe
Size: 2.0MB
MD5: ea9da1047cd9f8d93602a679e6c95e1d
SHA1: b0e94c4d54e561ddd1d30ec34113d4f35149b421
SHA256: 0a9ddda2208d336240816293316219caba2b0bb1f5a1b9c148b1e01115f4d4e5
SHA512: cdf08f601337e49f231da412b8bf17c732895d2c1a01ad839333a88c1d4c0b93384f8fd9e959c845044a2df518284f7c1f2ccd4881b87952c0978ae3de7f25c3
Malware Config

Extracted: quasar
  1.3.0.0
  EbayProfiles
  5.8.88.191:443
  sockartek.icu:443
  QSR_MUTEX_0kBRNrRz5TDLEQouI0
  encryption_key: MWhG6wsClMX8aJM2CVXT
  install_name: winsock.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: win defender run
  subdirectory: SubDir

Extracted: azorult
  http://0x21.in:8000/_az/
Signatures

Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Quasar payload (13 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\windef.exe (4 hits) | family_quasar
  behavioral2/memory/2196-147-0x0000000000DA0000-0x0000000000DFE000-memory.dmp | family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe (5 hits) | family_quasar
  C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe (3 hits) | family_quasar
suricata: ET MALWARE Common RAT Connectivity Check Observed
Executes dropped EXE (3 IoCs)
  pid | process
  1168 | vnc.exe
  2196 | windef.exe
  1424 | winsock.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Control Panel\International\Geo\Nation | ea9da1047cd9f8d93602a679e6c95e1d.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process
  File opened (read-only) | \??\i:, \??\j:, \??\q:, \??\r:, \??\s:, \??\e:, \??\f:, \??\h:, \??\u:, \??\w:, \??\z:, \??\t:, \??\y:, \??\a:, \??\k:, \??\m:, \??\x:, \??\b:, \??\n:, \??\v:, \??\p:, \??\g:, \??\l:, \??\o: (every drive letter except c: and d:) | ea9da1047cd9f8d93602a679e6c95e1d.exe
Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  6 | ip-api.com
Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | svchost.exe
AutoIT Executable (3 IoCs)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe (3 hits) | autoit_exe
Suspicious use of SetThreadContext (2 IoCs)
  description | pid | process | target process
  PID 1008 set thread context of 2052 | 1008 | ea9da1047cd9f8d93602a679e6c95e1d.exe | ea9da1047cd9f8d93602a679e6c95e1d.exe
  PID 1168 set thread context of 2612 | 1168 | vnc.exe | svchost.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (3 IoCs)
  pid | pid_target | process | target process
  3636 | 1424 | WerFault.exe | winsock.exe
  2488 | 4812 | WerFault.exe | winsock.exe
  956 | 4908 | WerFault.exe | winsock.exe
Creates scheduled task(s) (1 TTPs, 7 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | process
  5024 | schtasks.exe
  4984 | schtasks.exe
  2184 | schtasks.exe
  3368 | schtasks.exe
  1588 | schtasks.exe
  4956 | schtasks.exe
  4256 | schtasks.exe
Runs ping.exe (1 TTPs, 3 IoCs)
  pid | process
  4516 | PING.EXE
  4712 | PING.EXE
  2632 | PING.EXE
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  1008 | ea9da1047cd9f8d93602a679e6c95e1d.exe (4 hits)
Suspicious behavior: MapViewOfSection (1 IoCs)
  pid | process
  1168 | vnc.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2196 | windef.exe
  Token: SeDebugPrivilege | 1424 | winsock.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | process
  1424 | winsock.exe
Suspicious use of WriteProcessMemory (28 IoCs)
  description | pid | process | target process
  PID 1008 wrote to memory of 1168 (3 hits) | 1008 | ea9da1047cd9f8d93602a679e6c95e1d.exe | vnc.exe
  PID 1008 wrote to memory of 2196 (3 hits) | 1008 | ea9da1047cd9f8d93602a679e6c95e1d.exe | windef.exe
  PID 1168 wrote to memory of 2612 (5 hits) | 1168 | vnc.exe | svchost.exe
  PID 1008 wrote to memory of 2052 (5 hits) | 1008 | ea9da1047cd9f8d93602a679e6c95e1d.exe | ea9da1047cd9f8d93602a679e6c95e1d.exe
  PID 1008 wrote to memory of 5024 (3 hits) | 1008 | ea9da1047cd9f8d93602a679e6c95e1d.exe | schtasks.exe
  PID 2196 wrote to memory of 4984 (3 hits) | 2196 | windef.exe | schtasks.exe
  PID 2196 wrote to memory of 1424 (3 hits) | 2196 | windef.exe | winsock.exe
  PID 1424 wrote to memory of 2184 (3 hits) | 1424 | winsock.exe | schtasks.exe
Processes

C:\Users\Admin\AppData\Local\Temp\ea9da1047cd9f8d93602a679e6c95e1d.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\ea9da1047cd9f8d93602a679e6c95e1d.exe"
  - Checks computer location settings
  - Enumerates connected drives
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\vnc.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe
      cmd: C:\Windows\system32\svchost.exe -k
      - Maps connected drives based on registry
  C:\Users\Admin\AppData\Local\Temp\windef.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\windef.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      cmd: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
      cmd: "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe
        cmd: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
      C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jVRQXjGHQBab.bat" "
        C:\Windows\SysWOW64\chcp.com
          cmd: chcp 65001
        C:\Windows\SysWOW64\PING.EXE
          cmd: ping -n 10 localhost
          - Runs ping.exe
        C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
          cmd: "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
          C:\Windows\SysWOW64\schtasks.exe
            cmd: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
            - Creates scheduled task(s)
          C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQIl4nFRJJMe.bat" "
            C:\Windows\SysWOW64\chcp.com
              cmd: chcp 65001
            C:\Windows\SysWOW64\PING.EXE
              cmd: ping -n 10 localhost
              - Runs ping.exe
            C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
              cmd: "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
              C:\Windows\SysWOW64\schtasks.exe
                cmd: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
                - Creates scheduled task(s)
              C:\Windows\SysWOW64\cmd.exe
                cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zK95bsEcCR8h.bat" "
                C:\Windows\SysWOW64\chcp.com
                  cmd: chcp 65001
                C:\Windows\SysWOW64\PING.EXE
                  cmd: ping -n 10 localhost
                  - Runs ping.exe
                C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
                  cmd: "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
                  C:\Windows\SysWOW64\schtasks.exe
                    cmd: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
                    - Creates scheduled task(s)
              C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 2228
                - Program crash
          C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 2240
            - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 2268
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\ea9da1047cd9f8d93602a679e6c95e1d.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\ea9da1047cd9f8d93602a679e6c95e1d.exe"
  C:\Windows\SysWOW64\schtasks.exe
    cmd: "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
  cmd: C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
  C:\Users\Admin\AppData\Local\Temp\vnc.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
    C:\Windows\system32\svchost.exe
      cmd: C:\Windows\system32\svchost.exe -k
  C:\Users\Admin\AppData\Local\Temp\windef.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\windef.exe"
  C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
    cmd: "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
  C:\Windows\SysWOW64\schtasks.exe
    cmd: "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1424 -ip 1424

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4812 -ip 4812

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4908 -ip 4908
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log
  Filesize: 1KB
  MD5: 10eab9c2684febb5327b6976f2047587
  SHA1: a12ed54146a7f5c4c580416aecb899549712449e
  SHA256: f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
  SHA512: 7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

C:\Users\Admin\AppData\Local\Temp\MQIl4nFRJJMe.bat
  Filesize: 208B
  MD5: c684f60b72e96f3e05c9a7a3a3ebdd14
  SHA1: b054f52646adfef96c73080df97224d4c6ccc27a
  SHA256: 954f5d8ac98482a18a8d7373e1e6b2d6fc4a426a6e89b565c67152bc82f60788
  SHA512: 5a282f531016c50a1839dce0e6fac7bf52c6d13c56604b09fb0b7ab9667441ce4e094750dd3153a33d9491c624044f6da07192a1547b518712f17c89a2368a05

C:\Users\Admin\AppData\Local\Temp\jVRQXjGHQBab.bat
  Filesize: 208B
  MD5: f8bdafee5b14ba97c5a32bbbc10d9099
  SHA1: 9c902a2b5b6d28e5f604e5b1960c343a976760bd
  SHA256: aa078cd8936b8ec694c8b922c6d8629c07d566e257b580f43a4a81d610669893
  SHA512: 69578c76e787761f2efb408debf5cfb36f63369f529468cff6bbfa5ef41fe763a84088c001bc7834270da88eba2f1620b42a9f96a36c71c7b806508dea954217

C:\Users\Admin\AppData\Local\Temp\vnc.exe
  Filesize: 405KB
  MD5: b8ba87ee4c3fc085a2fed0d839aadce1
  SHA1: b3a2e3256406330e8b1779199bb2b9865122d766
  SHA256: 4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
  SHA512: 7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

C:\Users\Admin\AppData\Local\Temp\windef.exe
  Filesize: 349KB
  MD5: b4a202e03d4135484d0e730173abcc72
  SHA1: 01b30014545ea526c15a60931d676f9392ea0c70
  SHA256: 7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
  SHA512: 632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

C:\Users\Admin\AppData\Local\Temp\zK95bsEcCR8h.bat
  Filesize: 208B
  MD5: f75ad6ef4d2abc0175ff429a02863200
  SHA1: f7b99febdee8d6d3b9c43fcf3105fce7041debaa
  SHA256: 552d8bb75e3dd64a81a02c822b5692f9745881ab1ef861fd6787db707106be9b
  SHA512: cc57130c035c9e53fd7d93beece8c0a340da292e78c4eb9c71df29a85b9b66599eb8a3b2681fba91ba9e220f44ed3baebf4d4f6c1ef7cad0da5f9c5708c223f5

C:\Users\Admin\AppData\Roaming\Logs\07-19-2022
  Filesize: 224B
  MD5: 6b23c1db486f6416491a34a08948a60f
  SHA1: 26940cc1021b40a56d77485342c5e7af5795ee99
  SHA256: 47126da5c0cf942f742ca1275f0c097d61566a7f3bb2c8d2e7f661a337ebe6be
  SHA512: b3359fbd15a6debabc30f54648e7cf4c58166fe7deb8050902e2a28bcf05ad230808aa954a6c5326976a6f6d03e3d4cc814590a747329aedf3ba469ab4d64760

C:\Users\Admin\AppData\Roaming\Logs\07-19-2022
  Filesize: 224B
  MD5: 112b151cf33e8d718d90a9de8b8cbf56
  SHA1: 9f4f7205e904a0c7a2817d996af0c43b243e846e
  SHA256: 54111e501cd7b6123f5c610ea7061858e20efb3b513ac60588c2752f918e98d2
  SHA512: ded6906ff3e12f7db37e6ae272ee77ab9cabaa769a7a869a67d1323835d1602d4aac357ad3f68d3d5f91506a614667db76e9ebf5361a8a2482890466a9c75712

C:\Users\Admin\AppData\Roaming\Logs\07-19-2022
  Filesize: 224B
  MD5: 2e95f8599a97b4656491e176f366aef3
  SHA1: ba87e20b374809a4a04e0f07f3954c14de7f00ad
  SHA256: 81bac9a6a59c4e19fb19b643e128252fbf599fed9a607df7ecc44285ad576833
  SHA512: d4aa44af579d7a9b2d6cf810f62d1374b347d78312b1359fb1129e197678f4e782781d8e89489b1c75481faf3b47ec6807ad516f6d2a330e73a4f8b5aab72f65

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
  Filesize: 349KB
  MD5: b4a202e03d4135484d0e730173abcc72
  SHA1: 01b30014545ea526c15a60931d676f9392ea0c70
  SHA256: 7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
  SHA512: 632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
  Filesize: 2.0MB
  MD5: 46d7a9023314b92e9687f009aa5f044a
  SHA1: 3c41d4568e55736fb14005a91cf2c3da68019b5d
  SHA256: 1c12da99fd65415e0e2d4cf4529c5f578894096e9064bbdb55a8142692943828
  SHA512: 7b978ffbae8b6e9ec8185220fa129c6abc8c98f982ed12f6968ef55db6166bbcd974a97250f4f534fbf419d195efe66a7273b183ce1e723ddefc5464aa84cd89
memory/208-184-0x0000000000000000-mapping.dmp
memory/628-171-0x0000000000000000-mapping.dmp
memory/628-172-0x00000000002E0000-0x0000000000300000-memory.dmp (Filesize: 128KB)
memory/628-181-0x00000000002E0000-0x0000000000300000-memory.dmp (Filesize: 128KB)
memory/1168-130-0x0000000000000000-mapping.dmp
memory/1424-160-0x0000000006D50000-0x0000000006D5A000-memory.dmp (Filesize: 40KB)
memory/1424-156-0x0000000000000000-mapping.dmp
memory/1544-194-0x0000000000000000-mapping.dmp
memory/1588-190-0x0000000000000000-mapping.dmp
memory/1800-200-0x0000000000000000-mapping.dmp
memory/2052-135-0x0000000000000000-mapping.dmp
memory/2052-146-0x0000000000AA0000-0x0000000000AC0000-memory.dmp (Filesize: 128KB)
memory/2052-136-0x0000000000AA0000-0x0000000000AC0000-memory.dmp (Filesize: 128KB)
memory/2184-159-0x0000000000000000-mapping.dmp
memory/2196-152-0x0000000005A50000-0x0000000005AB6000-memory.dmp (Filesize: 408KB)
memory/2196-149-0x0000000005D00000-0x00000000062A4000-memory.dmp (Filesize: 5.6MB)
memory/2196-147-0x0000000000DA0000-0x0000000000DFE000-memory.dmp (Filesize: 376KB)
memory/2196-133-0x0000000000000000-mapping.dmp
memory/2196-153-0x0000000006690000-0x00000000066A2000-memory.dmp (Filesize: 72KB)
memory/2196-154-0x0000000006AC0000-0x0000000006AFC000-memory.dmp (Filesize: 240KB)
memory/2196-150-0x00000000056A0000-0x0000000005732000-memory.dmp (Filesize: 584KB)
memory/2612-137-0x0000000000000000-mapping.dmp
memory/2612-151-0x00000000002D0000-0x000000000036C000-memory.dmp (Filesize: 624KB)
memory/2632-187-0x0000000000000000-mapping.dmp
memory/2988-192-0x0000000000000000-mapping.dmp
memory/3368-182-0x0000000000000000-mapping.dmp
memory/3740-202-0x0000000000000000-mapping.dmp
memory/3932-204-0x0000000000000000-mapping.dmp
memory/4252-166-0x0000000000000000-mapping.dmp
memory/4256-206-0x0000000000000000-mapping.dmp
memory/4516-195-0x0000000000000000-mapping.dmp
memory/4652-183-0x0000000000E20000-0x0000000000EBC000-memory.dmp (Filesize: 624KB)
memory/4652-170-0x0000000000E20000-0x0000000000EBC000-memory.dmp (Filesize: 624KB)
memory/4652-165-0x0000000000000000-mapping.dmp
memory/4676-186-0x0000000000000000-mapping.dmp
memory/4712-203-0x0000000000000000-mapping.dmp
memory/4812-188-0x0000000000000000-mapping.dmp
memory/4840-163-0x0000000000000000-mapping.dmp
memory/4908-196-0x0000000000000000-mapping.dmp
memory/4956-198-0x0000000000000000-mapping.dmp
memory/4984-155-0x0000000000000000-mapping.dmp
memory/5024-148-0x0000000000000000-mapping.dmp