Analysis Overview
SHA256
8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567
Threat Level: Known bad
The file Win64Sys.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar RAT
Quasar payload
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Looks up external IP address via web service
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-03 23:51
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-03 23:51
Reported
2023-01-03 23:54
Platform
win7-20221111-en
Max time kernel
31s
Max time network
85s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(11 identical rows with no recorded indicator detail)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe
"C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\brbHepOetp3w.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 1480
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
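The process tree above (and the thirteen repetitions of it in the behavioral2 run) shows the two behaviours worth detecting: persistence via `schtasks /create /tn "Windows x64 System Client" /sc ONLOGON /rl HIGHEST /f` pointing at a copy of the binary under the user profile (the Temp copy first, then the Roaming copy, the second `/f` overwriting the first because both use the same task name), and a batch file in `%TEMP%` that runs `chcp 65001`, sleeps with `ping -n 10 localhost`, and relaunches the dropped copy. The dropped `Roaming\Micosoft\Win64Sys.exe` has the same SHA256 as the submitted sample, so "Executes dropped EXE" here is the sample re-executing a copy of itself, not a second stage; the misspelled `Micosoft` directory and the task name are good hunt strings. The following detection logic is an added example, not part of this report or of any sandbox's rules. It runs over constructed process-creation events modelled on the tree above (PIDs are illustrative, and the last event is a benign control), and the path patterns, rule names and helper functions are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed events modelled on the behavioral1 process tree of this report.
# PIDs are illustrative; the last event is a benign control that must not alert.
EVENTS = [
    {"pid": 1232, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe"'},
    {"pid": 780, "ppid": 1232, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON '
                r'/tr "C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe" /rl HIGHEST /f'},
    {"pid": 560, "ppid": 1232, "image": r"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"'},
    {"pid": 1264, "ppid": 560, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON '
                r'/tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f'},
    {"pid": 304, "ppid": 560, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\brbHepOetp3w.bat" "'},
    {"pid": 1416, "ppid": 304, "image": r"C:\Windows\SysWOW64\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 848, "ppid": 304, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 1736, "ppid": 304, "image": r"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"'},
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Nightly Backup" /sc DAILY /tr "C:\Program Files\Backup\run.exe" /f'},
]

# Assumed patterns (example's own, not from the report).
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)   # anything under %APPDATA%/%LOCALAPPDATA%
TASK_TARGET = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)              # quoted or bare /tr argument
TEMP_BAT = re.compile(r'\\temp\\[^\\"]+\.bat\b', re.I)
SLEEP_PING = re.compile(r"^ping\s+-n\s+\d+\s+(localhost|127\.0\.0\.1)", re.I)


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def schtasks_persistence(ev):
    """schtasks /create whose action lives in a user-writable profile path and
    asks for a logon trigger or the highest run level, as this sample does."""
    cmd = ev["cmdline"]
    if not ev["image"].lower().endswith("\\schtasks.exe") or "/create" not in cmd.lower():
        return None
    m = TASK_TARGET.search(cmd)
    target = (m.group(1) or m.group(2)) if m else ""
    onlogon = re.search(r"/sc\s+onlogon\b", cmd, re.I) is not None
    highest = re.search(r"/rl\s+highest\b", cmd, re.I) is not None
    if USER_WRITABLE.match(target) and (onlogon or highest):
        return Alert("schtasks_user_path_persistence", ev["pid"], target)
    return None


def batch_relaunch(ev, children):
    """cmd.exe running a .bat from %TEMP% whose children are a ping-based sleep
    and a fresh launch of a binary from a user-writable path."""
    if not ev["image"].lower().endswith("\\cmd.exe") or not TEMP_BAT.search(ev["cmdline"]):
        return None
    kids = children.get(ev["pid"], [])
    sleeps = any(SLEEP_PING.match(k["cmdline"]) for k in kids)
    relaunched = [k["image"] for k in kids if USER_WRITABLE.match(k["image"])]
    if sleeps and relaunched:
        return Alert("temp_batch_sleep_relaunch", ev["pid"], relaunched[0])
    return None


def scan(events):
    """Index children by parent PID, then apply both rules to every event."""
    children = {}
    for ev in events:
        children.setdefault(ev["ppid"], []).append(ev)
    alerts = []
    for ev in events:
        for rule in (schtasks_persistence, lambda e: batch_relaunch(e, children)):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in scan(EVENTS):
        print(f"{a.rule:32} pid={a.pid:<5} {a.detail}")
```

Against the constructed events this raises three alerts (the two task registrations and the batch relaunch) and stays silent on the benign `Program Files` task. The second rule keys on the parent-child relationship rather than on the batch file name, since the name is random on every cycle (`brbHepOetp3w.bat` here, a different one in each behavioral2 iteration).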
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
Files
memory/1232-54-0x0000000001020000-0x0000000001084000-memory.dmp
memory/1232-55-0x0000000076391000-0x0000000076393000-memory.dmp
memory/780-56-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/560-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/560-61-0x0000000000C90000-0x0000000000CF4000-memory.dmp
memory/1264-63-0x0000000000000000-mapping.dmp
memory/304-64-0x0000000000000000-mapping.dmp
memory/1416-65-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\brbHepOetp3w.bat
| MD5 | 6e7cc9dfd0cf89eebf293d791dc08556 |
| SHA1 | 2a3a1dbb224621a48522f7ede541e3c95fd0a16f |
| SHA256 | eb8cc91ce29159d1fc3b0e137eea0d1df2a458e11d26b438f355c27a94ea30b1 |
| SHA512 | daf7960c94f0a3729effe207b25ddc44335ca40bc8aa3d43541154d772bab882bebd7aaee0d7765132dc399e4da2f50a7f87f30f331b2dce88d0ff8dbc126bd4 |
memory/848-67-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/1736-72-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/1460-74-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-03 23:51
Reported
2023-01-03 23:54
Platform
win10v2004-20220901-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(15 identical rows with no recorded indicator detail)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
(13 identical rows, one per launch of the dropped copy)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
(13 identical rows, one per launch of the dropped copy)
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
(6 identical rows)
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
(14 identical rows: one from the Temp copy, 13 from launches of the dropped copy)
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
(13 identical rows, one per batch-file cycle)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
(13 identical rows, one per launch of the dropped copy)
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe
"C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VB3HpmYxHjBo.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1704 -ip 1704
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 2220
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AzkcscIlg5Z5.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1052 -ip 1052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 2244
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGNN3oE1VN6l.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4500 -ip 4500
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 2232
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DLmGaymeXXRl.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4768 -ip 4768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 2244
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSJCPpLQyz2Y.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2996 -ip 2996
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 2188
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sbdr1R5VvELE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4464 -ip 4464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 2216
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2dJudxv233oh.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3648 -ip 3648
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 2208
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cpNQ9CMDveyu.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3944 -ip 3944
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1688
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V8k0E21afHN7.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2344 -ip 2344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 2216
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\APMlQDxrUauo.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4912 -ip 4912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 2208
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CnaFiOLSXqSK.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3488 -ip 3488
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 2240
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bxje7kEr0tSu.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1956 -ip 1956
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1928
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OETlc5ZbivSJ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4848 -ip 4848
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2240
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 20.42.72.131:443 | N/A | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 67.24.25.254:80 | N/A | tcp |
| N/A | 67.24.25.254:80 | N/A | tcp |
| N/A | 67.24.25.254:80 | N/A | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
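The network tables in both runs need reading with care before anything is turned into a block rule. `8.8.8.8:53` is the sandbox's resolver. `ip-api.com` (208.95.112.1) is a legitimate public-IP lookup service that Quasar queries when it starts, so it is a weak indicator on its own. The only name that looks like the sample's own infrastructure, `stuhowe.ddns.net`, appears solely as DNS queries: neither run records a TCP session to it, so this report does not give you the C2 address, only the dynamic-DNS name to alert on in DNS logs. The two endpoints with no domain (20.42.72.131:443 and 67.24.25.254:80) are unattributed and should be vetted before being added to a blocklist. The triage logic below is an added example, not a sandbox feature or part of this report; it parses a constructed excerpt of the rows above (including rows whose Domain cell was lost and the protocol shifted left, as some of the raw rows were extracted), and the resolver, geolocation-service and dynamic-DNS lists are the example's own assumptions.

```python
from collections import defaultdict

# Rows transcribed from this report's Network tables (constructed excerpt).
# Some raw rows lost the Domain cell and carry the protocol in its place;
# the parser accepts both that form and the regular four-column form.
ROWS = """
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 20.42.72.131:443 | tcp | |
| N/A | 67.24.25.254:80 | N/A | tcp |
| N/A | 67.24.25.254:80 | tcp | |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
""".strip().splitlines()

# Assumptions of this example, not values stated in the report.
RESOLVERS = {"8.8.8.8"}            # the sandbox's DNS server: never an indicator
GEOIP_SERVICES = {"ip-api.com"}    # legitimate public-IP lookup Quasar performs at start-up
DYNDNS_SUFFIXES = (".ddns.net",)   # illustrative dynamic-DNS suffixes (No-IP's ddns.net here)


def parse_row(line):
    """Split one '| Country | Destination | Domain | Proto |' row into a dict,
    repairing rows where the Domain cell is missing and Proto shifted left."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) == 4 and cells[2] in ("tcp", "udp") and cells[3] == "":
        cells = [cells[0], cells[1], "N/A", cells[2]]
    _country, dest, domain, proto = cells
    ip, port = dest.rsplit(":", 1)
    return {"ip": ip, "port": int(port), "proto": proto,
            "domain": None if domain in ("", "N/A") else domain}


def triage(lines):
    """Bucket each connection so that resolver traffic is dropped, geolocation
    lookups are kept separate, DNS-only names are surfaced, and nameless
    endpoints are flagged for manual vetting."""
    conns = [parse_row(l) for l in lines if l.strip()]
    # names that were actually connected to (not just resolved)
    contacted = {c["domain"] for c in conns if c["domain"] and c["ip"] not in RESOLVERS}
    out = defaultdict(set)
    for c in conns:
        endpoint = f"{c['ip']}:{c['port']}/{c['proto']}"
        if c["ip"] in RESOLVERS:
            # a DNS query alone: the queried name is the indicator, the resolver is not
            if c["domain"] and c["domain"] not in contacted and c["domain"] not in GEOIP_SERVICES:
                out["dns_only"].add(c["domain"])
        elif c["domain"] in GEOIP_SERVICES:
            out["geoip_lookup"].add(endpoint)
        elif c["domain"] is None:
            out["unattributed"].add(endpoint)      # no name recorded: vet before blocking
        else:
            out["contacted"].add((c["domain"], endpoint))
        if c["domain"] and c["domain"].endswith(DYNDNS_SUFFIXES):
            out["dynamic_dns"].add(c["domain"])
    return dict(out)


if __name__ == "__main__":
    for bucket, items in sorted(triage(ROWS).items()):
        print(f"{bucket:14} {sorted(items)}")
```

For the rows above the result has `stuhowe.ddns.net` in both `dns_only` and `dynamic_dns`, the ip-api.com endpoint under `geoip_lookup`, the two nameless endpoints under `unattributed`, and no `contacted` bucket at all, which is the practical finding: in this detonation the RAT never reached its controller.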
Files
memory/4816-132-0x0000000000C70000-0x0000000000CD4000-memory.dmp
memory/4816-133-0x0000000005BC0000-0x0000000006164000-memory.dmp
memory/4816-134-0x0000000005750000-0x00000000057E2000-memory.dmp
memory/4816-135-0x0000000005A60000-0x0000000005AC6000-memory.dmp
memory/4816-136-0x00000000066B0000-0x00000000066C2000-memory.dmp
memory/4816-137-0x0000000006AE0000-0x0000000006B1C000-memory.dmp
memory/5088-138-0x0000000000000000-mapping.dmp
memory/1704-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/3696-142-0x0000000000000000-mapping.dmp
memory/1704-143-0x0000000006BC0000-0x0000000006BCA000-memory.dmp
memory/3668-144-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\VB3HpmYxHjBo.bat
| MD5 | b2772e0c2565c6595381219e2f6d5413 |
| SHA1 | a6709cba4eaffeccd4f54cf3d26a9caa13ebee1b |
| SHA256 | c965d44107b9c21c9fd122f31dee75716a1c1df2a37ee3a1754f033037695f22 |
| SHA512 | 93b36a8a293ee593bcac5167414a61c101d6f64593ffc801379078615fbe9d5992232012d5e6ef5046a46cd2f1205eaca545ffbfa1edfc8f7255cc0f50d01fe3 |
memory/1252-146-0x0000000000000000-mapping.dmp
memory/3936-147-0x0000000000000000-mapping.dmp
memory/1052-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Win64Sys.exe.log
| MD5 | 10eab9c2684febb5327b6976f2047587 |
| SHA1 | a12ed54146a7f5c4c580416aecb899549712449e |
| SHA256 | f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928 |
| SHA512 | 7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50 |
memory/2140-151-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-03-2023
| MD5 | 617da47d9ac161bcb3647fd07eae1504 |
| SHA1 | 466761cf8dbaefd182c1c28767666995beef84c0 |
| SHA256 | c5bd968168d85c0544edf5053d57e9cd2f571a3c14760b55582df9c0c5505e27 |
| SHA512 | 8bed1e8184abcc1066919730fa512ea43fb953268b01293b52e48aa367e83d06e99572767e455c0593f34e4d9d2044556f77b2bcdd90ff3d604107f404f2d5a5 |
memory/4748-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AzkcscIlg5Z5.bat
| MD5 | 052916aa9608eee3357fe0b9f19cdd96 |
| SHA1 | a1f9755a4e6ef140761318de9609834088e9a341 |
| SHA256 | 66235147fb060ff5d5b67b2bbbbd1df9f37eb213bda3183ce8d953a3d4e5648f |
| SHA512 | ae1c7f73971b028cef3c98fdb580e506a64b54bbc3c7618f80281186bdd386ddcf36a8d4297d1d7f68bbf80980137141953c54f4925b87b7a2a63068314c414d |
memory/2352-155-0x0000000000000000-mapping.dmp
memory/2296-156-0x0000000000000000-mapping.dmp
memory/4500-157-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/1316-159-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-03-2023
| MD5 | ae078958c3c2b8d9e7a60fd56d15291b |
| SHA1 | 7d79fa9a2df471c9577396e65ab211b3c7cc06e8 |
| SHA256 | f2781896e59e84b8ed528ef643b81ca598c606a304e93f58568cdfb9158a27de |
| SHA512 | 75c7ba6ee04388c75321d752ada471509301dd2dde8d970a76c56cd3a8ce551857a1c305f5344325c7b5db1570bb0969ebed757a92409ec6e632fc07eb592889 |
memory/1468-161-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\pGNN3oE1VN6l.bat
| MD5 | 4af6a8885f2ee5105f68081849ba646d |
| SHA1 | efa4b0fb839052cfc022de7cc3df424399802bb8 |
| SHA256 | 03f1fcee4ccc0b8b977da1e017a9dec8b23ed39201305e089fa6565c4d0583c2 |
| SHA512 | 5a6e819cf074e5ad753d211443226d27f705c696fec4dd1afbd00ed872e70d7e0881efe361e718acae5c3d0fb23052687e94044767b1292ae254e88c852be2de |
memory/4300-163-0x0000000000000000-mapping.dmp
memory/3760-164-0x0000000000000000-mapping.dmp
memory/4768-165-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/4912-167-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-03-2023
| MD5 | 1d9e1e245624fd2dcd1152e687f0809e |
| SHA1 | 1deeb60c74916e19d9666089f99aad91bd29471d |
| SHA256 | f55fed215087ca87e2bf56b4041bdd515b15597d2cb038f442d1288b27542700 |
| SHA512 | fa4837ca5ba78ae1221afdc4fd52376f8f62b4b521c3c4e4710ab356fd27977ea8396041c6d299295afa90c09f85ae575cca6f11a9d5c14f61f65528877f8c93 |
memory/4932-169-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DLmGaymeXXRl.bat
| MD5 | 92b394305956d93c719e9c7ad38a639f |
| SHA1 | b8c08541e7db0df8a1549bdb57d8f34144c9bed6 |
| SHA256 | d36d302b0bce1fd81fd74ae9c13828541fe1350a84b2a5983c6cbb1c3f3a1381 |
| SHA512 | e2eb7269dede7ffe870cc01e3e8206c989e9f1525a76d2e06e51e9c014f7dde9a944b6b1fdb65b2508b3ac52125c68ac46f3ff7b05b09c2cab101ce40b65d453 |
memory/1440-171-0x0000000000000000-mapping.dmp
memory/4988-172-0x0000000000000000-mapping.dmp
memory/2996-173-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/368-175-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-03-2023
| MD5 | 2b6fb25dcb589282203046231d507b66 |
| SHA1 | 114c4b6f66557dc8a59051a1541834442996ecad |
| SHA256 | 959f4da4d49eb943eabe0ed2de6d6700195b28ad069f0fdf22c91a95ea45478e |
| SHA512 | 82b35cd80e93da2d4f7b931f47c076006266a897366b339cbff10663cc204defab61a8e50c72a63853da8a4cca9408d3980040a094337d461a5724197ccb2e26 |
memory/4560-177-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\WSJCPpLQyz2Y.bat
| MD5 | 231eeacb49c61d5619b8bff5289c6753 |
| SHA1 | 1f0622b6de15f895970babc0fa576c50f230a964 |
| SHA256 | 948768cea40f1e284208af59e35a154dd263d20e855f3b2dd845b9f35f0a89b6 |
| SHA512 | c01280e5e93b2a081674d9c6da5e673a7517de8d606b3b4fccb95b873cc6500fecf00934523c8e8dddd5ad8333646076d669fc27a7fd2a5987c8f54ba0d86960 |
memory/3964-179-0x0000000000000000-mapping.dmp
memory/4744-180-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/4464-181-0x0000000000000000-mapping.dmp
memory/2212-183-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-03-2023
| MD5 | a64e2e8c2aec18b93b7ff94a22a3a17e |
| SHA1 | c7bfe46af4fea44740aa8c0412e15f19ee067252 |
| SHA256 | fae6d4333d5093451ef333f2ec7836f1acd931d42a330c192e03c6f5fb746e9b |
| SHA512 | 8dcce2a0ba512d4dadd00dc154b384a5f44ef2d221333993aa78d32797b2b05fbf4d0e06c19abab1292bfbcad3d4a528ae476a704ace3f60494c4c77a8df49de |
memory/3456-185-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\sbdr1R5VvELE.bat
| MD5 | c849d9bd5498d4096335a4c404ba5139 |
| SHA1 | 7860de2ef93de82032c667bea76b8d537d5022a5 |
| SHA256 | 1c350ec4a45140eca68fedba58d4204964f6d61a487954cced202fe5d8625106 |
| SHA512 | a90ab0204b99626c2febf1cd85bad5e6263a8da9e30f366652daf8e396effd2652233c0cdcbbadd429249ae8e0432268479e77a97e96ead1469e184bfe9fdffd |
memory/1296-187-0x0000000000000000-mapping.dmp
memory/4792-188-0x0000000000000000-mapping.dmp
memory/3648-189-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/824-191-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-03-2023
| MD5 | 068d28417aa88a7f20dd748605f30c62 |
| SHA1 | 17cf4372ecf6476a74abed735ece360ef0d7ac1b |
| SHA256 | 87238edd69e686282b7a5d55831c437fb4ab1b4bb90c0d266ab04fd8aea81b62 |
| SHA512 | 4496b0c28fe8732d50d6816184187a1d00cf9843ae4e70c1d77bfa8c22c8c43bcd57dbb812194a35d3978683d8d2c63305c1c1802eec83e675602e17c4e91c9b |
memory/2352-193-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2dJudxv233oh.bat
| MD5 | 7177e80810e2001cc62bd19902dcf14e |
| SHA1 | 2857135ac843c3ecef528b8f9492fffd889a3815 |
| SHA256 | 89b39e5257c9b996052466c8b6211daf4e75561905b31084fd17527cc6febfa4 |
| SHA512 | dab3ffa3753370944796b53f729fb9bd452b45b3c027912419f7ec59339a2b3de031979a1c26e3bdc790f300abe06982abdc9ec7969ff62839cce899347e5cd2 |
memory/4616-195-0x0000000000000000-mapping.dmp
memory/4780-196-0x0000000000000000-mapping.dmp
memory/3944-197-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/4424-199-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-03-2023
| MD5 | 07a86d85532448f84c72a08abb88da5a |
| SHA1 | 455f0d7da00f08c90d62ca0aa8225c4d370a496a |
| SHA256 | c46b0c454b87c3e4c128b9894a4d3b5db7fafd757a97f79db8d6961327369b40 |
| SHA512 | eefe34df99fa6138e287996125f00e96b19f192d0dac376cd42cef6cde3ae9de1aa37d41203d24da96bb20d7fa570b4dd2ea30e8ef0c2eb9940157acd3a52132 |
memory/2200-201-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\cpNQ9CMDveyu.bat
| MD5 | 9e69c2759e2514eb65d298ce6be37297 |
| SHA1 | dd450317b2e3e05c0c216cb516f586f43c68b407 |
| SHA256 | d71d0e685b34832af16d215004d87dbf62e121c1c325c267081c0f5cfe1723ea |
| SHA512 | 00666767616bbc90513c8a2c48432ccf5ab47251bc24e1b5764b90fba2022b720139bcb9e1ff6c5412908feeeed14e385ed026b99f326c6134335b6a4bf9b3c9 |
memory/3636-203-0x0000000000000000-mapping.dmp
memory/3524-204-0x0000000000000000-mapping.dmp
memory/2344-205-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/1344-207-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-03-2023
| MD5 | 7f3ff96b5ecaadce6d7adf4ec410a5f7 |
| SHA1 | 015db7dbd6228314f3ec49f89c9574b2cc653275 |
| SHA256 | 8c995a28eef58f01395a235e905a8bd45f913eb167df69c89ae40d77b029a79f |
| SHA512 | ce62f6911aea23effb6b731531e62a50e1de3b3776095bf2baa452cc0570252078761033ebadd96df056259e6cbe6711492afd98965d22954af73dc6c1f8ad74 |
memory/2760-209-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\V8k0E21afHN7.bat
| MD5 | 79f0dd4d45391202d3cf9056649acc38 |
| SHA1 | a6a260ff965a05ce2630159c5394996210e99cd1 |
| SHA256 | 85f6cd0d24436b665b656fb644e314136dd8e44f394f9d0eae65d70339d24dbf |
| SHA512 | 8d7ce7eb9fc00e6fb11800f78de6081335acf3239936742a9a8e3da9292700e68a94ed127d5f7e8278e6f17b8ea2ac02bf4206171b8f691382241ccac7438d76 |
memory/4012-211-0x0000000000000000-mapping.dmp
memory/1324-212-0x0000000000000000-mapping.dmp
memory/4912-213-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/1544-215-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-03-2023
| MD5 | 0db7907f443d6f85735a335d3a0cde5f |
| SHA1 | 325618b6be9a3f595d3e854aefb415bb5816d2b5 |
| SHA256 | 268d394a5bb5ec0904d5a3e8248bfc2e11de0994db163b9d7c0315c39e8d7c5d |
| SHA512 | b10c8b07ecc92b9bff503ba943962beac2c25e1c9b1fe85a750065afdd5edac5cb29622d2d4bb0b604b5f27f55286e92c605e592fcfcf520414843a6140c3daf |
memory/1216-217-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\APMlQDxrUauo.bat
| MD5 | e53ac78296f63c90b41d538fecfeceb0 |
| SHA1 | fe1a1f79bdadacdbd5091b5ad5364780aa9b2831 |
| SHA256 | 82a84e3bae0585cfa51b73f67a93f5307f1cb7ccf72922e1ef4bd7dc917df62d |
| SHA512 | ec2b17f3b64b28102d421f02fedec348dda1ac9fa4c8a110c1495b126fdc58f006feb09e09e4bb9a2f2d5c2b20e87a77a1461f71cc21b664336ee4d80d7d665e |
memory/2300-219-0x0000000000000000-mapping.dmp
memory/4196-220-0x0000000000000000-mapping.dmp
memory/3488-221-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/628-223-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-03-2023
| MD5 | 4daf3feaf3109914263c64ed2b5b60d6 |
| SHA1 | d37231a4e94d4ab54e6fe2c4b6ab0fb3b6dcbb96 |
| SHA256 | 28bcb7081fe52437108593c16a5e897f212f9270304adf2d4c13ef665ce02ead |
| SHA512 | 3c0692543c79f322908873141430dc760b75f0047431f85dce8be7447d40a66b6777332594589d672db287f33a875ca8a1e4a6b92e9e28ab55b2c2c2610dce1e |
memory/3428-225-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\CnaFiOLSXqSK.bat
| MD5 | 87fd781e0445b9d7b0e9f626a609ff94 |
| SHA1 | 5a38489cc575c0b555911687c243f84ac2eaf581 |
| SHA256 | 4f9aae0759e4082b22897a1afac12f35dfdb34343afc95166f32a76fca73cf8c |
| SHA512 | 238045cc318fb019072f02c4c1e57457e7fd3af4d713c4febea1a21e96ac538fc6dcacbe14bfed9322a1eb3e69815fd1cec7a0e65f31ce35a2855cdc2962c76f |
memory/1120-227-0x0000000000000000-mapping.dmp
memory/4872-228-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/1956-229-0x0000000000000000-mapping.dmp
memory/1872-231-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-03-2023
| MD5 | 0498aa1527aeda4cf1cc02f535208c62 |
| SHA1 | 4d338cd507d5fd3e190ddd2806871dcb3238358e |
| SHA256 | ba643b6af49d3e48246a694adc481d8eb6ffff1a23f600327a3a9c25db13be93 |
| SHA512 | f9d65f5cbe2c8fe771e707efd74b6698d96adfb488200d9c18fa3ff0c07c9c062dfd35700c7ba5faf4eedff2fa2f4a12fb6ed47744a6df1c29020d94e0c8e325 |
memory/4936-233-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\bxje7kEr0tSu.bat
| MD5 | ea90a6590cb2cf0b3e1069e28bf4df28 |
| SHA1 | 186fd8c69c2ea8b3aceff67b42137fc91d91642f |
| SHA256 | 65c6b6f8162103062b87356e1f0daea7ff8b4a8f182133fd90b4f3ec2eff8ee1 |
| SHA512 | 8c987b4a66041ac331009cdb7e73c1d45a83b7e7e7142f9702546e2e8cbc171822ce7949a8a8564d5ddb3f27a30dcbd78fa762735ead001ee064feeeac910871 |
memory/2516-235-0x0000000000000000-mapping.dmp
memory/2132-236-0x0000000000000000-mapping.dmp
memory/4848-237-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/672-239-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-03-2023
| MD5 | 17ceef730f590c96b687894cb95deaac |
| SHA1 | cebf3cbded6c2691e65e3f521af504edc582c451 |
| SHA256 | f423dc1ac35d2b89ae8a2766085588c6633c0d4e73a664fd4322dafd3c383586 |
| SHA512 | b8ce8430c3aafeaf6240634633ab5ceb708f4c2210d102cabede3aeaba20a668674865611a261ca4065c342b939e07e306c58e2ac42e5efb75a88658dd4b8c94 |
memory/1032-241-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\OETlc5ZbivSJ.bat
| MD5 | 87fce8dc2dd4f12a677f51675ad003f1 |
| SHA1 | 01d5bee32cb6379f704d5867474adfe6b4680ca4 |
| SHA256 | 463b2f99dabd4d1fbeefe3d579dd1684be68907873f167a8a83449d1e72f0b7b |
| SHA512 | 43cd8f49637aa44fd71e7979703b1c514a2de27e129725423ed99f0fc2c2762b3b2297101b230f17a290429fc2579b644a9ac7c0f10247742fb5dbe72b0198ea |